Hi
I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to machines with internal certificates only.
I have the following infrastructure setup:
ISA 2006 SP1 - Server 2003 R2 / SP2
-Allows UDP 4500/500 and TCP 443
-Hosted on VMWare ESXi 5
Test laptop - Windows 7
The external firewall static-NATs a public IP to the ISA server and allows the following:
UDP 4500/500
Protocol 50/51
IPSEC policy configured on the ISA server:
-IP Filter List = DMZ IP of ISA server, source port any, destination port 443
-Filter Action = Negotiate Security, Integrity Only
-Authentication Methods = Certificate Authority, internal enterprise CA selected
IPSEC policy configured on the Windows 7 Test Laptop:
-IP Filter List = External (public) IP of ISA server, source port any, destination port 443
-Filter Action = Negotiate Security, Integrity Only
-Authentication Methods = Certificate Authority, internal enterprise CA selected
So far the following works:
I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server.
If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server. I note the following:
-HTTPS is denied with no rule (an allow rule is present)
-Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
-The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
-The event log shows main mode and quick mode as successful.
-The IPSEC monitor shows SAs for quick mode and main mode.
If I Google the error code, I gather it relates to the TCP checksum calculated by the ISA server disagreeing with the checksum actually received. I guess this is part of AH. I have tried the following:
-Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
-Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
-Disable the following in the ISA server registry and reboot:
RSS
SecurityFilters
TCPA
TCPChimney
-Disable Chimney Offload via Netsh command
-Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
-Switching to an E1000 NIC and disabling all offload options and rebooting
-Upgrading the E1000 drivers from the base version (2002 driver) to Intel's later version (2008), rebooting and disabling all offload options.
-Run a wireshark trace - cannot see anything useful
-Checked the Oakley log - cannot see anything useful
I still cannot get the 443 traffic to connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error, and I have run out of Google articles.
I would really appreciate any suggestions.
Many Thanks
Steven
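The post treats the TCP checksum mismatch as a black box. The following is an added illustration, not code from the poster or from ISA/Windows, of the one property that makes a "bad TCP checksum" verdict sensitive to NAT and to checksum offload: the TCP checksum is computed over a pseudo-header that contains the source and destination IP addresses. A NAT that can see the TCP header rewrites the checksum along with the address; a NAT that cannot reach the header (because it sits inside an encapsulated payload the NAT must not modify, which is why RFC 3948 describes a receiver-side checksum fix-up for UDP-encapsulated transport-mode ESP) leaves the original value in place, and a receiver that verifies against the translated addresses sees a mismatch. The addresses and ports are constructed (RFC 5737 documentation and private ranges), not the poster's real infrastructure, and the `offload_placeholder` helper models the generic NDIS checksum-offload convention (the stack writes the pseudo-header sum into the field and the NIC completes it), which is why a capture on a sending host with offload enabled shows "incorrect" checksums:

```python
"""Pseudo-header dependence of the TCP checksum (RFC 793 / RFC 1071).

Added example for the thread above; not code from the original post.
All addresses and ports are constructed for illustration.
"""
import struct
import ipaddress

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length.

    This is the part of the checksum input that address translation changes.
    """
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Final checksum over pseudo-header + segment (checksum field zeroed)."""
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return (~ones_complement_sum(data)) & 0xFFFF


def offload_placeholder(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Value a checksum-offloading stack leaves in the field for the NIC.

    Generic offload convention (assumption for illustration): the host writes
    only the pseudo-header sum; the NIC finishes the calculation on the wire.
    A capture taken on that host therefore shows a checksum that will not verify.
    """
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)))


def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
                  seq: int = 0x1000) -> bytes:
    """20-byte TCP SYN header with a correct checksum for the given addresses."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         5 << 4, 0x02, 8192, 0, 0)   # offset 5, SYN, win 8192
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A receiver's check: sum of pseudo-header + segment must be all ones."""
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(data) == 0xFFFF


def demo() -> dict:
    """Constructed scenario: client -> public address, static NAT -> DMZ address."""
    client, public, dmz = "192.168.1.10", "203.0.113.5", "10.0.0.5"
    seg = build_tcp_syn(client, public, 49152, 443)
    placeholder = seg[:16] + struct.pack("!H", offload_placeholder(client, public, seg)) + seg[18:]
    return {
        # Verified against the addresses the sender used: passes.
        "as_sent": verify_tcp_checksum(client, public, seg),
        # Destination translated but the TCP header left untouched: fails.
        "after_nat_untouched": verify_tcp_checksum(client, dmz, seg),
        # Checksum recomputed over the translated pseudo-header: passes again.
        "after_nat_fixed_up": verify_tcp_checksum(client, dmz, build_tcp_syn(client, dmz, 49152, 443)),
        # Offload placeholder captured before the NIC completed it: fails.
        "offload_placeholder_on_host": verify_tcp_checksum(client, public, placeholder),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'OK' if ok else 'BAD CHECKSUM'}")
```

The two failing cases are the ones a firewall that validates TCP checksums after decapsulation, or a packet capture taken on an offloading host, will report: in neither case is the segment corrupt on the wire, the verifier is simply not looking at the same pseudo-header the sender used.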