IPSec and clusters

Solomon
May 9, 2004
Archived from groups: microsoft.public.win2000.security (More info?)

Hi All
I have 2 Windows 2000 servers in a cluster, and
I'm using group policies to apply IPSec. I'm using IPSec
as a firewall to block subnet ranges and ports. I
currently have the servers open to my subnet and port 80
open for IIS.
My problem is whenever I reboot a server in the
cluster, IPSec blocks port 80 but does not block my local
subnet. I then have to disable IPSec in group policies,
run secedit on the local servers and then reapply IPSec
and rerun secedit on the local servers.

I'm aware that IPSec has problems when encrypting data on
a cluster, but I have not seen anything about using IPSec
as a firewall and having cluster problems.

Any help would be great.
-Solomon
 
Guest

Can you reply back with the filters you are using? (You can change the IP's
if you aren't comfortable making them public).


"Solomon" <anonymous@discussions.microsoft.com> wrote in message
news:c1ca01c489f0$7a9bbe40$a501280a@phx.gbl...
> Hi All
> I have 2 Windows 2000 servers in a cluster, and
> I'm using group policies to apply IPSec. I'm using IPSec
> as a firewall to block subnet ranges and ports. I
> currently have the servers open to my subnet and port 80
> open for IIS.
> My problem is whenever I reboot a server in the
> cluster, IPSec blocks port 80 but does not block my local
> subnet. I then have to disable IPSec in group policies,
> run secedit on the local servers and then reapply IPSec
> and rerun secedit on the local servers.
>
> I'm aware that IPSec has problems when encrypting data on
> a cluster, but I have not seen anything about using IPSec
> as a firewall and having cluster problems.
>
> Any help would be great.
> -Solomon
>
 

Solomon

Here are the filter lists; the IP addresses are all made up.
Hope you can read them, they look bad after pasting.

After one or both cluster nodes are rebooted
the "filter list for port 80" does not take effect, and
only the subnets that are defined in "Filter list for
subnets" have access.


10.10.10.20 Cluster IP
10.10.10.21 Node1
10.10.10.22 Node2
10.10.10.23 Test1 (Stand alone server)



Filter list for port 80 (Filter Action: Allow)

Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS        Destination Address  Destination Mask
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.20          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.21          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.22          255.255.255.255
Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.23          255.255.255.255


Filter list for subnets (Filter Action: Allow)

Mirrored  Protocol  Source Port  Destination Port  Source DNS             Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
Yes       ANY       ANY          ANY               A Specific IP Address  10.10.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255
Yes       ANY       ANY          ANY               A Specific IP Address  192.168.0.0     255.255.0.0  My IP Address    My IP Address        255.255.255.255
Yes       ANY       ANY          ANY               A Specific IP Address  20.50.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255


Filter list for everything else (Filter Action: Block)

Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
Yes       ANY       ANY          ANY               ANY         ANY             0.0.0.0      My IP Address    My IP Address        255.255.255.255


Thanks,
-Solomon




 

Solomon

I have reworked it so it looks better.

Here are the filter lists; the IP addresses are all made up.
After one or both cluster nodes are rebooted the "filter
list for port 80" does not take effect, and only the
subnets that are defined in "Filter list for subnets"
have access.


10.10.10.20 Cluster IP
10.10.10.21 Node1
10.10.10.22 Node2
10.10.10.23 Test1 (Stand alone server)




Filter list for port 80 (Filter Action: Allow)
Mirrored Protocol Source Port
Yes TCP ANY
Yes TCP ANY
Yes TCP ANY
Yes TCP ANY


Destination Port Source DNS Source Address
80 ANY ANY
80 ANY ANY
80 ANY ANY
80 ANY ANY



Source Mask Destination DNS
0.0.0.0 A Specific IP Address
0.0.0.0 A Specific IP Address
0.0.0.0 A Specific IP Address
0.0.0.0 A Specific IP Address


Destination Address Destination Mask
10.10.10.20 255.255.255.255




Filter list for subnets (Filter Action: Allow)
Mirrored Protocol Source Port
Yes ANY ANY
Yes ANY ANY
Yes ANY ANY


Source DNS Source Address
A Specific IP Address 10.10.0.0
A Specific IP Address 10.10.0.0
A Specific IP Address 10.10.0.0


Source Mask Destination DNS
255.255.0.0 My IP Address
255.255.0.0 My IP Address
255.255.0.0 My IP Address


Destination Address Destination Mask
My IP Address 255.255.255.255
My IP Address 255.255.255.255
My IP Address 255.255.255.255



Filter list for everything else (Filter Action: Block)
Mirrored Protocol Source Port
Yes ANY ANY

Destination Port
ANY

Source DNS Source Address
ANY ANY


Source Mask Destination DNS
0.0.0.0 My IP Address

Destination Address Destination Mask
My IP Address 255.255.255.255


 
Guest

Hmm, I don't see anything wrong with the filters. Officially MS only
supports IPsec on WS03 clusters so we are sailing into new waters here. Do
all the subnet filters not work or just the 10.10.0.0 network? Does stopping
and starting the IPSec service fix the issue? How about stopping and
starting clustering?

Filter Action: Allow
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.20 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.21 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.22 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.23 DestMask=255.255.255.255

Filter Action: Allow
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=10.10.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=192.168.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=20.50.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255

Filter Action: Block
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=My IP Address DestMask=255.255.255.255

--

Mark Swift
Software Test Engineer
IP Security
Windows Networking
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

--

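As an added example (not code from the thread or from Microsoft), here is a small Python model of the three filter lists above, as Mark Swift restates them, using the same made-up addresses. It assumes that Windows IPSec applies the most specific matching filter rather than the first one listed, and it reproduces the reported symptom by evaluating a node with the port 80 list missing.

```python
# Added example, not from the thread: a small model of the three Windows 2000
# IPSec filter lists Solomon posted (made-up addresses kept). Modelling
# assumption: the most specific matching filter wins; all filters are mirrored.
from ipaddress import IPv4Address, IPv4Network

def net(addr, mask):
    return IPv4Network(f"{addr}/{mask}", strict=False)

def filter_lists(my_ip):
    """Filters as (protocol, src_net, src_port, dst_net, dst_port, action); None = ANY."""
    me = net(my_ip, "255.255.255.255")              # "My IP Address" on this node
    return {
        "port 80": [("TCP", None, None, net(h, "255.255.255.255"), 80, "ALLOW")
                    for h in ("10.10.10.20", "10.10.10.21", "10.10.10.22", "10.10.10.23")],
        "subnets": [(None, net(s, "255.255.0.0"), None, me, None, "ALLOW")
                    for s in ("10.10.0.0", "192.168.0.0", "20.50.0.0")],
        "everything else": [(None, None, None, me, None, "BLOCK")],
    }

def _matches(value, spec):
    if spec is None:                                  # ANY
        return True
    if isinstance(spec, IPv4Network):
        return IPv4Address(value) in spec
    return value == spec

def specificity(f):
    """Rough weight: each fixed field counts, longer address prefixes count more."""
    proto, src, sport, dst, dport, _ = f
    fixed = sum(1 for x in (proto, sport, dport) if x is not None)
    return fixed + sum(n.prefixlen for n in (src, dst) if n is not None)

def decide(lists, proto, src, sport, dst, dport):
    """Action of the most specific filter matching the packet in either direction."""
    best = None
    for f in (f for lst in lists.values() for f in lst):
        fproto, fsrc, fsport, fdst, fdport, _ = f
        for s, sp, d, dp in ((src, sport, dst, dport), (dst, dport, src, sport)):  # mirrored
            checks = ((proto, fproto), (s, fsrc), (sp, fsport), (d, fdst), (dp, fdport))
            if all(_matches(v, k) for v, k in checks):
                if best is None or specificity(f) > specificity(best):
                    best = f
    return best[5] if best else "NO FILTER"

def after_reboot(my_ip, src, dport):
    """Reproduce the reported symptom: the port 80 list has dropped out on this node."""
    lists = filter_lists(my_ip)
    del lists["port 80"]
    return decide(lists, "TCP", src, 50000, my_ip, dport)
```

With all three lists present, an outside host reaches port 80 and nothing else, while the listed subnets reach everything; with the port 80 list gone, only the subnet filters still allow traffic, which is exactly the behaviour described after a reboot.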