Outbound Firewall Rule with authentication does not work


  • Hi there,

    we're testing with IPSec and are running into an issue we can't seem to narrow down.

    Currently there's a GPO denying all inbound and outbound traffic. It also has rules to allow basic AD connectivity in order to be able to retrieve GPO updates etc.

    So far so good.

    Then we created additional rules. We have a webserver running a site on port 980 to test the connectivity. We created a connection security rule that requires inbound and requests outbound authentication. I had set this to require both, but for some reason things like DNS then sometimes worked, sometimes not, without any changes... Really driving me mad... This only applies to the 172.30.0.0/16 subnet, set as both endpoint 1 and endpoint 2.

    We created a rule allowing tcp/980 inbound on the webserver, requiring security (authentication/integrity, no encryption); this rule also specifies that only the application server can connect.

    We created a second rule, and here is where it goes wrong, allowing outbound tcp/980 on the application server. This one also requires security.

    This works. However, if I add the webserver to the outbound rule (the "only allow connections to these computers" check is currently cleared, which is why it works), it drops dead: the connection does not work at all. I figured I maybe had the wrong direction or something, so I tried adding all the computers to the authorized computers section, but no change. If I clear the check it works flawlessly, and I also see the security associations in the Windows Firewall with Advanced Security snap-in. I don't quite get why it stops working when I set it somewhat stricter, since the computer accounts are correct and they secure the connection anyway even if I don't specify them explicitly.

    Wednesday, January 26, 2011 1:24 PM
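The setup the post describes, reproduced as an added example (this is not the poster's configuration or Microsoft's code). It uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later; the poster does not state an operating system, and on Windows 7 / 2008 R2 the same rules are created with "netsh advfirewall consec add rule" and "netsh advfirewall firewall add rule". The GPO path, the domain, the computer account names and the subnet endpoints are assumptions. The two checks at the end are the ones a practitioner would want before touching the "authorized computers" setting: the "only allow connections from these computers" restriction is stored as an SDDL ACE on the computer SID and can only match an IPsec security association that was authenticated with that computer's Kerberos identity, so it is worth confirming both what the rule actually carries and which identities the live main-mode SA was negotiated with.

```powershell
# Added example, not from the original post. Assumptions: GPO name, domain,
# computer account names and the 172.30.0.0/16 endpoints.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Store  = 'contoso.com\IPsec-Test'   # assumed GPO; use 'PersistentStore' to test on one host
$Subnet = '172.30.0.0/16'
$WebSrv = 'CONTOSO\WEBSRV$'          # assumed computer accounts (trailing $ = machine account)
$AppSrv = 'CONTOSO\APPSRV$'

# "Allow only connections from these computers" is stored as an SDDL string with one
# allow ACE per computer SID. Resolve the SID from the account name instead of typing
# it by hand: a mistyped SID produces a rule that nothing can ever match.
function New-ComputerSddl {
    param([string[]]$Accounts)
    $aces = foreach ($a in $Accounts) {
        $sid = (New-Object System.Security.Principal.NTAccount($a)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    return 'O:LSD:' + ($aces -join '')
}

# 1. Connection security rule for the test subnet: require inbound, request outbound.
#    The default Phase1AuthSet authenticates with computer Kerberos, which is the
#    identity a machine-SID ACE in a firewall rule is compared against.
New-NetIPsecRule -PolicyStore $Store -DisplayName 'IPsec 172.30 require-in request-out' `
    -LocalAddress $Subnet -RemoteAddress $Subnet `
    -InboundSecurity Require -OutboundSecurity Request `
    -Mode Transport -Enabled True

# 2. Inbound tcp/980 on the web server: authentication and integrity, no encryption,
#    and only the application server's computer account may connect.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Web 980 in (app server only)' `
    -Direction Inbound -Protocol TCP -LocalPort 980 -Action Allow `
    -Authentication Required -Encryption NotRequired `
    -RemoteMachine (New-ComputerSddl $AppSrv)

# 3. Outbound tcp/980 from the application server, also requiring security. Adding
#    -RemoteMachine here is the step the poster reports as breaking the connection;
#    without that parameter the rule matches any authenticated peer.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Web 980 out (to web server only)' `
    -Direction Outbound -Protocol TCP -RemotePort 980 -Action Allow `
    -Authentication Required -Encryption NotRequired `
    -RemoteMachine (New-ComputerSddl $WebSrv)

# Checks to run on the application server after "gpupdate /force":
# (a) the rule really carries the expected security settings and SDDL
Get-NetFirewallRule -PolicyStore $Store -DisplayName 'Web 980 out*' |
    Get-NetFirewallSecurityFilter |
    Format-List Authentication, Encryption, RemoteMachine
# (b) the identities the live main-mode SA was negotiated with; the remote identity
#     listed here must be the computer account named in the SDDL above, otherwise the
#     authorized-computers restriction cannot match even though an SA exists
Get-NetIPsecMainModeSA |
    Format-List LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

Run the three creation cmdlets once from a management host with the GroupPolicy and NetSecurity modules available; the two checks are meant to be run on the endpoint itself while a tcp/980 connection attempt is in progress, since main-mode SAs are only listed while they are live.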

All replies

  • Hi,

    What operating system is running on the computers? To better understand the issue, please export the firewall and connection security rules from the computers and upload them to the following space:

     https://sftasia.one.microsoft.com/choosetransfer.aspx?key=a11358dc-bf16-4d5e-bb67-ceb125e9e081
    Password: Jguex$K)C1^b39


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, January 31, 2011 6:12 AM
    Moderator
  • Hey there FreakyNL. I came across your post while looking for information on a similar problem.

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/63fa7b33-68d8-4d56-9461-431146902239/#63fa7b33-68d8-4d56-9461-431146902239

    Did you ever get a solution to this issue? 

    Wednesday, April 3, 2013 4:36 PM