Does Windows Server 2008 R2 firewall ipsec tunnel encapsulated data in one port

ipsec, windows-firewall, windows-server-2008-r2

Today I have the following setup:

  • All my servers are located on the internet; they are protected by Windows Firewall with Advanced Security using IPsec with certificates. This includes the Domain Controllers.
  • All the client computers have a GPO and the corresponding certificate to use the servers.

All in all, it's almost perfect. There's still one thing that doesn't work: some Internet Service Providers block some communication ports (135, for instance), which creates trouble when clients connect through them.

I don't want to rely on a VPN setup, because all my servers have internet IPs, so why should I?

Looks like the IPsec tunnel may be the way to go. From my understanding (I have a hard time finding documentation about this, even on MSDN) I can set up a tunnel with the client acting as a gateway and set up a remote gateway on a dedicated server.

EDIT

The real question is: will the tunnel communication be encapsulated into one given UDP/TCP port rather than each request being forwarded directly?

For instance, if the client tries to contact port 135 of one of my domain controllers, will it be transmitted through port 135 on the internet wire, or tunneled into one unique/predefined port (say 443, for instance) that has a better chance of being open?
The same goes for any other port the client tries to contact: all encapsulated into 443.

I hope it's clearer that way; I honestly thought it already was the first time! 🙂

Thanks

Best Answer

Since you modified your question, then yeah.

It really depends.

If clients establish the VPN tunnel through a NAT device somewhere on their LAN through which they get outside, then IPsec is done over NAT-T, where all IPsec traffic is encapsulated in UDP datagrams using port 4500. So yeah, all the communication going through the tunnel will be over UDP port 4500.

IPsec over TCP works with remote access clients. It is a client-to-security-appliance feature only. It does not work for LAN-to-LAN connections. By default it uses TCP port 10000. You can configure and change it to something non-standard as well (not 80 or 443, apparently). So all IPsec traffic will go over that port 10000.

L2TP/IPsec traffic looks just like IPsec traffic on the wire. The firewall just has to allow IKE (UDP 500).

It may be necessary to allow Kerberos traffic through the firewall; if so, then UDP port 88 and TCP port 88 would also need to be forwarded.

Hope this helps. Original question was really unclear.
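To make the NAT-T point concrete: everything the answer describes ends up as UDP/4500 datagrams, and RFC 3948 defines how a firewall or analyst tells them apart (a one-byte 0xFF keepalive, a four-zero-byte "non-ESP marker" in front of IKE, otherwise an ESP SPI and sequence number followed by ciphertext). This is an added example by the editor, not code from the answer or from Microsoft; the three sample datagrams are constructed, and the point it makes is that the inner destination port (135 in the question) sits inside the encrypted ESP body and is never visible on the wire.

```python
"""Classify UDP/4500 payloads as IKE, NAT-keepalive or UDP-encapsulated ESP (RFC 3948)."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero bytes in front of IKE on port 4500
IKE_HEADER = "!QQBBBBII"               # init SPI, resp SPI, next payload, version, exchange, flags, msg id, length


def classify_udp4500(payload: bytes) -> dict:
    """Return what an on-path observer (ISP, firewall) can tell from one UDP/4500 datagram body."""
    if payload == b"\xff":
        # NAT-keepalive: keeps the NAT mapping alive, carries nothing.
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        # An ESP SPI is never zero, so four zero bytes unambiguously mean IKE follows.
        ike = payload[4:]
        if len(ike) < struct.calcsize(IKE_HEADER):
            return {"kind": "ike", "error": "truncated IKE header"}
        _, _, _, version, exchange, _, _, length = struct.unpack(IKE_HEADER, ike[:28])
        return {"kind": "ike", "major_version": version >> 4, "exchange_type": exchange, "length": length}
    if len(payload) < 8:
        return {"kind": "unknown", "error": "too short for an ESP header"}
    # ESP: only SPI and sequence number are in the clear; the inner IP/TCP/UDP headers
    # (and therefore the original destination port) are inside the encrypted body.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_bytes": len(payload) - 8,
            "inner_port_visible": False}


# Constructed sample datagrams (not captured traffic).
KEEPALIVE = b"\xff"
IKE_SA_INIT = NON_ESP_MARKER + struct.pack(IKE_HEADER, 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)
ESP_PACKET = struct.pack("!II", 0xDEADBEEF, 1) + bytes(32)  # 32 bytes standing in for ciphertext


def summarize(datagrams: list) -> dict:
    """Count datagram kinds seen on UDP/4500; an ISP sees only these, never the inner ports."""
    counts: dict = {}
    for body in datagrams:
        kind = classify_udp4500(body)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for body in (KEEPALIVE, IKE_SA_INIT, ESP_PACKET):
        print(classify_udp4500(body))
    print(summarize([KEEPALIVE, IKE_SA_INIT, ESP_PACKET, ESP_PACKET]))
```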
