ipsec & SMS

 
ipsec & SMS - 5/9/2008 1:15:40 PM   
thibbard


Posts: 28
Score: 0
Joined: 8/22/2001
Status: offline
If I wish to use Internet Protocol Security (IPSEC) to encrypt communications between site systems and the Site Server, where does that get enabled?  Not sure how to check on this.
Thanks
Post #: 1
RE: ipsec & SMS - 5/9/2008 3:39:00 PM   
bmason505

 

Posts: 1947
Score: 100
Joined: 1/23/2003
From: Minneapolis, MN
Status: offline
You can sign and/or encrypt SMS traffic by checking the appropriate box(es) in the site systems settings (site server\advanced tab). There is no undo to this setting, so test in the lab 1st if you can.

_____________________________

Brian Mason
MCSA\MCSE\MS MVP - SCCM
Wells Fargo
http://www.miscusergroup.org/

(in reply to thibbard)
Post #: 2
RE: ipsec & SMS - 5/11/2008 4:42:22 PM  1 votes
dkumar976

 

Posts: 4
Score: 2
Joined: 5/6/2008
Status: offline
Site servers and site systems communicate using SQL and SMB. In addition, SCCM 2007 branch DPs use BITS/HTTP. You can use IPSEC local policy (SECPOL.MSC) or Group Policy to secure all three protocols.

Once you get it working, this would be a great topic for a myITforum article.

_____________________________

Deepak Kumar,
Chief Technology Officer, Adaptiva,
http://www.adaptiva.com

(in reply to bmason505)
Post #: 3
RE: ipsec & SMS - 5/11/2008 11:09:48 PM   
mserafine

 

Posts: 1656
Score: 157
Joined: 4/7/2003
Status: offline
Establishing IPSec tunnels for the site servers is all done outside of SMS, so there really isn't anything that needs to be done differently from the usual process of setting one up.

If there's a firewall between the two endpoints, you'll want to make sure that TCP ports 50 and 51, as well as UDP 500 are open. TCP 50 is for Encapsulating Security Protocol (ESP) traffic. TCP 51 is for Authentication Header (AH) traffic. And UDP 500 is for Internet Key Exchange (IKE) negotiation traffic.

When you only have a handful of servers that you need to tunnel, you can get away with using local IPSec policies w/o things getting too much of a hassle to administer. Otherwise, centralize the tunnel configurations within a group policy.

For authentication, the securest method is using certificates, but if you don't have a PKI infrastructure, use Kerberos. Using preshared keys for authentication isn't recommended because the key value is stored in plain text within the IPSec policy, and anyone with sufficient privileges or a system service with Local System user rights can read it.

< Message edited by mserafine -- 5/11/2008 11:10:54 PM >


_____________________________

Mark Serafine | Microsoft Corporation

Management Technologies (SMS, MOM, System Center) Premier Field Engineer | Microsoft Premier Support

(in reply to dkumar976)
Post #: 4
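
The local-policy approach described in posts 3 and 4, as an added example that is not code from any poster in this thread: a PowerShell script that uses `netsh ipsec static` on one site system to build a local IPsec policy covering SMB, SQL and HTTP traffic to the Site Server, authenticated with Kerberos rather than a preshared key. The Site Server address, the policy, filter list and rule names, and the default ports (445, 1433, 80) are assumptions.

```powershell
# Added example; names, address and ports below are assumptions, not from the thread.
$SiteServer = '192.0.2.10'         # placeholder: IP address of the Site Server
$Policy     = 'SMS-Site-Traffic'   # hypothetical policy name
$Action     = 'SMS-Require-ESP'    # hypothetical filter action name

# The three protocols named in the thread, on their default TCP ports.
$Services = @(
    @{ Name = 'SMB';  Port = 445  },
    @{ Name = 'SQL';  Port = 1433 },
    @{ Name = 'HTTP'; Port = 80   }
)

function Invoke-IpsecStatic {
    param([string[]]$Arguments)
    # Each array element is passed to netsh as a separate argument.
    & netsh ipsec static $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($Arguments -join ' ') failed"
    }
}

# Create the policy unassigned so nothing changes until both ends are ready.
Invoke-IpsecStatic @('add', 'policy', "name=$Policy", 'assign=no')

# Negotiate ESP; refuse unsecured inbound traffic and unsecured fallback.
Invoke-IpsecStatic @('add', 'filteraction', "name=$Action", 'action=negotiate',
    'inpass=no', 'soft=no', 'qmsecmethods=ESP[3DES,SHA1]')

foreach ($svc in $Services) {
    $list = "SMS-$($svc.Name)"
    Invoke-IpsecStatic @('add', 'filterlist', "name=$list")
    # Connections this host opens to the service on the Site Server.
    Invoke-IpsecStatic @('add', 'filter', "filterlist=$list", 'srcaddr=Me',
        "dstaddr=$SiteServer", 'protocol=TCP', 'srcport=0',
        "dstport=$($svc.Port)", 'mirrored=yes')
    # Connections the Site Server opens to the same service on this host.
    Invoke-IpsecStatic @('add', 'filter', "filterlist=$list", 'srcaddr=Me',
        "dstaddr=$SiteServer", 'protocol=TCP', "srcport=$($svc.Port)",
        'dstport=0', 'mirrored=yes')
    # Kerberos authentication, so no preshared key is stored in the policy.
    Invoke-IpsecStatic @('add', 'rule', "name=${list}-rule", "policy=$Policy",
        "filterlist=$list", "filteraction=$Action", 'kerberos=yes')
}

# Review the result; assign later with: netsh ipsec static set policy name=<policy> assign=yes
Invoke-IpsecStatic @('show', 'policy', "name=$Policy", 'level=verbose')
```

The Site Server needs the matching policy with `dstaddr` set to the site system before either side is assigned; because `soft=no` disables unsecured fallback, assigning only one end stops these three protocols between the two hosts.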
RE: ipsec & SMS - 5/12/2008 9:57:22 AM   
thibbard


Posts: 28
Score: 0
Joined: 8/22/2001
Status: offline
Many thanks to both of you. 

(in reply to mserafine)
Post #: 5