End to end auth and encryption setting

  • Question

  • Hi

    When I use the default end to edge auth and encryption, I can only connect to resources defined in management servers and DCs. Now I want to let the DA client access all resources in my intranet. According to what I understand, I have to switch "end to edge" to "end to end", and add AD security groups that include all resources (servers).

    After I did this, there is an error regarding E2E when applying the settings. What am I missing? The error is below:

    failed.  A specified IP address or address keyword is not valid.  Usage: add rule name=<string>
          endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
             <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
          endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
             <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
          action=requireinrequestout|requestinrequestout|
             requireinrequireout|requireinclearout|noauthentication
          [description=<string>]
          [mode=transport|tunnel (default=transport)]
          [enable=yes|no (default=yes)]
          [profile=public|private|domain|any[,...] (default=any)]
          [type=dynamic|static (default=static)]
          [localtunnelendpoint=any|<IPv4 address>|<IPv6 address>]
          [remotetunnelendpoint=any|<IPv4 address>|<IPv6 address>]
          [port1=0-65535|<port range>[,...]|any (default=any)]
          [port2=0-65535|<port range>[,...]|any (default=any)]
          [protocol=0-255|tcp|udp|icmpv4|icmpv6|any (default=any)]
          [interfacetype=wiresless|lan|ras|any (default=any)]
          [auth1=computerkerb|computercert|computercertecdsap256|
             computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
          [auth1psk=<string>]
          [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no]
              [catype:root|intermediate (default=root)] |..."]
          [auth1healthcert=yes|no (default=no)]
          [auth1ecdsap256ca="<CA Name> [certmapping:yes|no]
             [excludecaname:yes|no]
             [catype:root|intermediate (default=root)] | ..."]
          [auth1ecdsap256healthcert=yes|no (default=no)]
          [auth1ecdsap384ca="<CA Name> [certmapping:yes|no]
             [excludecaname:yes|no]
             [catype:root|intermediate (default=root)] | ..."]
          [auth1ecdsap384healthcert=yes|no (default=no)]
          [auth2=computercert|computercertecdsap256|computercertecdsap384|
             userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|
             anonymous[,...]]
          [auth2ca="<CA Name> [certmapping:yes|no]
             [catype:root|intermediate (default=root)] | ..."]
          [auth2ecdsap256ca="<CA Name> [certmapping:yes|no]
             [catype:root|intermediate (default=root)] | ..."]
          [auth2ecdsap384ca="<CA Name> [certmapping:yes|no]
             [catype:root|intermediate (default=root)] | ..."]
          [qmpfs=dhgroup1|dhgroup2|dhgroup14|ecdhp256|ecdhp384|mainmode|
             none (default=none)]
          [qmsecmethods=authnoencap:<integrity>+[valuemin]+[valuekb]|
             ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb]
             |default]
          [exemptipsecprotectedconnections=yes|no (default=no)]
          [applyauthz=yes|no (default=no)]

    Remarks:
          - Rule name should be unique and cannot be "all".
          - When mode=tunnel,tunnel endpoints must be specified,
            except when the action is noauthentication.
            When specific IP addresses are entered, they must be
            the same IP version.
            In addition, When configuring dynamic tunnels:
            Tunnel endpoints can be set to any. Local tunnel
            endpoint need not be specified for Client policy
            (i.e any).
            Remote tunnel endpoints need not be specified for
            Gateway Policy (i.e any).
            Also, action must be requireinrequireout, requireinclearout,
            or noauthentication.
          - requireinclearout is not valid when mode=Transport.
          - At least one authentication must be specified.
          - Auth1 and auth2 can be comma-separated lists of options.
          - Computerpsk and computerntlm methods cannot be specified together
            for auth1.
          - Computercert cannot be specified with user credentials for auth2.
          - Certsigning options ecdsap256 and ecdsap384 are only supported on
            Windows Vista SP1 and later.
          - Qmsecmethods can be a list of proposals separated by a ",".
          - For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
            aesgmac256|aesgcm128|aesgcm192|aesgcm256  and
            encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
          - If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for
            both ESP integrity and encryption.
          - Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256,
            sha256 are only supported on Windows Vista SP1 and later.
          - Qmpfs=mainmode uses the main mode key exchange setting for PFS.
          - The use of DES, MD5 and DHGroup1 is not recommended. These
            cryptographic algorithms are provided for backward compatibility
            only.
          - The default value for certmapping and excludecaname is 'no'.
          - The " characters within CA name must be replaced with \'
          - For auth1ca and auth2ca, the CA name must be prefixed by 'CN='.
          - catype can be used to specify the Certification authority type -
            catype=root/intermediate
          - authnoencap is supported on Windows 7 and later.
          - authnoencap means that the computers will only use authentication,
            and will not use any per packet encapsulation or encryption
            algorithms to protect subsequent network packets exchanged as part
            of this connection.
          - QMPFS and authnoencap cannot be used together on the same rule.
          - AuthNoEncap must be accompanied by at least one AH or ESP integrity
            suite.
          - applyauthz can only be specified for tunnel mode rules.
          - exemptipsecprotectedconnections can only be specified
            for tunnel mode rules. By setting this flag to "Yes",
            ESP traffic will be exempted from the tunnel.
            AH only traffic will NOT be exempted from the tunnel.
          - Valuemin(when specified) for a qmsecmethod should be between 5-2880
            minutes. Valuekb(when specified) for a qmsecmethod should be
            between 20480-2147483647 kilobytes.

    Examples:
          Add a rule for domain isolation using defaults:
          netsh advfirewall consec add rule name="isolation"
          endpoint1=any endpoint2=any action=requireinrequestout

          Add a rule with custom quick mode proposals:
          netsh advfirewall consec add rule name="custom"
          endpoint1=any endpoint2=any
          qmsecmethods=ah:sha1+esp:sha1-aes256+60min+20480kb,ah:sha1
          action=requireinrequestout

          Add a rule with custom quick mode proposals:
          netsh advfirewall consec add rule name="custom"
          endpoint1=any endpoint2=any
          qmsecmethods=authnoencap:sha1,ah:aesgmac256+esp:aesgmac256-none
          action=requireinrequestout

          Create a tunnel mode rule from
          subnet A (192.168.0.0, external ip=1.1.1.1) to
          subnet B (192.157.0.0, external ip=2.2.2.2):
          netsh advfirewall consec add rule name="my tunnel" mode=tunnel
          endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16
          remotetunnelendpoint=2.2.2.2
          localtunnelendpoint=1.1.1.1 action=requireinrequireout

          Create a dynamic tunnel mode rule from subnet
          A (192.168.0.0/16)
          to subnet B (192.157.0.0, remoteGW=2.2.2.2)
          Client Policy:
          netsh advfirewall consec add rule name="dynamic tunnel"
          mode=tunnel
          endpoint1=any endpoint2=192.157.0.0/16
          remotetunnelendpoint=2.2.2.2
          action=requireinrequireout
          Gateway Policy (Applied only to the Gateway device):
          netsh advfirewall consec add rule name="dynamic tunnel"
          mode=tunnel endpoint1=192.157.0.0/16
          endpoint2=any localtunnelendpoint=2.2.2.2
          action=requireinrequireout

          Add a rule with CA name:
          netsh advfirewall consec add rule name="cert rule"
          endpoint1=any endpoint2=any action=requireinrequestout
          auth1=computercert auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
           South, East, and West Root Authority\'"



    邁格行動 technical consultant George (小顧)'s blog: http://www.magg.com.tw/blog/
    Thursday, July 15, 2010 1:29 PM

Answers

  • I registered ISATAP addresses in the intranet DNS. I think I am not using native IPv6. So if I use ISATAP, I can't use end-to-end. If that is true, I can only add all servers for the DA client to the management servers list and use end-to-edge. Correct?
    邁格行動 technical consultant George (小顧)'s blog: http://www.magg.com.tw/blog/


    Hi George,

    ISATAP is IPv6 so you can have end to end security when you use ISATAP addresses.

    Do all the machines have computer certificates installed?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Monday, July 26, 2010 10:35 PM
    Monday, July 19, 2010 12:36 PM
    Moderator

All replies

  • Hi George,

    Actually, you can use end-to-edge to access your entire intranet - most people do. End-to-End is when you want to extend the authentication and encryption of traffic all the way to the backend server (instead of terminating at the edge).

    You are probably unable to access your entire intranet using end-to-edge due to some IPsec error.

    To view the audit failures for IPsec in the Windows Logs\Security event log in Event Viewer, you must enable auditing on the DirectAccess client and server with the command:
    auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /failure:enable
    About the error you're seeing when you try to apply the end-to-end settings, I'd appreciate it if you can export the policy generation script and send that to me: yanivn@microsoft.com
    It's possible that the security group you chose doesn't contain any machine with an IPv6 address and ISATAP is disabled.
    Thursday, July 15, 2010 1:41 PM
  • I think I found the reason. The AD security group includes UAG itself, and that causes this error.

    I created a new security group that excludes UAG, and then the apply was OK.

    But I still cannot access resources on the servers in the security group. If I put them into the management servers and DCs list, almost all of them are accessible.

    Can anyone explain why?


    邁格行動 technical consultant George (小顧)'s blog: http://www.magg.com.tw/blog/
    Thursday, July 15, 2010 2:10 PM
  • Hi George,

    Is your intranet DirectAccess tunnel coming up at all?

    You can check in the Windows Firewall with Advanced Security console and look at the Main Mode SAs.

    If you don't see any Kerberos authenticated SAs, then you might be having a problem with the second tunnel establishment.

    Did you have access to the intranet tunnel before employing end-to-end to selected servers?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, July 15, 2010 3:10 PM
    Moderator
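    The checks Yaniv and Tom describe above (enable IPsec failure auditing, look at the Main Mode SAs for Kerberos-authenticated ones, then read the audit failures from the Security log), collected into one diagnostic script for an elevated prompt on the DirectAccess client. This is an added example, not code from the thread; the field layout of the netsh SA listing and the Security-log event IDs it filters on are assumptions about the Windows 7-era output, not values taken from the page.

```powershell
# Added example, not from the thread. Assumptions: "netsh advfirewall monitor
# show mmsa" prints one "Main Mode SA ..." header per SA followed by
# "Field:   value" lines (including Auth1 and Auth2), and the Security log
# records IPsec negotiation failures as event IDs 4652/4653 (Main Mode) and
# 4984 (Extended Mode). Run in an elevated prompt on the DirectAccess client.

# Step 1: enable IPsec failure auditing, exactly as suggested in the thread.
auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /failure:enable

# Step 2: parse the Main Mode SA listing into objects so they can be filtered.
function Get-MainModeSA {
    $sas = @()
    $current = $null
    foreach ($line in (netsh advfirewall monitor show mmsa)) {
        if ($line -match '^Main Mode SA') {
            if ($current -ne $null) { $sas += New-Object PSObject -Property $current }
            $current = @{}
        }
        elseif ($current -ne $null -and $line -match '^\s*([^:]+?):\s+(\S.*?)\s*$') {
            $current[$matches[1]] = $matches[2]   # e.g. Auth1 -> ComputerKerb
        }
    }
    if ($current -ne $null) { $sas += New-Object PSObject -Property $current }
    return $sas
}

$sas = @(Get-MainModeSA)
if ($sas.Count -eq 0) {
    Write-Warning 'No Main Mode SAs at all: the first (infrastructure) tunnel is not coming up.'
}

# Step 3: Tom's check. The intranet tunnel shows up as Kerberos-authenticated SAs;
# none of them points at a problem establishing the second tunnel.
$kerb = @($sas | Where-Object { ($_.Auth1 + ' ' + $_.Auth2) -match 'Kerb' })
"{0} Main Mode SA(s), {1} Kerberos-authenticated" -f $sas.Count, $kerb.Count
$kerb | Format-Table 'Local IP Address', 'Remote IP Address', Auth1, Auth2 -AutoSize

# Step 4: Yaniv's check. Show the most recent IPsec negotiation failures recorded
# once auditing is on (no output means nothing has been logged yet).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4984 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```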
  • Hi, Thomas...

    Thanks for your feedback. I always read your blog... :> There are many, many good articles.

    I just set up the DA environment. To tell you the truth, there are many terms I might not know very well. So I am not sure how and where I can see what you are talking about.

    Do you mind speaking in more detail about what you want me to check?

    Before end-to-end, I added some servers to the management server list, and some of them I could access (remote desktop to them). There are 2008 DCs, member servers and also 2003 servers.

    After transferring some servers to end-to-edge, all of them became unreachable (RDP).

    Thanks again.


    邁格行動 technical consultant George (小顧)'s blog: http://www.magg.com.tw/blog/
    Friday, July 16, 2010 10:22 AM
  • Hi George,

    It could be that you're using NAT64/DNS64 to access the machines on the intranet. If that is true, end to end security won't work because you need to support IPv6 from end to end.

    Are you using native IPv6 addressing on the intranet, or are you using ISATAP?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, July 16, 2010 12:41 PM
    Moderator
  • I registered ISATAP addresses in the intranet DNS. I think I am not using native IPv6. So if I use ISATAP, I can't use end-to-end. If that is true, I can only add all servers for the DA client to the management servers list and use end-to-edge. Correct?
    邁格行動 technical consultant George (小顧)'s blog: http://www.magg.com.tw/blog/
    Friday, July 16, 2010 3:00 PM
  • Hi George.

    Management servers are servers required for the DA client to log in securely. Other servers not specified in this list are still accessible using the end-to-edge model.

    You can read this article to understand some of the DirectAccess concepts: http://technet.microsoft.com/en-us/library/ee428854.aspx#BKMK_concepts

    Thanks,

    Yaniv

    Sunday, July 18, 2010 7:49 AM