Archived from groups: microsoft.public.win2000.security
Hmm, I don't see anything wrong with the filters. Officially MS only
supports IPsec on WS03 clusters so we are sailing into new waters here. Do
all the subnet filters not work or just the 10.10.0.0 network? Does stopping
and starting the IPSec service fix the issue? How about stopping and
starting clustering?
Filter Action: Allow
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.20 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.21 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.22 DestMask=255.255.255.255
Mirrored=Yes Protocol=TCP SrcPort=ANY DestPort=80 SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=10.10.10.23 DestMask=255.255.255.255
Filter Action: Allow
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=10.10.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=192.168.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=20.50.0.0
SrcMask=255.255.0.0 DestAddress=My IP Address DestMask=255.255.255.255
Filter Action: Block
Mirrored=Yes Protocol=ANY SrcPort=ANY DestPort=ANY SrcAddress=ANY
SrcMask=0.0.0.0 DestAddress=My IP Address DestMask=255.255.255.255
--
Mark Swift
Software Test Engineer
IP Security
Windows Networking
Microsoft
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
--
"Solomon" <anonymous@discussions.microsoft.com> wrote in message
news:0ee101c48bab$cdeb60c0$a301280a@phx.gbl...
>I have reworked it so it looks better.
>
> Here are the filter lists, IP address are all made up.
> After one or both cluster nodes are rebooted the "filter
> list for port 80" does not take effect, and only the
> subnets that are defined in "Filter list for subnets"
> have access.
>
>
> 10.10.10.20 Cluster IP
> 10.10.10.21 Node1
> 10.10.10.22 Node2
> 10.10.10.23 Test1 (Stand alone server)
>
>
>
>
> Filter list for port 80 (Filter Action: Allow)
> Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS        Destination Address  Destination Mask
> Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address  10.10.10.20          255.255.255.255
> Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address
> Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address
> Yes       TCP       ANY          80                ANY         ANY             0.0.0.0      A Specific IP Address
>
> Filter list for subnets (Filter Action: Allow)
> Mirrored  Protocol  Source Port  Source DNS             Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
> Yes       ANY       ANY          A Specific IP Address  10.10.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255
> Yes       ANY       ANY          A Specific IP Address  10.10.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255
> Yes       ANY       ANY          A Specific IP Address  10.10.0.0       255.255.0.0  My IP Address    My IP Address        255.255.255.255
>
> Filter list for everything else (Filter Action: Block)
> Mirrored  Protocol  Source Port  Destination Port  Source DNS  Source Address  Source Mask  Destination DNS  Destination Address  Destination Mask
> Yes       ANY       ANY          ANY               ANY         ANY             0.0.0.0      My IP Address    My IP Address        255.255.255.255
>
>>-----Original Message-----
>>Can you reply back with the filters you are using? (You can change the IPs
>>if you aren't comfortable making them public).
>>
>>
>>"Solomon" <anonymous@discussions.microsoft.com> wrote in message
>>news:c1ca01c489f0$7a9bbe40$a501280a@phx.gbl...
>>> Hi All
>>> I have 2 Windows 2000 servers in a cluster, and
>>> I'm using group policies to apply IPSec. I'm using IPSec
>>> as a firewall to block subnet ranges and ports. I
>>> currently have the servers open to my subnet and port 80
>>> open for IIS.
>>> My problem is whenever I reboot a server in the
>>> cluster, IPSec blocks port 80 but does not block my local
>>> subnet. I then have to disable IPSec in group policies,
>>> run secedit on the local servers and then reapply IPSec
>>> and rerun secedit on the local servers.
>>>
>>> I'm aware that IPSec has problems when encrypting data on
>>> a cluster, but I have not seen anything about using IPSec
>>> as a firewall and having cluster problems.
>>>
>>> Any help would be great.
>>> -Solomon
>>>
>>
>>
>>.
>>
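Mark's normalized filter list is small enough to reason about by hand, but the thread turns on what happens when one of the three lists (the port 80 allow list) does not take effect after a node reboot. The Python model below is an added example; it is not code from this thread, from Microsoft, or from any Windows tool. It evaluates a packet against a filter list using the Windows IPsec rule that the most specific matching filter wins regardless of list order; the exact weighting tuple in `specificity()` is a simplified assumption, not Microsoft's internal weighting. The client address 172.16.5.5 and the ephemeral port numbers are constructed; the server addresses and subnets are the ones Mark listed. With the full policy an external HTTP request to the cluster IP is allowed; with the port 80 list missing (the symptom Solomon describes) the catch-all block filter wins for that same request while traffic from the 10.10.0.0/16 subnet still passes, which is the behaviour to verify on each node after a reboot (for example with `netdiag /test:ipsec` from the Windows 2000 Support Tools).

```python
"""Simplified model of Windows IPsec filter evaluation used as a host firewall.

Added example for the microsoft.public.win2000.security thread above; the
most-specific-filter-wins weighting is an assumption and does not reproduce
Microsoft's internal filter weights exactly.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_IP = "My IP Address"  # IPsec's symbolic "this host" address


@dataclass(frozen=True)
class Filter:
    action: str          # "Allow" or "Block"
    protocol: str        # "ANY" or a protocol name such as "TCP"
    src: str             # "ANY", MY_IP, or "address/prefix"
    dst: str
    src_port: str        # "ANY" or a port number as a string
    dst_port: str
    mirrored: bool = True  # Mirrored=Yes: also match with src/dst swapped


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def _network(spec, my_ip):
    """Resolve a filter address spec to a network; MY_IP becomes a /32."""
    if spec == MY_IP:
        return ip_network(f"{my_ip}/32")
    return ip_network(spec, strict=False)


def _addr_match(spec, addr, my_ip):
    return spec == "ANY" or ip_address(addr) in _network(spec, my_ip)


def _port_match(spec, port):
    return spec == "ANY" or int(spec) == port


def _one_way(f, proto, src, dst, sport, dport, my_ip):
    return (f.protocol in ("ANY", proto)
            and _addr_match(f.src, src, my_ip)
            and _addr_match(f.dst, dst, my_ip)
            and _port_match(f.src_port, sport)
            and _port_match(f.dst_port, dport))


def matches(f, p, my_ip):
    """True if the filter matches the packet in the forward or mirrored direction."""
    if _one_way(f, p.protocol, p.src, p.dst, p.src_port, p.dst_port, my_ip):
        return True
    return f.mirrored and _one_way(f, p.protocol, p.dst, p.src,
                                   p.dst_port, p.src_port, my_ip)


def specificity(f, my_ip):
    """Assumed ordering: longer destination prefix, then source prefix,
    then a named protocol over ANY, then explicit ports over ANY."""
    def plen(spec):
        return 0 if spec == "ANY" else _network(spec, my_ip).prefixlen
    return (plen(f.dst), plen(f.src), f.protocol != "ANY",
            f.dst_port != "ANY", f.src_port != "ANY")


def decide(filters, packet, my_ip):
    """Action of the most specific matching filter; unfiltered traffic passes."""
    hits = [f for f in filters if matches(f, packet, my_ip)]
    if not hits:
        return "Pass (unfiltered)"
    return max(hits, key=lambda f: specificity(f, my_ip)).action


# Mark's normalized policy from the thread, expressed as Filter objects.
WEB_ALLOW = [Filter("Allow", "TCP", "ANY", f"10.10.10.{h}/32", "ANY", "80")
             for h in (20, 21, 22, 23)]
SUBNET_ALLOW = [Filter("Allow", "ANY", net, MY_IP, "ANY", "ANY")
                for net in ("10.10.0.0/16", "192.168.0.0/16", "20.50.0.0/16")]
BLOCK_REST = [Filter("Block", "ANY", "ANY", MY_IP, "ANY", "ANY")]
FULL_POLICY = WEB_ALLOW + SUBNET_ALLOW + BLOCK_REST
POLICY_WITHOUT_WEB = SUBNET_ALLOW + BLOCK_REST  # the post-reboot symptom


def check_scenarios(my_ip="10.10.10.20"):
    """Evaluate constructed sample packets against both policy states."""
    internet_web = Packet("TCP", "172.16.5.5", my_ip, 40000, 80)   # constructed client
    lan_rdp = Packet("TCP", "10.10.3.4", my_ip, 40001, 3389)        # constructed LAN host
    internet_other = Packet("TCP", "172.16.5.5", my_ip, 40002, 443)
    return {
        "web_full": decide(FULL_POLICY, internet_web, my_ip),
        "web_after_reboot": decide(POLICY_WITHOUT_WEB, internet_web, my_ip),
        "lan_full": decide(FULL_POLICY, lan_rdp, my_ip),
        "lan_after_reboot": decide(POLICY_WITHOUT_WEB, lan_rdp, my_ip),
        "other_full": decide(FULL_POLICY, internet_other, my_ip),
    }


if __name__ == "__main__":
    for name, action in check_scenarios().items():
        print(f"{name:18} -> {action}")
```

Running the block prints one line per scenario. The interesting pair is `web_full` (Allow) versus `web_after_reboot` (Block): nothing in the subnet or catch-all lists changed, yet the external HTTP request is now blocked purely because the more specific port 80 filter is absent and the `My IP Address` block filter is the best remaining match. Comparing the filters actually loaded on each node against the expected set after a reboot, rather than trusting the Group Policy object, is what distinguishes a policy-assignment problem from a filter-design problem.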