Windows Firewall IPSec bypass: asymmetric behavior

Question
Hello everybody!
I'm trying to get Windows Firewall IPSec bypass to work within a SQL replication context, to have all exchanges between SQL Servers encrypted and to avoid a painful port-opening list.
I started with 3 servers:
- a domain (MyDomain) controller with Active Directory (MyDomain/A)
- a SQL server (MyDomain/B)
- another SQL server (MyDomain/C)
I installed everything and checked that SQL replication works fine between B and C.
Then I enabled "Windows Firewall: Allow authenticated IPSec bypass" in B's policy, defining C's SID as the lucky guy, and did something symmetric in C's policy (domain group policies contain only standard, already-made rules).
I defined IPSec rules requiring all exchanges from B to C and from C to B to be authenticated by Kerberos in both B's and C's local IP Security policies (I disabled dynamic rules).
Kerberos tickets appeared in Kerbtray, replication still worked perfectly, machines could see each other without any problem, and I started to think about having a beer.
Then I blocked everything in both B's and C's Windows Firewalls except RDP and "raised the shield(s)" (as Master MINASI says in his chapter 8).
Everything worked fine at first glance: B can ping and connect to C like a charm!
But replication rapidly failed, and it appeared that C couldn't access, not even ping, B (packets are dropped according to B's firewall log file). I rebooted all servers: same problem. I rebooted all servers another time and began my tests on C; surprise: C can connect to B without any problem, but this time it's B that fails to initiate any exchange with C (packets are dropped the same way)…
My beer dream vanished and I've been stuck with that for a week now: it looks like the first "client" can't become a "server"… The usual reporting tools (Event Viewer…) don't report any error.
Did I miss something too huge to be seen from where I stand? Any suggestion or explanation would be gratefully appreciated.
Thursday, January 17, 2008 3:45 PM
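A small diagnostic for the symptom described above (drops recorded in B's firewall log), added here as an example and not part of the original post: it parses Windows Firewall's pfirewall.log by its `#Fields:` header, tallies DROP records per path, source and protocol so the asymmetry is visible at a glance, and flags dropped UDP 500/4500 (IKE/NAT-T) packets, which IPsec needs in order to negotiate at all. The log lines and addresses are constructed placeholders, not the poster's data.

```python
from collections import Counter

# Constructed sample of B's pfirewall.log while C cannot reach it (placeholder
# addresses: B = 10.0.0.2, C = 10.0.0.3). Added example, not the poster's data.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-01-17 15:45:01 DROP ICMP 10.0.0.3 10.0.0.2 - - 60 - - - - 8 0 - RECEIVE
2008-01-17 15:45:02 DROP TCP 10.0.0.3 10.0.0.2 49152 1433 52 S 1234567 0 65535 - - - RECEIVE
2008-01-17 15:45:03 DROP UDP 10.0.0.3 10.0.0.2 500 500 320 - - - - - - - RECEIVE
2008-01-17 15:45:04 OPEN TCP 10.0.0.2 10.0.0.3 1025 1433 0 - 0 0 0 - - - -
"""

# IKE (500) and NAT-T (4500): if these are dropped, IPsec cannot negotiate at all.
IKE_PORTS = {"500", "4500"}


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed records
            yield dict(zip(fields, values))


def summarize_drops(text):
    """Count DROPs per (path, src-ip, protocol); also collect dropped IKE/NAT-T packets."""
    per_peer = Counter()
    ike_drops = []
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP":
            continue
        per_peer[(rec["path"], rec["src-ip"], rec["protocol"])] += 1
        if rec["protocol"] == "UDP" and {rec["src-port"], rec["dst-port"]} & IKE_PORTS:
            ike_drops.append(rec)
    return per_peer, ike_drops


if __name__ == "__main__":
    counts, ike = summarize_drops(SAMPLE_LOG)
    for (path, src, proto), n in sorted(counts.items()):
        print(f"{path:8} from {src:15} {proto:5} dropped {n}")
    print(f"dropped IKE/NAT-T packets: {len(ike)}")
```

Run it against the real log on each server and compare the two outputs: drops that appear only under RECEIVE from one peer, or any dropped IKE/NAT-T packet, narrow the problem down to one side's inbound policy.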
Answers
Hi,
Sorry that nobody responded. I am going through the forum looking for questions that are missing answers. I think this question is not NAP related, so it was not answered here. Do you still have the problem? If so, I will try to get it answered or directed to the correct forum.
Thanks,
-Greg-
Marked as answer by Greg Lindsay (Microsoft employee), Wednesday, July 16, 2008 3:36 PM
Wednesday, July 16, 2008 3:36 PM
All replies
Tuesday, January 29, 2008 2:12 PM
Did you ever solve this?
I'm grappling with the same problem right now.
Wednesday, October 14, 2009 9:25 AM