Windows Firewall IPSec bypass: asymmetric behavior

  • Question

  • Hello everybody!

    I'm trying to get Windows Firewall IPSec bypass to work within a SQL replication context, to have all exchanges between SQL Servers encrypted and to avoid a painful list of port openings.

    I started with 3 servers:
    - a domain (MyDomain) controller with Active Directory (MyDomain/A)
    - a SQL Server (MyDomain/B)
    - another SQL Server (MyDomain/C)

    I installed everything and checked that SQL replication works fine between B and C.

    Then I enabled "Windows Firewall: Allow authenticated IPSec bypass" in B's policy, defining C's SID as the lucky guy, and did something symmetric in C's policy (domain group policies contain only the standard ready-made rules).

    I defined IPSec rules requiring all exchanges from B to C and from C to B to be authenticated by Kerberos in both B's and C's local IP Security policies (I disabled dynamic rules).

    Kerberos tickets appeared in Kerbtray, replication still worked perfectly, the machines could see each other without any problem, and I started to think about having a beer.

    Then I blocked everything in both B's and C's Windows Firewalls except RDP and "raised the shield(s)" (as Master MINASI says in his chapter 8).

    Everything worked fine at first glance: B can ping and connect to C like a charm!
    But replication rapidly failed, and it appeared that C couldn't access, or even ping, B (packets are dropped according to B's firewall log file).

    I rebooted all servers: same problem. I rebooted all servers another time and began my tests on C; surprise: C can connect to B without any problem, but this time it's B that fails to initiate any exchange with C (packets are dropped the same way)…
    My beer dream vanished and I've been stuck with this for a week now: it looks like the first "client" can't become a "server"…

    The usual reporting tools (Event Viewer…) don't report any error.

    Did I miss something too huge to be seen from where I stand?

    Any suggestion or explanation would be gratefully appreciated.

    Thursday, January 17, 2008 3:45 PM
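    The setup the poster describes (Kerberos-authenticated IPsec required in both directions between B and C, everything inbound blocked in Windows Firewall except RDP, and the peer's computer-account SID granted authenticated bypass), written out as an added example that is not part of the original post or of any reply. It uses the Windows Firewall with Advanced Security PowerShell cmdlets (Windows Server 2012 and later) rather than the IP Security policy snap-in and Kerbtray mentioned above; the peer name, peer address, peer SID and SQL port are hypothetical placeholders. Run it on B with C as the peer and on C with B as the peer, then run the check section from both sides, because a one-way failure like the one described above is only visible from the side that cannot initiate.

```powershell
# Added example (not from the original post): Kerberos-authenticated IPsec in both directions
# plus an authenticated-bypass firewall rule, configured on ONE of the two SQL Servers.
# Run it on B with C as the peer, and on C with B as the peer.
# Hypothetical values: replace with the real peer computer-account SID, address and SQL port.
$PeerName    = 'C'                                                  # hypothetical peer host name
$PeerAddress = '10.0.0.20'                                          # hypothetical peer IP address
$PeerSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1105'     # hypothetical SID of the peer's computer account
$SqlPort     = 1433                                                 # hypothetical SQL Server listener port

# To look the real SID up instead of hard-coding it (needs the ActiveDirectory module):
#   $PeerSid = (Get-ADComputer $PeerName).SID.Value

# SDDL granting the peer computer account the authenticated-bypass right.
$PeerSddl = "O:LSD:(A;;CC;;;$PeerSid)"

# 1. Phase 1 authentication: Kerberos machine authentication only, no NTLM or anonymous fallback.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Set    = New-NetIPsecPhase1AuthSet -DisplayName 'SQL peers: Kerberos machine auth' -Proposal $kerbProposal

# 2. Connection security rule: REQUIRE authentication inbound and outbound with the peer.
#    Require/Require on both hosts is the symmetric policy the post describes; Request would
#    silently fall back to clear text and hide a one-way failure instead of surfacing it.
New-NetIPsecRule -DisplayName "SQL replication: require IPsec with $PeerName" `
    -RemoteAddress $PeerAddress -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1Set.Name

# 3. Firewall: block all inbound by default, keep RDP, and let the authenticated peer through.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Allow
New-NetFirewallRule -DisplayName 'Allow RDP' -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow
# -OverrideBlockRules is the "authenticated IPsec bypass" setting: traffic from the computer
# account(s) in $PeerSddl is allowed even where a block rule or the default inbound action would
# drop it, but only when the connection is IPsec-authenticated.
New-NetFirewallRule -DisplayName "Authenticated bypass for $PeerName" -Direction Inbound -Action Allow `
    -RemoteAddress $PeerAddress -Authentication Required -RemoteMachine $PeerSddl -OverrideBlockRules $true

# 4. Checks: run on BOTH servers after generating traffic in each direction. A one-way problem
#    like the one described above shows up as a missing main-mode or quick-mode SA on the side
#    that fails to initiate, while the other side's TCP test still succeeds.
Test-NetConnection -ComputerName $PeerAddress -Port $SqlPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Get-NetIPsecMainModeSA  | Where-Object RemoteEndpoint -eq $PeerAddress
Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq $PeerAddress
# Dropped packets are written to the profile's log once logging is on:
#   Set-NetFirewallProfile -Profile Domain -LogBlocked True
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 20
```

    The bypass rule is deliberately scoped to `-RemoteAddress $PeerAddress` on top of the SID check, so a third machine that obtains a valid Kerberos ticket for its own account still cannot reach the SQL listener; widen it only by adding more computer accounts to the SDDL, not by removing the authentication requirement.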

Answers

  • Hi,

    Sorry that nobody responded. I am going through the forum looking for questions that are missing answers. I think this question is not NAP related, so it was not answered here. Do you still have the problem? If so, I will try to get it answered or directed to the correct forum.

    Thanks,
    -Greg
    Wednesday, July 16, 2008 3:36 PM

All replies

  •  

    Nobody? Really?
    Tuesday, January 29, 2008 2:12 PM
  • Did you ever solve this?

    I'm grappling with the same problem right now.
    Wednesday, October 14, 2009 9:25 AM