Recipe 10.3. Enabling IPsec Between Front- and Back-End Servers

Problem

You want to protect traffic between your front- and back-end servers by using IPsec.

Solution

Using a graphical user interface

To create a new IPsec policy for HTTP, POP, and IMAP on the front-end server, do the following:

  1. Log on to the front-end server with an account that has administrative privileges.

  2. Open the Microsoft Management Console (mmc.exe).

  3. From the menu select File → Add/Remove Snap-In. When the Add Standalone Snap-in dialog box appears, click the Add button.

  4. Select the group policy snap-in from the list (Group Policy Object Editor on Windows 2000, Group Policy on Windows 2003) and click the Add button.

  5. The Select Group Policy Object dialog box appears. Make sure the Group Policy Object field says Local Computer, and click Finish.

  6. Click Close and click OK to return to the management console.

  7. Expand the IPsec policy object, which is located under Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → IP Security Policies on Local Computer.

  8. Right-click IP Security Policies on Local Computer and select Create IP Security Policy.

  9. When the IP Security Policy wizard appears, click Next.

  10. Give the policy a name (and, optionally, a description) and click Next.

  11. Click Next to keep the default response rule.

  12. In the Default Response Rule Authentication Method dialog box, make sure that Active Directory default (Kerberos V5 protocol) is selected and click Next.

  13. Click Finish; the properties dialog box for the new policy will appear.

  14. Click the Add button and click Next to start the Create IP Security Rule Wizard.

  15. On the Tunnel Endpoint page, make sure This Rule Does Not Specify A Tunnel is selected and click Next.

  16. On the Network Type page, make sure Local Area Network (LAN) is selected and click Next.

  17. In the IP Filter List page, click the Add button. The IP Filter List dialog box will appear.

  18. Give the filter list a name (preferably one that indicates which protocols you're filtering), add a useful description, then click the Add button.

  19. Click Next to start the IP Filter Wizard.

  20. Give the filter a description (such as "FE-to-BE traffic") and click Next.

  21. On the IP Traffic Source page, make sure My IP Address is selected in the Source address field, and click Next.

  22. On the IP Traffic Destination page, specify the back-end server by IP address or DNS name, and click Next.

  23. On the IP Protocol Type page, select TCP and click Next.

  24. On the IP Protocol Port page, select the From any port and To this port radio buttons; specify port 80 as the destination port and click Next.

  25. Click Finish.

  26. Repeat steps 14-25 for POP (TCP port 110) and IMAP (TCP port 143) if you're using them.

  27. Click OK.

  28. In the IP Filter List dialog box, select the filter list you just created and click Next.

  29. Select Require Security and click Next.

  30. In the Authentication Method page, ensure that Active Directory default (Kerberos V5 protocol) is selected and click Next.

  31. Click Finish, click OK, and click OK again.

  32. In the MMC, verify that your new policy appears in the right pane.

  33. Right-click the new policy and use the Assign option to apply it.

To enable the corresponding IPsec policy on the back-end server, do the following:

  1. Log on to the back-end server with an account that has administrative privileges.

  2. Launch the Microsoft Management Console (mmc.exe).

  3. From the menu, select File → Add/Remove Snap-In. When the Add Standalone Snap-in dialog box appears, click the Add button.

  4. Select Group Policy Editor from the snap-in list and click the Add button.

  5. The Select Group Policy Object dialog box appears. Make sure the Group Policy Object field says Local Computer and click Finish.

  6. Click Close and click OK again.

  7. Expand the IPsec policy object, which will be under Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → IP Security Policies on Local Computer.

  8. Right-click Client (Respond Only) in the right MMC pane, then select the Assign option.

  9. Verify that the Policy Assigned column for Client (Respond Only) says Yes.

  10. Close the MMC.

Using a command-line interface

To apply IPsec policy to the front-end server, run the following commands:

> netsh ipsec static add policy "FE-to-BE"
> netsh ipsec static add filterlist "FE-to-BE"
> netsh ipsec static add filter filterlist="FE-to-BE" srcaddr=me dstaddr=<backEndIP> protocol=TCP mirrored=yes srcport=0 dstport=80
> netsh ipsec static add filter filterlist="FE-to-BE" srcaddr=me dstaddr=<backEndIP> protocol=TCP mirrored=yes srcport=0 dstport=110
> netsh ipsec static add filter filterlist="FE-to-BE" srcaddr=me dstaddr=<backEndIP> protocol=TCP mirrored=yes srcport=0 dstport=143
> netsh ipsec static add rule name="FE-to-BE" policy="FE-to-BE" filterlist="FE-to-BE" conntype="LAN" kerberos=yes filteraction="Require Security" activate=yes

Discussion

Deploying IPsec is fairly complex and one recipe can't really do it justice. The important point for deploying IPsec between front- and back-end Exchange servers is that you must specify which types of traffic you want to protect:

  • If you just want to protect POP and IMAP credentials, you can protect TCP port 110 (for POP) and TCP port 143 (for IMAP) between the front- and back-end servers. For this to be meaningful, you should also disable unencrypted POP and IMAP access to the front-end; there's relatively little value in securing the credentials on your network if they're not secured when passing across the Internet.

  • If you want to protect message traffic as it travels back and forth, you need to protect TCP port 80 (since the front-end proxies all WebDAV, IMAP, and POP requests to the back-end onto that port), as well as the POP and IMAP ports (which are used to send data back to the clients).

  • To protect all traffic between the FE and BE, you'll need to build a much more complex set of filters that include SMTP (TCP 25), DNS (TCP and UDP 53), LDAP (TCP 389 for ordinary LDAP, plus TCP 3268 for LDAP communications with the GC), Kerberos, and RPC traffic.

IPsec policies are stored in a local policy database, so you can apply them to individual machines (as we do in this recipe). The local policy database can be linked to, and automatically refreshed from, a group policy object (GPO), so you can define IPsec policies at the site or domain level, or link them to OUs. This approach is valuable if your Exchange servers are in their own domains or OUs or are using group filtering on Windows 2003 DCs. If not, running scripts like the one shown in the command-line solution (or using the policy import and export features of netsh) is probably the fastest way to get IPsec protection in place on your servers.
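As an added example (not the cookbook's own code), the following PowerShell script generates the same netsh ipsec static commands as the command-line solution for whichever of the three protection tiers from the Discussion you pick, assigns the policy, and then checks the result. It assumes Windows Server 2003 netsh syntax and the default "Require Security" filter action; <backEndIP> is a placeholder, and the Kerberos port (88) and RPC endpoint mapper port (135) come from general knowledge, not from this page.

```powershell
# Added example, not from the cookbook: builds the front-end's FE-to-BE policy with the
# same netsh ipsec static commands as the recipe, for one of the three protection tiers
# described in the Discussion. Assumes Windows Server 2003 netsh syntax; <backEndIP> is
# a placeholder for the back-end server's address.
param(
    [string]$BackEnd = "<backEndIP>",                 # placeholder: back-end IP or DNS name
    [ValidateSet("credentials", "messages", "all")]
    [string]$Tier = "messages",
    [switch]$DryRun                                   # print the commands instead of running them
)
$name = "FE-to-BE"

# Protocol/port pairs per tier, taken from the Discussion. The "all" tier adds Kerberos on
# TCP/UDP 88 (port assumed here; the page names only the protocol) and the RPC endpoint
# mapper on TCP 135. RPC then negotiates dynamic ports that these static filters do not
# cover, so "all" still leaves RPC data traffic unprotected unless you add a catch-all filter.
$ports = @{
    credentials = @(@("TCP", 110), @("TCP", 143))
    messages    = @(@("TCP", 80), @("TCP", 110), @("TCP", 143))
}
$ports.all = $ports.messages + @(@("TCP", 25), @("TCP", 53), @("UDP", 53), @("TCP", 389),
                                 @("TCP", 3268), @("TCP", 88), @("UDP", 88), @("TCP", 135))

$calls = @()
$calls += , @("static", "add", "policy", "name=$name")
$calls += , @("static", "add", "filterlist", "name=$name")
foreach ($p in $ports[$Tier]) {
    $calls += , @("static", "add", "filter", "filterlist=$name", "srcaddr=me", "dstaddr=$BackEnd",
                  "protocol=$($p[0])", "mirrored=yes", "srcport=0", "dstport=$($p[1])")
}
$calls += , @("static", "add", "rule", "name=$name", "policy=$name", "filterlist=$name",
              "conntype=LAN", "kerberos=yes", "filteraction=Require Security", "activate=yes")
$calls += , @("static", "set", "policy", "name=$name", "assign=y")   # same as Assign in the MMC

foreach ($a in $calls) {
    if ($DryRun) { "netsh ipsec $($a -join ' ')" } else { & netsh ipsec @a }
}

if (-not $DryRun) {
    # Check: the policy shows as assigned, and once traffic has flowed to the back-end a
    # main-mode SA for its address appears (an empty list means IKE never negotiated).
    & netsh ipsec static show policy name=$name level=verbose
    & netsh ipsec dynamic show mmsas all
    # Export the policy for reuse on other front-ends (the import/export route mentioned above).
    & netsh ipsec static exportpolicy file="$name.ipsec"
}
```

Run with -DryRun first to review the generated commands; the back-end still needs Client (Respond Only) assigned as in the GUI procedure, or IKE negotiation will fail and the Require Security action will block the filtered traffic.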

See Also

Recipe 10.4 for setting IPsec between a front-end and a clustered back-end, Chapters 11 and 14 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press) for more on IPsec setup and administration, MS KB 253169 (Traffic That Can and Cannot Be Secured by IPsec), MS KB 254949 (Client-to-Domain Controller and Domain Controller-to-Domain Controller IPSec support), the TechNet "Step-by-Step Guide to Internet Protocol Security" for Windows 2000:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ispstep.mspx

and the "Deploying IPSec" chapter of the Deploying Network Services Guide of the Windows Server 2003 Deployment Kit:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbj_ips_overview.asp

Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235