# Active Directory Replication over Firewalls



## neilrudd (Aug 18, 2006)

We're trying to enable Active Directory replication between 2 sites divided by 2 separate firewalls using NAT.

*The Setup*

```
Private: 192.168.255.#
Public:  62.49.#.#
Domain Controller (Windows 2003)
|
|
|
3Com OfficeConnect VPN firewall (3CR870-95)
1-to-1 NAT Enabled
|
|
[Internet]
|
|
Cisco PIX 515E
1-to-1 NAT Enabled
|
|
|
Private: 192.168.84.#
Public:  212.78.#.#
Domain Controller (Windows 2003)
```

*The Question*

Can we utilise IPSec for Active Directory replication (using Kerberos for authentication)? If yes, could someone point me in the direction of documentation that explains how to achieve this, or provide some pointers? I've followed several Microsoft articles, including the well-written one by Steve Riley (Active Directory Replication over Firewalls), but so far I've been unable to get replication working. When doing a ping it continuously responds with "Negotiating IP security". When setting up the IPSec IP filter, do I specify the private IP address of the destination server or the public IP address?

Additionally, I believe the NAT may be the problem, but NAT-T fixes this; does anybody know if the firewalls we're utilising use NAT-T?

Thanks in advance


----------



## Chevy (Jul 25, 2003)

I would consider upgrading the Cisco to a model that supports VPN, and then establish a VPN between the two sites.


----------



## bilbus (Aug 29, 2006)

VPN is the way to go... you don't want to move AD over the internet in clear text. VERY bad idea.

You can use a WatchGuard X5 or X15 to link the two offices.


----------



## neilrudd (Aug 18, 2006)

Thanks bilbus and Chevy, I've managed to resolve this last week by adopting the firewall-to-firewall approach using an IPSec tunnel. Seems to work very well with the additional benefit now that all Remote Desktop sessions are secure.


----------



## bilbus (Aug 29, 2006)

Just so you know, RDP is encrypted unless you tell it not to be.


----------



## neilrudd (Aug 18, 2006)

bilbus said:


> Just so you know, RDP is encrypted unless you tell it not to be.


Thanks Bilbus, I thought I heard it mentioned somewhere that RDP wasn't encrypted. This comes as good news, as I use RDP for other servers without any VPN tunnels.


----------



## bilbus (Aug 29, 2006)

If you go to TS Config Manager, General tab.

You will have security options; you can change security layer and encryption level. Client Compatible is the default, but you can put it on High. But an extra tunnel will give you even better.

But basically, as long as there is something it's good enough, unless you are dealing with a gov agency that wants to read your data or has the power to break it.


----------



## Cellus (Aug 31, 2006)

bilbus said:


> If you go to TS Config Manager, General tab.
> 
> You will have security options; you can change security layer and encryption level. Client Compatible is the default, but you can put it on High. But an extra tunnel will give you even better.
> 
> But basically, as long as there is something it's good enough, unless you are dealing with a gov agency that wants to read your data or has the power to break it.


An encryption level of "High" uses RC4 128-bit encryption, which is more than good enough to protect communications. If you want to be truly anal, you can set it to "FIPS Compliant", which meets the Federal Information Processing Standard. However, some legacy clients may not be able to use FIPS Compliant encryption.


----------
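An added administrative check, not posted by anyone in this thread: a PowerShell script that reads the RDP-Tcp listener's encryption level and security layer (the registry values behind the Terminal Services Configuration dialog bilbus and Cellus describe) and provides a function to raise the level to High or FIPS Compliant. The function names are my own; the registry path and value meanings are Microsoft's documented ones.

```powershell
# Added example (not from the thread): audit and harden the RDP-Tcp listener.
# Run elevated on the server whose Remote Desktop settings you want to check.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Documented meanings of the MinEncryptionLevel and SecurityLayer DWORD values.
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High (128-bit RC4)'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

function Get-RdpEncryptionStatus {
    # Returns the current listener settings and whether they meet "High" or better.
    $props = Get-ItemProperty -Path $RdpKey -ErrorAction Stop
    $level = [int]$props.MinEncryptionLevel
    $layer = [int]$props.SecurityLayer
    [pscustomobject]@{
        EncryptionLevel = $EncryptionLevels[$level]
        SecurityLayer   = $SecurityLayers[$layer]
        MeetsHigh       = ($level -ge 3)
    }
}

function Set-RdpEncryptionHigh {
    # Raises the minimum encryption level to High (3) or, with -Fips, FIPS Compliant (4).
    # FIPS Compliant may lock out legacy clients, as Cellus notes above.
    param([switch]$Fips)
    $level = if ($Fips) { 4 } else { 3 }
    Set-ItemProperty -Path $RdpKey -Name 'MinEncryptionLevel' -Value $level -Type DWord
    # Prefer TLS for the security layer; use 1 (Negotiate) if older clients must still connect.
    Set-ItemProperty -Path $RdpKey -Name 'SecurityLayer' -Value 2 -Type DWord
    # New settings apply to new connections; restarting the Terminal Services
    # service (or the server) is the reliable way to make sure they take effect.
}

$status = Get-RdpEncryptionStatus
$status | Format-List
if (-not $status.MeetsHigh) {
    Write-Warning "RDP encryption level is '$($status.EncryptionLevel)'; run Set-RdpEncryptionHigh (optionally -Fips)."
}
```

A VPN tunnel between the sites, as the thread ends up recommending, still wraps RDP in a second layer regardless of this setting; this script only confirms the listener itself is not left at a weaker level.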

