Active Directory Replication over Firewalls

Neil Rudd
New Member

We're trying to enable Active Directory replication between 2 sites divided by 2 separate firewalls using NAT.

The Setup

Private: 192.168.255.#
Public: 62.49.#.#
Domain Controller (Windows 2003)
|
|
|
3Com OfficeConnect VPN firewall (3CR870-95)
1-to-1 NAT Enabled
|
|
[Internet]
|
|
Cisco PIX 515E
1-to-1 NAT Enabled
|
|
|
Private: 192.168.84.#
Public: 212.78.#.#
Domain Controller (Windows 2003)


The question

Can we utilise IPSec for Active Directory replication (using Kerberos for authentication)? If yes, could someone point me in the direction of documentation that explains how to achieve this or provide some pointers? I've followed several Microsoft articles, including the well-written one by Steve Riley (Active Directory Replication over Firewalls), but so far I've been unable to get replication working. When doing a ping, it continuously responds with "Negotiating IP security". When setting up the IPSec IP filter, do I specify the private IP address of the destination server or the public IP address?

Ivan Ferreira
Honored Contributor

Re: Active Directory Replication over Firewalls

IPSec-protected traffic will not work with Network Address Translation (NAT). NAT needs to modify packets in transit, but IPSec is designed to be tamper-resistant, preventing packet modification. The IETF is currently working toward specifying a NAT and IPSec interoperability standard.

A new technology known as IPsec NAT Traversal (NAT-T) has been standardized by the IP Security Protocol Working Group of the Internet Engineering Task Force (IETF) and is defined in Requests for Comments (RFCs) 3947 and 3948. IPsec NAT-T defines both changes in the negotiation process and different methods of sending IPsec-protected data.

Information about NAT-T can be found here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0802.mspx

Another good document for AD with IPSEC and protected networks:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
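The mechanics behind the reply above, as an added example that is not part of the forum thread and is not Microsoft's or 3Com's code: a small Python simulation of (1) why an AH-style integrity check fails once a NAT rewrites the IP header, (2) how IKEv1 NAT discovery with NAT-D payloads (RFC 3947) lets the peers notice the NAT, and (3) the UDP port 4500 framing (RFC 3948) that carries IKE, ESP and keepalives through it. All cookies, keys and packet bodies are constructed for the demonstration, and the addresses are taken from the RFC 5737 documentation ranges rather than the poster's sites.

```python
"""
Added example (not from the forum thread): AH under NAT, RFC 3947 NAT-D
discovery, and RFC 3948 UDP/4500 framing. All inputs are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

UDP_NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefixes IKE sent on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-octet keepalive payload


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Simplified AH ICV: an HMAC that, like real AH, covers the immutable IP
    header fields (source and destination addresses) as well as the payload."""
    covered = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_verify_after_nat(key: bytes, src: str, dst: str, payload: bytes, nat_src: str) -> bool:
    """Sender computes the ICV over its own (private) address, a 1-to-1 NAT
    rewrites the source address, and the receiver verifies over what it sees."""
    sent_icv = ah_icv(key, src, dst, payload)
    return hmac.compare_digest(sent_icv, ah_icv(key, nat_src, dst, payload))


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port), with
    IP as 4 or 16 octets and Port as 2 octets, both in network byte order."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, received_hash: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver recomputes the hash over the source address and port it actually
    saw on the wire; a mismatch means a NAT rewrote the header on the path."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != received_hash


def udp_encap_esp(spi: int, seq: int, esp_rest: bytes) -> bytes:
    """UDP-encapsulated ESP (RFC 3948): the UDP payload starts directly with the
    ESP header. SPI 0 is reserved, which is what lets a receiver tell ESP apart
    from the all-zero Non-ESP Marker that prefixes IKE on the same port."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + esp_rest


def udp_encap_ike(ike_msg: bytes) -> bytes:
    """IKE carried on UDP 4500 is prefixed with the 4-octet Non-ESP Marker."""
    return NON_ESP_MARKER + ike_msg


def classify_udp4500(payload: bytes) -> str:
    """Receiver-side demultiplexing of a datagram arriving on UDP/4500."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:          # at least an SPI and a sequence number
        return "esp"
    return "invalid"


def demo():
    """A DC behind a 1-to-1 NAT talks to a remote DC: the AH check fails, NAT-D
    reveals the NAT, and traffic is framed for UDP 4500 instead."""
    key = b"constructed-demo-key"
    private_src, nat_public_src, remote = "192.0.2.10", "198.51.100.10", "203.0.113.20"
    ah_ok = ah_verify_after_nat(key, private_src, remote, b"LDAP replication", nat_public_src)

    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    # The initiator hashes the address it believes it has (its private one)...
    sent = nat_d_hash(cky_i, cky_r, private_src, 500)
    # ...but the responder sees the packet arrive from the NAT's public address.
    behind_nat = nat_detected(cky_i, cky_r, sent, nat_public_src, 500)

    kinds = [classify_udp4500(p) for p in (udp_encap_esp(0x1000, 1, b"\x00" * 16),
                                            udp_encap_ike(b"\x01" * 28),
                                            NAT_KEEPALIVE)]
    return ah_ok, behind_nat, kinds


if __name__ == "__main__":
    print(demo())
```

The NAT-D step is the part that matters for the two-firewall setup in the question: each side hashes the address it sees in its own IP stack, so a peer behind a 1-to-1 NAT produces a hash that the other side cannot reproduce, and that mismatch is what tells both peers to move to UDP 4500 encapsulation rather than send ESP or AH directly across the NAT.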