Networking Forums

Networking Forums > Computer Networking > Windows Networking > IPSec tunneling through ISA


IPSec tunneling through ISA

 
 
Massimo
09-08-2008, 06:16 PM
I have two servers in two different subnets (the main LAN and a DMZ),
connected through an ISA Server 2006 firewall; the two networks are routed.

I need to set up everything so that all traffic between the two servers is
encapsulated in an IPSec tunnel, thus opening only the bare minimum ports
required for IPSec on the ISA server.

Only the communications between the two servers need to be encrypted; they
need to be able to talk to their respective networks without using IPSec.

All TCP and UDP traffic should be allowed between the servers, but it will
need to go through the IPSec tunnel.

No certificates will be available; the encryption will be done using
pre-shared keys.


Can someone please point me in the right direction? I'm not really used to
IPSec, and I'm having quite a bit of trouble making it work.


Thanks


Massimo


 
Phillip Windell
09-08-2008, 06:42 PM
Massimo wrote:
> I need to set up everything so that all traffic between the two servers is
> encapsulated in an IPSec tunnel, thus opening only the bare minimum ports
> required for IPSec on the ISA server.


It is pointless. ISA is already limiting it to "bare minimum ports
required",...in fact the default is *none* until you tell it otherwise

> All TCP and UDP traffic should be allowed between the servers, but it will
> need to go through the IPSec tunnel.


You can't allow "all TCP & UDP" and at the same time allow only "bare
minimum ports required",...they are exact opposite of each other.

The only thing the IPsec would be doing is preventing "packet
sniffing",...which isn't going to happen anyway on a Switched network unless
you configure a Monitoring Port on a Switch sitting between the two Hosts
and plug a machine into that port with a packet sniffer running on it.

So it is all pointless.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Massimo
09-08-2008, 07:39 PM
Phillip Windell wrote:

>> I need to set up everything so that all traffic between the two servers is
>> encapsulated in an IPSec tunnel, thus opening only the bare minimum
>> ports required for IPSec on the ISA server.

>
> It is pointless. ISA is already limiting it to "bare minimum ports
> required",...in fact the default is *none* until you tell it otherwise
>
>> All TCP and UDP traffic should be allowed between the servers, but it
>> will need to go through the IPSec tunnel.

>
> You can't allow "all TCP & UDP" and at the same time allow only "bare
> minimum ports required",...they are exact opposite of each other.


Maybe I didn't explain the issue well.
The TCP and UDP traffic between the two servers should flow "inside" the
IPSec tunnel, so the firewall will only need to allow the ports used by the
IPSec tunnel itself (IP 50 and UDP 500, if I'm correct).

> So it is all pointless.


I know it is; but some manager thinks this is "a lot more secure", so I
should answer him if it can be done, and how :-/


Massimo

 
Phillip Windell
09-08-2008, 09:07 PM
Massimo wrote:
>> So it is all pointless.

>
> I know it is; but some manager thinks this is "a lot more secure", so I
> should answer him if it can be done, and how :-/


Ok, well I guess I can understand that anyway :-)

Better wait and see what someone else has to say about that who might have
more experience with the IPsec itself. You and I are probably in the same
boat with respect to that,..heck you probably know more than me about
that part. I have never set it up at all apart from L2TP/IPsec with a
static key in a VPN situation.

--
Phillip Windell


 
Phillip Windell
09-08-2008, 09:11 PM
Oh, by the way. I really don't think ISA will even have a role in it. ISA
is not going to be reading the insides of the IPsec packets,..and it is not
"proxying" anything,..it is just acting as a simple LAN router. It just
needs the correct protocol allowed to let the IPsec packets move across it
"unmolested".

So the IPsec configuration would just be between the originating machine and
the receiving machine as if the ISA never existed.

--
Phillip Windell


 
Jim Harrison (ISA SE)
09-08-2008, 09:41 PM
In fact, this is almost a half-day in the Microsoft Ninjitsu class Tim & I
present each year at Black Hat Las Vegas.
Since you have a routed relationship between the two networks where the
IPSec endpoints operate, it's as simple as adding a single IPSec policy to
enforce IPSec for all traffic to and from each host.
The place to be extra careful is in the "to" and "from" parts of the policy.
It's all too easy to get them backwards or inside-out and completely block
all traffic to and from them.
The good news is that you need only disable the IPSec policy that's blocking
and you'll be back in business.

If you're using IPSec to limit the domain traffic across ISA (good idea) and
IPSec bothers you that much, you might want to take a read here:
http://technet.microsoft.com/library/cc891503.aspx. This article discusses
domain traffic to, across and through ISA in painful detail.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html





 
Massimo
09-08-2008, 10:08 PM
Phillip Windell wrote:

> Oh, by the way. I really don't think ISA will even have a role in it.
> ISA is not going to be reading the insides of the IPsec packets,..and it
> is not "proxying" anything,..it is just acting as a simple LAN router. It
> just needs the correct protocol allowed to let the IPsec packets move
> across it "unmolested".


True.
But I don't see anything in ISA that lets me allow specific IP protocols
other than TCP, UDP and ICMP...


Massimo

 
Massimo
09-08-2008, 10:22 PM
Jim Harrison (ISA SE) wrote:

> In fact, this is almost a half-day in the Microsoft Ninjitsu class Tim & I
> present each year at Black Hat Las Vegas.
> Since you have a routed relationship between the two networks where the
> IPSec endpoints operate, it's as simple as adding a single IPSec policy to
> enforce IPSec for all traffic to and from each host.
> The place to be extra careful is in the "to" and "from" parts of the
> policy.
> It's all too easy to get them backwards or inside-out and completely block
> all traffic to and from them.
> The good news is that you need only disable the IPSec policy that's
> blocking
> and you'll be back in business.


Thanks. I've played for a while with IPSec policies, but I still wasn't able
to make them work... tomorrow I'll try again. I'm quite confused.
I've tried setting up a policy on ServerA with the default answer rule
configured to allow security using a pre-shared key, and a policy on ServerB
requiring security for all TCP connections to ServerA (using the same key),
but all traffic to/from ServerB just stops. What am I missing?
And what should I configure where I'm asked for the tunnel endpoint? The
server itself? The ISA firewall? The remote server?
How about ISA? Now it's just letting all traffic flow between the two
networks, but is it enough? Everything I've read about IPSec tunnels
involves specific IP protocols (50 or 51), how should I tell ISA to let them
through?

> If you're using IPSec to limit the domain traffic across ISA (good idea)
> and
> IPSec bothers you that much, you might want to take a read here:
> http://technet.microsoft.com/library/cc891503.aspx. This article
> discusses
> domain traffic to, across and through ISA in painful detail.


Thanks, my situation is in fact somewhat similar: we're putting Exchange
2003 front-end servers in a DMZ, and they're asking me to let them talk with
domain controllers and Exchange back-ends without opening the firewall "too
much".
I've found similar documents describing ports and protocols needed by
Exchange, and they replied "use IPSec, so you'll only need to open two or
three ports in the firewall". I still didn't manage to get them to
understand how completely foolish this is... :-/


Massimo

 
Jim Harrison (ISA SE)
09-08-2008, 10:54 PM
IPSec is always defined in the context of "endpoints".
Since you want IPSec between the two hosts in opposite networks, you define
them as each other's remote.
The biggest problem you will have is that Exch FE is not communicating only
to Exch BE; it must also communicate with the domain controllers and other
relevant services that you may have imposed on them.

ISA cannot "see inside" IPSec channels; that's the whole point of IPSec.
Thus, your ISA policies have to allow IPSec Client and IKE between any hosts
that are trying to communicate to each other.
Since this definition is somewhat dynamic, simply creating IPSec policies
between your two Exchange servers is not going to cut it.

If this is a deployment blocker, you may be better off allowing domain
traffic only between the Exch FE and the domain network as described in the
article I linked and play with IPSec in a virtual lab until you get the
definitions nailed.

--
Jim Harrison (ISA SE)



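The host-to-host policy Jim describes, written out for the "netsh ipsec static" context of Windows Server 2003, as an added example that is not part of this thread and not Microsoft's own documentation. It assumes ServerA is 10.0.1.10 on the LAN and ServerB is 10.0.2.10 in the DMZ (both addresses are placeholders), a placeholder pre-shared key, and is shown as run on ServerB; ServerA gets the same script with PEER set to 10.0.2.10. Because the endpoints are the two hosts themselves, transport mode is used and no tunnel endpoint is configured at all. Whatever protocol definitions are used on the ISA side, the firewall between the two networks only has to pass UDP 500 (IKE) and IP protocol 50 (ESP) between these two hosts in both directions; IP protocol 51 is needed only if AH is chosen instead of ESP. One caveat a manager asking for "a lot more secure" should hear: on Windows Server 2003 a pre-shared key is stored in clear text in the local IPsec policy store, which is why certificate or Kerberos authentication is preferred wherever it is available.

```batch
@echo off
rem Added example (not from the thread): require ESP for every packet between
rem this host and one peer, authenticated with a pre-shared key, on Windows
rem Server 2003 via "netsh ipsec static". Transport mode: host-to-host, so no
rem tunnel endpoint is given. Addresses and the key are placeholders.
rem Run on ServerB (10.0.2.10). On ServerA run the same with PEER=10.0.2.10.

set PEER=10.0.1.10
set PSK=ReplaceWithALongRandomSecret
set POLICY=Require-ESP-to-peer

rem 1) Policy container. The default response rule is left off: both hosts
rem    carry an explicit rule, and the response rule would also answer other
rem    peers. mmsecmethods is the IKE main-mode proposal (cipher-hash-DH group).
netsh ipsec static add policy name="%POLICY%" description="All traffic to %PEER% inside ESP" activatedefaultrule=no mmsecmethods="3DES-SHA1-2"

rem 2) Filter list scoped to THIS host and the peer only.
rem    srcaddr=me plus mirrored=yes produces the matching peer-to-me filter.
rem    protocol=ANY covers TCP, UDP and ICMP alike.
rem    srcaddr=any here would demand IPsec from every host this server talks
rem    to and cut it off from its own subnet: that is the "to/from" trap.
netsh ipsec static add filterlist name="To-%PEER%" description="this host to/from %PEER%"
netsh ipsec static add filter filterlist="To-%PEER%" srcaddr=me dstaddr=%PEER% protocol=ANY mirrored=yes

rem 3) Filter action: negotiate ESP and never fall back to clear text.
rem    soft=no   no unsecured fallback if the peer does not negotiate
rem    inpass=no drop unsecured inbound packets that match the filter
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" soft=no inpass=no qmpfs=no

rem 4) Rule = filter list + action + authentication. kerberos=no so that the
rem    PSK is the only method offered. No tunnel= parameter: transport mode.
rem    IKE itself (UDP 500) is exempt from IPsec filtering by the driver, so
rem    the ANY filter does not block the negotiation it depends on.
netsh ipsec static add rule name="ESP-to-%PEER%" policy="%POLICY%" filterlist="To-%PEER%" filteraction="Require-ESP" kerberos=no psk="%PSK%" conntype=all

rem 5) Assign. Only one IPsec policy can be assigned on a host at a time.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Check: after the first packet to the peer an ESP quick-mode SA should show.
netsh ipsec dynamic show qmsas
rem Rollback if the host has gone silent (wrong addresses, or peer not done yet):
rem   netsh ipsec static set policy name="%POLICY%" assign=n
```

Apply it on both hosts before testing: with soft=no, every packet between the two addresses is dropped until both sides carry a matching rule, which is the same symptom as inverted to/from addresses, and unassigning the policy is the quick way back, as Jim notes. The filter scope (srcaddr=me, dstaddr=PEER) is what keeps each server's traffic to its own subnet, and to ISA itself, in the clear.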
 
Massimo
09-08-2008, 11:45 PM
Jim Harrison (ISA SE) wrote:

> IPSec is always defined in the context of "endpoints".
> Since you want IPSec between the two hosts in opposite networks,
> you define them as each other's remote.


Ok, now it's definitely clearer.

> The biggest problem you will have is that Exch FE is not
> communicating only to Exch BE; it must also communicate
> with the domain controllers and other relevant services that
> you may have imposed on them.


No problem about this, that has been already planned; those servers will be
allowed to freely communicate with Exchange BEs and DCs. But they're asking
me to do that inside an IPSec tunnel.

> ISA cannot "see inside" IPSec channels; that's the whole point of IPSec.
> Thus, your ISA policies have to allow IPSec Client and IKE between any
> hosts that are trying to communicate to each other.


This is ok, ISA's role will not be to filter application traffic here; it'll
simply allow IPSec connections between the relevant hosts, what they're
exchanging inside the IPSec channel isn't its business.

> If this is a deployment blocker, you may be better off allowing domain
> traffic only between the Exch FE and the domain network as described
> in the article I linked and play with IPSec in a virtual lab until you get
> the
> definitions nailed.


I'm actually doing exactly that, playing with it in a virtual lab :-)


Massimo

 