Sunday, November 10, 2013

Creating a IPSEC tunnel with the Windows Firewall with Advanced Security

Windows provides a very simple way to establish a secure communication (IPSEC) between two machines on the machine level: Connection Security Rules.
Connection Securiy Rules allow the configuration of a encrypted communication even a user is not logged on. The IPSEC rule can use a preshared key (for testing, single server or you do not have a PKI) or digital certificates for authentication in an enterprise environment Using certificates is the best way for authentication and my recommendation.
The computer and the users have still to authenticate before they can use any service on a IPSEC protected host, so see IPSEC as an pre-authentication.

Use scenarios:
- You want allow only access from corporate laptop computers to Exchange Outlook Anywhere or other internal services directly, or over TMG or UAG
- You have a server externally hosted and you want have a more secure way to RDP in
- You want allow access to a file share for remote workers in a way they do not have to VPN-in all the time
- You want make sure that computers for remote worker can use the corporate WSUS server for patching even the machines are not connected back via VPN to corporate network
- ...

- Windows Firewall service must be running
- Windows Firewall profiles must be active the network profile(s)
- Firewall rules must allow IPSEC traffic ESP and UDP500(ISAKMP). UDP4500(IPSEC NAT-T) is required if the server is behind a NAT firewall (as it is in this example)

Note: You can require IPSEC also only for certain TCP ports, e.g. you have an externally hosted web server. Require IPSEC only for 3389(RDP) for web server administration but port 80 is open because you clients want surf your companies public web site.And make all other ports not available from outside of that server at all.

Client Configuration Steps

The client configuration can be done using the Advanced Windows Firewall management console (wf.msc) or via group policy. In this post i use the group policy.

1.       Open Group Policy Management

2.       Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/ Windows Firewall with Advanced Security/Connection Security Rules

Note: as alternative and for testing you can also start the Windows Firewall management console by starting wf.msc from the Run dialog.

3.       Make a right mouse click on Connection Security Rules and click on New Rule…

4. Select Server-to-server as rule type and click Next.

5.   Add the public IP address of the edge server to the list of IP addresses under “Which computers are in Endpoint 2?” Then select Next to continue.

6.       Select and then click Next.

7. Click Browse and select the appropriate CA name. Then click Next.

8. Select all firewall profiles and click Next.

9. Enter name and description of the rule. Then click Finish to end the configuration wizard.

Server Side Configuration Steps

The server must have a second network card for external facing connections. The configuration of the IPSEC rules should be for this interface, otherwise you might lose the network connection to the server.

1. Start the Windows Firewall Advanced Configuration management console from the Run menu by running wf.msc.

2. Click on Connection Security Rules and then New Rule …

3. Select Server-to-server and click Next.

4. Add the server IP address to the list of IP address under “Which computers are in Endpoint 2?” and click Next to continue.

5. Select Require authentication for inbound and outbound connections and then click on Next.

6. Click Browse and select the appropriate CA name. Then click Next.

7. Select all firewall profiles and click Next.