02-17-2010 08:12 AM
This is something we had enabled when we were using a Symantec SGS firewall, but had to disable it when we went to the PA-2050. I haven't had much time to play with it, but I need to get it working again. Under the local Group Policy of each server, we have a Secure Terminal Services IPSec policy that requires security when attempted a connection over TCP port 3389.
When we moved to the PA-2050, I had to disable this IPSec Policy on the DMZ Servers. No matter what I did, I wasn't able to see the IPSec traffic in the PAN logs. Even adding the IPSec applications made no difference in the connection, nor did creating a completely open rule from my desktop to one of the servers.
Is there anything that I am missing here, or is this not feasible anymore?
02-17-2010 10:10 AM
This should work with no problem, so you might want to work with Support so they can help troubleshoot.
I have seen instances in the past where I had included an incorrect IPSEC application (it turned out to be Cisco VPN instead of generic IPSEC) and that caused the traffic to fail even when switching to an open policy. The reason is because the firewall cached the IKE session initiation but it was later determined to be the incorrect IKE type. All I had to do was to clear the session from the session table and the next IPSEC connection was correctly identified and allowed through. You can clear all sessions or selectively clear sessions from the CLI.
Cheers,
Kelly
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
