Windows 2008 R2 - IPSEC Firewall Configuration

Hi,
I want to open IPSEC between two servers with a firewall in between them. Both servers are Windows 2008 R2. I want to limit the IPSEC so that only data can flow from Intranet Server 1 to DMZ server1. (I don't want to allow the DMZ server to initiate data transfer to the intranet.) So, this IPSEC rule is for ONE WAY traffic.
I have asked my network team to open the following ports:
From Server1 on intranet to Server2 in DMZ:
UDP 500
Protocol type 50
Protocol type 51
However, the IPSEC connectivity is failing. The server does not appear to be NEGOTIATING security. To simplify the configuration, I am currently only using a passphrase to authenticate the IPSEC.
I am wondering if I have to open the same firewall ports from the DMZ to the intranet too. Can anyone confirm if the ports must be enabled in both directions to have IPSEC work? And if this is the case, I guess I would have to rely on the IPSEC policy itself to BLOCK communication from the DMZ to the Intranet.

Hi,
Would you please tell us how you configured the IPsec policy?
Have you assigned the IPsec policy after you configured it?
In addition, when configuring IP filters for traffic that must be secured, make sure to mirror the filters.
More information for you:
Windows 2008 R2 - IPSEC Firewall Configuration
http://technet.microsoft.com/en-us/library/cc730656.aspx
Step-by-Step Guide to Internet Protocol Security (IPSec)
http://technet.microsoft.com/en-us/library/bb742429.aspx
Best Regards,
Amy
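How the mirrored connection security rule Amy asks about is paired with host firewall rules to get the one-way flow the question wants, as an added example that is not code from the thread or from Microsoft. The addresses, the application port (TCP 1433) and the pre-shared key placeholder are assumptions; the perimeter firewall still has to pass IKE (UDP 500) and ESP (IP protocol 50) in both directions, because IPsec protects both directions of a flow and the one-way restriction comes from the host firewall, not from the IPsec policy.

```powershell
# Added example, not code from the thread or from Microsoft. Assumed values: Server1
# (intranet) 10.10.1.10, Server2 (DMZ) 10.20.1.10, application port TCP 1433, and a
# placeholder pre-shared key. Run from an elevated prompt; netsh advfirewall is the
# built-in tool on Windows Server 2008 R2 (the NetSecurity cmdlets arrived with 2012).

$Server1 = "10.10.1.10"                       # intranet host, the only side allowed to initiate
$Server2 = "10.20.1.10"                       # DMZ host
$Psk     = "REPLACE-WITH-LONG-RANDOM-SECRET"  # placeholder; a PSK is fine for a test, not for production

# 1. On BOTH servers: the connection security rule. This is the "mirrored" part. IPsec sets
#    up a pair of SAs, one per direction, so both ends need the same rule and the firewall
#    between them must pass UDP 500 (IKE) and IP protocol 50 (ESP) in both directions.
#    IP protocol 51 (AH) is only needed if the quick-mode method includes "ah:"; it does not here.
#    The rule does not make traffic one-way; that is done by the host firewall in steps 2 and 3.
netsh advfirewall consec add rule name=IPsec-Srv1-Srv2 `
    endpoint1=$Server1 endpoint2=$Server2 `
    mode=transport action=requireinrequireout `
    auth1=computerpsk auth1psk=$Psk `
    qmsecmethods=esp:sha1-aes128+60min+100000kb `
    enable=yes

# 2. On Server2 (DMZ): accept the application port only from Server1 and only when the
#    packets arrive protected by an IPsec SA (security=authenticate). Cleartext from
#    Server1, or anything from other hosts, falls through to the default inbound Block.
netsh advfirewall firewall add rule name=Allow-App-From-Srv1 `
    dir=in action=allow protocol=TCP localport=1433 `
    remoteip=$Server1 security=authenticate

# 3. On Server1 (intranet): refuse every connection the DMZ host tries to open. Block rules
#    take precedence over allow rules, and the host firewall is stateful, so replies to
#    connections Server1 itself opened (including its IKE exchange on UDP 500) still pass.
netsh advfirewall firewall add rule name=Block-Inbound-From-DMZ `
    dir=in action=block remoteip=$Server2

# 4. Check negotiation on either host after Server1 opens a connection to Server2:1433.
#    No main-mode SA means IKE never completed (UDP 500 not reaching the peer, PSK mismatch);
#    a main-mode SA without a quick-mode SA points at the quick-mode proposal, while SAs on
#    both sides but no data points at ESP (protocol 50) being dropped by the firewall in between.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```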

Similar Messages

  • Windows 2008 R2 IPSEC fails if NAT involved

    I'm deploying a project that includes an IPSEC Tunnel between Windows servers, through a NAT Firewall. When both servers were Windows 2003, this worked fine. We have had to migrate to Win2k8R2, and now the tunnel is established, but no traffic flows through the tunnel.
    The tunnel has been tested in both Windows Firewall with Advanced Security, and Legacy "Policy Agent" configuration with the same result.
    Originally we were Win2k3 to Win2k3 and it worked:
    |Win2k3 PRIVATEIP|-------|NATFW|-----------|Win2K3 PUBLICIP|
    Then we had to switch one server to Win2k8R2:
    |Win2k3 PRIVATEIP|-------|NATFW|-----------|Win2K8R2 PUBLICIP|
    NATFW is mapping the yellow server to a blue IP address. It is a 1:1 mapping, NAT not PAT! Our tunnel establishes, but no traffic will flow. In our testing, we have the following results:
    Yellow   Blue    Subnets          Outcome
    ===========================================================================
    2k8R2    2k8R2   same             OK
    2k3      2k8R2   same             OK
    2k3      2k3     same             OK
    2k8R2    2k8R2   routed, no NAT   OK
    2k3      2k8R2   routed, no NAT   OK
    2k3      2k3     routed, no NAT   OK
    2k8R2    2k8R2   routed, NAT      Fail (quick/main mode established, no traffic)
    2k3      2k8R2   routed, NAT      Fail (quick/main mode established, no traffic)
    2k3      2k3     routed, NAT      OK
    Any thoughts?

    Hi I have exactly the same issue.
    2k8R2    2k8R2   routed, no NAT   OK
    2k8R2    2k8R2   routed, NAT      Fail (quick/main mode established, no traffic)
    Did you find any solution for this? 
    It is recommended to install ISA server to manage NAT and IPSEC. But I don't want to do this for some reasons.

  • Network security: Configure encryption types allowed for Kerberos-Windows 2008

    If the below setting has been enabled in domain policy on a Windows 2008 R2 DC, what is the effect on a Windows 2008 member server? That setting is not present in Windows 2008.
    Network security: Configure encryption types allowed for Kerberos:
    Please advise, and if possible please provide more info.
    AliahMurfy

    Hi,
    I found some related information: some types of encryption are not supported on Server 2008, such as AES128_HMAC_SHA1.
    For more detailed information please refer to the following KB:
    Network security: Configure encryption types allowed for Kerberos
    http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
    Hope this helps.

  • Unable to load driver for Storage for Windows 2008 UCS B230 M2

    I am trying to Boot from SAN with Windows 2008 R2. I have configured and connected the Cisco UCS Chassis and FI to our Network & Storage. I am having a problem installing Windows 2008 R2 Server on the blades, as it is not able to see the storage LUN during installation. I downloaded drivers from the Cisco Support Site.
    I tried drivers from the ISO ucs-bxxx-drivers.2.1.3 (latest version), but Windows shows that a driver is available yet does not install it; I am getting the following error and the LUN hard disk is not shown for selecting the installation.
    Windows is unable to locate storage LUN. I am able to see the LUN during the boot process.
    I am not sure where I am going wrong, or whether I am choosing the wrong driver.

    I don't see the error message either, but to install W2008 on a boot LUN, you must
    1) do the zoning of the vHBA (initiator) to the pWWN of the storage subsystem port (target)
    2) set up the LUN masking / mapping
    3) install the fnic driver
    Therefore, if you don't see your boot LUN, either 1) and/or 2) has to be fixed
    then
    4) only one path should be configured (e.g. fabric A), because no multipathing is available during installation; this is very important and necessary for W2003, 2008 and 2012
    and
    5) if you see the boot LUN and can install, but the boot fails, the problem is the boot policy!
    Very easy! Good luck!

  • Windows 2008 R2 Std SP1 - firewall reports packets dropped...

    Hi,
    1) I'm trying to harden the Windows firewall on a standalone (non-AD) Windows 2008 R2 Std SP1 server, and restrict outgoing packets to known rules. What I'm seeing is firewall log entries showing dropped packets, and the dropped packets are always zero length. E.g. I configured a rule to allow Windows Service Host svchost.exe to reach out to MS for MS Security Essentials updates, and it is able to check for and download updates, but what I see are dropped zero-length packets for the target IP addresses that I have allowed in the rule. I see other packets too, for other application targets, for which new rules allow the application to work, but again I see dropped zero-length packets. Is there a feature that I can disable to allow the zero-length packets out?
    2) Also, I've enabled firewall logging to a file, but I see a mismatch between what appears in the \Windows\System32\LogFiles\Firewall\*.log files versus the event ID 5152 entries in the Security event log. I mean, sometimes I see corresponding matching entries, most of the time I don't; it's as if some of the notifications re dropped packets make it to the firewall log file, some make it to the event log, and some make it to both. Is this just atypical and that's just the way it is?
    Thanks.  Dave.

    Hi Dave,
    I suggest you use Netsh commands to collect diagnostic data for Windows Firewall and IPsec; the collected data will be exported into an XML file that we can examine for clues to the cause of the problem.
    Please use the command below for capturing:
    netsh wfp capture start file="path and file"
    More information for you:
    Netsh Commands for Windows Filtering Platform (WFP) in Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/dd735538(v=WS.10).aspx
    [SDP 3][ 4f18caa6-df64-4dfd-a18e-096cf5a6a0fc] IPSEC Trace Logging
    http://support.microsoft.com/kb/2749575
    Best Regards,
    Amy

  • Windows 2008 Server Configuration - Help

    Hello All,
    I am not an expert in configuring servers and I have just started to learn. Please forgive me if I am doing something funny!
    I have a router with a static IP address and DHCP enabled on the router. The router had the following configuration, as shown below, and the clients were obtaining IP addresses from the router and using the internet without a problem.
    Router Configuration:
    Basic Setting:
    IP Address : 122.165.60.160 (My Wan Static IP)
    IP Subnet Mask : 255.255.252.0
    Gateway IP: 122.165.60.1
    DNS Address:
    Primary DNS : 203.145.184.32
    Secondary DNS: 203.145.184.13
    LAN TCP/IP Setup:
    IP Address: 192.168.2.1 (Router IP)
    IP Subnet Mask: 255.255.255.0
    DHCP Enabled:
    Starting IP : 192.168.2.11
    Ending IP: 192.168.2.100
    Now, I have installed Windows 2008 R2 Server with Active Directory, DNS and DHCP, IIS. I have created a few users and did nothing more than that in the server.
    Server IP Settings
    Server IP: 192.168.2.5
    Subnet : 255.255.255.0
    Gateway : 192.168.2.1
    DNS: 127.0.0.1
    And when I tried to join the domain I created (corp.globe.com), the clients were not able to find the domain. I therefore changed the following settings in the router.
    DNS Address:
    Primary DNS : 203.145.184.32
    Secondary DNS: 192.168.2.5 (Server IP)
    After this change the clients were able to join the domain and log in as well. However, the clients were getting the IP from the router. I am facing a lot of problems, as listed below.
    1. I am not able to ping the clients using the computer name from the server.
    2. Clients cannot ping other clients or the server using the name. (Suppose I try PING SYS1... it looks like it is trying to ping some 92.x.x.xx IP address) even if SYS1's IP address is 192.168.2.13.
    3. Clients can access Internet, but I cannot browse anything in the server.
    Please help me with the configuration, or point me to some guide which describes the same. I tried to set up and enable the DHCP server on the Windows 2008 machine and I disabled DHCP on the router; clients were able to get an IP address from the Windows 2008 server, but they were not able to use the internet. Please advise.
    Thanks for your time.

    Hi,
    And you cannot ping the clients using the computer name from the server?
    Did you turn off the firewall on server and client?
    If you are having problems connecting to Active Directory and you have already successfully verified network connectivity, there might be a name resolution problem. For more detailed information, please refer to:
    http://technet.microsoft.com/en-us/library/cc961921.aspx
    Regards.
    Vivian Wang

  • Oracle12c SQL*NET blocked by Windows 2008 firewall - what is the correct solution?

    Hello,
    I have a question with regards to the SQL*NET traffic being blocked by the Windows 2008 firewall. This document shows that disabling the firewall can resolve the problem:
    https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=166773506396122&id=1472931.1&displayIndex=13&_afrWindowMode=0&_adf.ctrl-state=o4dq0hlih_112
    Is this really the solution?
    From what I understand from other documents, just enabling port 1521 will not resolve any issues, as SQL*NET can use redirection to other random ports. That is probably the reason why the Oracle installation does not alter any firewall settings.
    What other methods do people use to connect a client to a DB server?
    This document shows what other methods to use, but who uses them?
    https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=166043735580557&id=68652.1&_afrWindowMode=0&_adf.ctrl-state=o4dq0hlih_78
    Does anyone use the Oracle Connection Manager for example?
    Thanks
    Richard

    I configure the firewall to allow the DB server to start new network connections.

  • How to Configure Microsoft loopback adapter in windows 2008

    Hi all,
    I am trying to install SAP IDES 6.0. While I'm trying to install it, it is asking for Unlimited Strength Jurisdiction Policy Files at runtime.
    I do have the local and US policy jar files, but I guess it's asking for the JCE extension file, which I don't know about, so I'm not able to proceed further. It gives some error about local host. I think it's about the Microsoft loopback adapter. Does anyone have an idea about it? How to configure the Microsoft loopback adapter in Windows 2008?
    Can anyone help me ASAP because I'm stuck like anything.
    thanks
    Cheers

    Hi Vinay,
    Thanks for the reply... I'm installing SAP IDES with DB2.
    I have uploaded the JCE zip file; after clicking the Next button I'm getting the following errors:
    ERROR 2014-10-02 09:52:29
    MOS-01185  The subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS' does not exist on the 'localhost' host.
    ERROR 2014-10-02 09:52:29
    FCO-00011  The step collect with step key |NW_Onehost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|1|0|NW_GetSidNoProfiles|ind|ind|ind|ind|2|0|collect was executed with status ERROR .
    I guess it's about the loopback adapter configuration. Still, I'm not sure... Do you have any idea about it?
    How can I get rid of it?
    Thanks

  • How to Configure Active-Passive oracle cluster in Windows 2008 R2 64bit Server.

    How to configure an Active-Passive Oracle cluster on Windows 2008 R2 64-bit Server with Oracle 11g R2.
    How many databases will play in this role?
    Best,

    hello
    I was going through your post and I am also doing the same thing here at our organisation for Oracle 10g R2.
    Can you please send me any docs you have for configuration of Oracle in Windows clusters?
    And, can you please elaborate on this point:
    e)Create Oracle Service with the same name in the 2nd node and copy all the files like spfile,tnsnames.ora,listener.ora,password file to Node2.
    Please send me the details at [email protected] or you can contact me at 08054641476.
    Thanks in advance.

  • Firewall for Windows File Share for Windows 2008

    Hi All,
    Recently we upgraded one of our application file servers from Windows 2000 to Windows 2008. We use this server for file sharing; we read files from and write files to this server. For one week post-upgrade everything went fine, then all of a sudden we started seeing issues like the application servers stopped communicating with this server.
    We worked with our firewall team and enabled port 445; after this the application servers started communicating with the file server. Our application servers are on Windows 2003 Server.
    Can someone please help me understand what port needs to be enabled for accessing the file shares? My firewall team confirmed there were no firewall rules between the application server and the file server.

    Hi,
    Based on my research, the firewall ports required for SMB file sharing are ports 445 and 139.
    More information for you:
    SMB: File and printer sharing ports should be open
    https://technet.microsoft.com/en-us/library/ff633412(v=ws.10).aspx
    Best Regards,
    Amy

  • Slowness when connecting to RemoteApp configured in Windows 2008 R2 Server using RDP file

    Dear All,
    When connecting to a RemoteApp configured in Windows 2008 R2 with a less privileged user it takes ~20 seconds to connect. The initial connection to the application takes about 20-30 seconds and, once loaded, subsequent RemoteApp connections take 2-3 seconds; i.e. if there is a disconnected session available on the server it connects quickly, otherwise it takes a long time.
    I am seeing this issue with Windows 2008 Server; when I connect to a Windows 2012 Server RemoteApp it gets connected quickly. Also, if I try with a higher privileged user (like RemoteAdmin) the connection is quick. The user I am trying with has a lot of group policies set to limit user access to the file system, desktop and registry.
    If I keep the UAC settings at the minimal level the connection happens quickly (i.e. this solves the issue). But I am not supposed to change the server UAC setting. It seems this has something to do with the list of group policies set for the user.
    Any suggestion to avoid this first-time connection delay for less privileged users connecting to RemoteApp (in Windows 2008 Server)?
    Thanks
    Bachuu

    Hi Bachu,
    Thank you for posting in Windows Server Forum.
    First of all, if you are using an RD Gateway server then I would like you to uncheck the “Bypass RD Gateway server for local address” checkbox under RemoteApp Manager and notify us of the result.
    Configure Remote Desktop Gateway Settings
    I would also like you to update the RDP client version to RDP 8.1 and then check the result. In addition, I suggest you check that you have a proper certificate in place. You can enable certificate revocation checking on the RD Gateway client; you might be facing the issue due to this. Please notify us if you find any certificate-related warning. Refer to the article below for information.
    How to Enable Certificate Revocation Checking on a Remote Desktop Gateway Client
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Cisco aironet 2600 series AP configuration with windows 2008 R2 Radius server.

    I want to know the configuration of a Cisco Aironet 2600 series AP with a Windows 2008 R2 Radius server.
    I have
    1. AD & DHCP Server
    2. Cisco Aironet 2600 Access Point.
    I want to connect wifi devices through this AP. Authentication should be through the Radius server and AD.

    Hi,
    The link below should support your requirement:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116584-configure-wirelesslan-00.html
    Minimal commands:
    AP(config)# aaa new-model
    AP(config)# radius-server host 172.20.0.1 auth-port 1645 acct-port 1645 key XXXXXX
    AP(config)# radius-server deadtime 10
    HTH
    Sandy

  • Remote Access to Windows 2008 R2 Server configured with local IP

    Hello,
    I have a Windows 2008 R2 Server configured with local IP (e.g. 192.168.1.115).
    Please, how can I access it remotely from outside its local domain (through Remote Desktop Connection)?
    Thank you.
    Tony.

    Hi Tony,
    Based on your description, you would like to connect to the Windows 2008 R2 server via Remote Desktop Connection.
    So you need to enable Remote Desktop on the Windows 2008 R2 server if it is not already enabled.
    1. Install and configure the Remote Desktop Session Host role service on the Windows 2008 R2 server.
    2. Add the related user to the Remote Desktop Users group on the Windows 2008 R2 server.
    3. Configure the Remote Desktop connection on the client.
    Also, since you would like to access it remotely from outside the domain, you will need a VPN connection or a port forward to connect through.
    For more details, please refer to the guide below,
    Installing and Configuring Remote Desktop Session Host
    http://technet.microsoft.com/en-us/library/dd883253.aspx
    Allow Remote Desktop connections from outside your home network
    http://windows.microsoft.com/en-IN/windows7/allow-remote-desktop-connections-from-outside-your-home-network
    Best Regards,
    Tina

  • Configure OEM on Oracle Failsafe 3.4.2 (11g R2) on windows 2008

    Hi Friends,
    Please let me know how to configure Oracle Enterprise Manager (OEM) on Oracle Fail Safe 3.4.2 (11g R2 Database) on Windows 2008.
    I found Metalink Note 396659.1 but I am unable to open the note.
    Please provide the proper note.
    Regards,
    DB

    I have the same problem.
    My solution is:
    1. Add OFS group name mapping VIP in DNS
    2. Add VIP in MSCS manager
    3. Delete VIP in OFS manager
    4. Add VIP in OFS manager

  • Windows 2008 DNS & DHCP configuration steps for 11gR2 GI install with GNS

    Hi,
    I have a Windows 2008 R2 server with DNS & DHCP services installed. I am planning to install a 2-node RAC with the GNS option.
    The problem is I could not find any document on setting up the Windows 2008 DNS server for the steps below.
    a. Configure GNS VIP: add a name resolution entry in the DNS for the GNS virtual IP address in the forward lookup file.
    gns-server IN A <virtual_IP>
    where gns-server is the GNS virtual IP address given during grid installation.
    b. Configure the GNS sub-domain delegation: add an entry in the DNS to establish a DNS lookup that directs the DNS resolution of a GNS subdomain to the cluster.
    clusterdomain.example.com. NS gns-server.example.com.
    where clusterdomain.example.com is the GNS subdomain (provided during grid installation) that you delegate and gns-server.clustername.com resolves to the GNS virtual IP address.
    I am aware that these configuration steps have to be taken care of by the system administrator. Here is what he tried, and the results.
    My SA was able to configure the GNS VIP in the DNS and nslookup works fine for this.
    When he configures the GNS sub-domain delegation, nslookup fails when trying to resolve the SCAN name.
    Any step-by-step tutorial for this Windows 2008 DNS & DHCP configuration for Oracle GNS setup would be highly appreciated.
    Thanks,
    Ashok Kumar.G

    Hi Guys,
    Any help on this request will be very helpful.
    Thanks,
    Ashok Kumar.G
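The two DNS steps from the post carried out on a Windows DNS server with dnscmd, as an added example that is not code from the thread or from Oracle. The zone name example.com, the VIP 192.0.2.50 and the SCAN name are assumptions; the last check also shows why an nslookup of the SCAN name fails until GNS itself is running on the cluster.

```powershell
# Added example, not code from the thread or from Oracle. Assumptions: this Windows DNS
# server is authoritative for example.com, the GNS VIP is 192.0.2.50 (documentation
# range), the GNS name is gns-server and the delegated subdomain is clusterdomain.
# Run elevated on the DNS server; dnscmd.exe is installed with the DNS Server role.

$Zone      = "example.com"
$GnsHost   = "gns-server"
$GnsVip    = "192.0.2.50"
$SubDomain = "clusterdomain"

# Step a: forward lookup entry for the GNS VIP (gns-server.example.com -> 192.0.2.50).
dnscmd /RecordAdd $Zone $GnsHost A $GnsVip

# Step b: delegate the subdomain. The NS record lives in the PARENT zone (example.com) and
# points at the name created in step a, written fully qualified with the trailing dot.
# Do not also create clusterdomain.example.com as a zone on this server: an authoritative
# local zone would answer "name does not exist" instead of handing the query to GNS.
dnscmd /RecordAdd $Zone $SubDomain NS "$GnsHost.$Zone."

# Checks, from a domain member that uses this DNS server:
# the VIP record itself must resolve
nslookup "$GnsHost.$Zone"
# the delegation should list gns-server as the name server for the subdomain
nslookup -type=NS "$SubDomain.$Zone"
# names inside the subdomain (SCAN and node VIPs) are answered by GNS running on the
# cluster, so this only resolves after Grid Infrastructure is installed and GNS is up
nslookup "cluster-scan.$SubDomain.$Zone"   # the SCAN name is an assumed placeholder
```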
