
Today I have the following setup:

  • All my servers are located on the Internet; they are protected by Windows Firewall with Advanced Security using IPsec with certificates. This includes the Domain Controllers.
  • All the client computers have a GPO and the corresponding certificate to use the servers.

All in all, it's almost perfect, but there is still one thing that doesn't work: some Internet Service Providers block some communication ports (135 for instance), which creates trouble when clients connect through them.

I don't want to rely on a VPN setup, because all my servers have Internet IPs, so why should I?

Looks like an IPsec tunnel may be the way to go. From my understanding (I have a hard time finding documentation about this, even on MSDN) I can set up a tunnel with the client acting as a gateway and set up a remote gateway on a dedicated server.

EDIT

The real question is: will the tunnel communication be encapsulated into one given UDP/TCP port, rather than each request being forwarded directly?

For instance, if the client tries to contact port 135 of one of my domain controllers, will it be transmitted through port 135 on the Internet wire, or tunneled into one unique/predefined port (say 443 for instance) that has better chances of being open? The same goes for any other port the client tries to contact: all encapsulated into 443.

I hope it's clearer that way; I honestly thought it already was the first time! :)

Thanks

Nock
  • There are no guarantees on the Internet. For anything. – EEAA Apr 28 '13 at 23:03
  • 48K of reputation to pull that kind of answer, looks like you have time to kill... The real question is "are communications encapsulated into one port"; whether the Internet blocks that port or not is not the question right now. – Nock Apr 28 '13 at 23:34
  • ...there's a reason I posted that as a comment, not an answer. :) If you're not asking about whether or not a port can be guaranteed open, then you should probably remove that part. – EEAA Apr 28 '13 at 23:40
  • Show me where I asked that, please. – Nock Apr 28 '13 at 23:43
  • Your last paragraph. – EEAA Apr 28 '13 at 23:46
  • Man, I agree with EEAA. I read your question 3 times, and I still have not the slightest idea what it is that you are asking and trying to do. What do ports have to do with IPsec Layer 3 encapsulation? I really would suggest you clearly formulate your problem and ask a question which makes sense. – Danila Ladner Apr 29 '13 at 00:56
  • I want to know if IPsec Layer 3 encapsulation "packs" all the ports the client contacts into a single one when it is transmitted through the tunnel. – Nock Apr 29 '13 at 00:59

1 Answer


Since you modified your question, then yeah.

It really depends.

If clients establish the VPN tunnel through a NAT device somewhere on their LAN through which they get outside, then IPsec is done over NAT-T, where all IPsec traffic is encapsulated in UDP datagrams using port 4500. So yeah, all the communication going through the tunnel will be over UDP port 4500.

IPsec over TCP works with remote access clients. It is a client-to-security-appliance feature only. It does not work for LAN-to-LAN connections. By default it uses TCP port 10000. You can configure and change it to something non-standard as well (not 80 or 443, apparently). So all IPsec traffic will go over that port 10000.

L2TP/IPsec traffic looks just like IPsec traffic on the wire. The firewall just has to allow IKE (UDP 500).

It may be necessary to allow Kerberos traffic through the firewall, if so then UDP port 88 and TCP port 88 would also need to be forwarded.

Hope this helps. Original question was really unclear.

Danila Ladner
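As an added example (not part of the question or the answer above), the following Python sketch builds a constructed TCP SYN to port 135, wraps it in an ESP header and then in the UDP 4500 NAT-T encapsulation the answer describes, and classifies the packet the way a port-filtering ISP middlebox would. Only the outer UDP port is visible to the classifier; the inner port 135 is not. The packet bytes, SPI and port numbers are constructed sample values, and the IPv4 header and ESP encryption are left out.

```python
import struct

# Constructed sample packets, not captured from any real network.
UDP_HDR = struct.Struct("!HHHH")          # src port, dst port, length, checksum
TCP_HDR = struct.Struct("!HHIIBBHHH")     # ports, seq, ack, offset, flags, win, csum, urg
ESP_HDR = struct.Struct("!II")            # SPI, sequence number (RFC 4303)
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948: marks IKE inside UDP 4500
NAT_KEEPALIVE = b"\xff"                   # RFC 3948: one-octet NAT-T keepalive


def build_tcp_syn(src_port, dst_port):
    """Inner TCP SYN, e.g. a client opening port 135 on a domain controller."""
    data_offset = 5 << 4                  # 20-byte header, no options
    return TCP_HDR.pack(src_port, dst_port, 1, 0, data_offset, 0x02, 65535, 0, 0)


def esp_wrap(spi, seq, inner_packet):
    """ESP header in front of the inner packet. Real ESP encrypts the inner
    packet; it is left in clear here because the classifier never reads it.
    SPI 0 is reserved, so real ESP never starts with four zero bytes."""
    assert spi != 0
    return ESP_HDR.pack(spi, seq) + inner_packet


def build_udp(src_port, dst_port, payload):
    """Outer UDP header (the IPv4 header is omitted for brevity)."""
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(payload), 0) + payload


def classify_outer(udp_packet):
    """Everything a port-filtering ISP middlebox or firewall can see."""
    _src, dst, _length, _csum = UDP_HDR.unpack_from(udp_packet)
    payload = udp_packet[UDP_HDR.size:]
    if dst == 500:
        kind = "IKE"
    elif dst == 4500 and payload == NAT_KEEPALIVE:
        kind = "NAT-T keepalive"
    elif dst == 4500 and payload[:4] == NON_ESP_MARKER:
        kind = "IKE (NAT-T)"
    elif dst == 4500:
        kind = "ESP (NAT-T)"
    else:
        kind = "other"
    # The inner TCP port (135 in the example) is not part of the result:
    # it sits behind the ESP header and, on a real tunnel, behind encryption.
    return {"outer_dst_port": dst, "kind": kind}


if __name__ == "__main__":
    inner = build_tcp_syn(50000, 135)                    # client -> DC port 135
    on_the_wire = build_udp(4500, 4500, esp_wrap(0x1234, 1, inner))
    print(classify_outer(on_the_wire))   # {'outer_dst_port': 4500, 'kind': 'ESP (NAT-T)'}
```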