ipsec & SMS (Full Version)






thibbard -> ipsec & SMS (5/9/2008 1:15:40 PM)

If I wish to use Internet Protocol Security (IPSEC) to encrypt communications between site systems and the Site Server, where does that get enabled?  Not sure how to check on this.
Thanks




bmason505 -> RE: ipsec & SMS (5/9/2008 3:39:00 PM)

You can sign and/or encrypt SMS traffic by checking the appropriate box(es) in the site systems settings (site server\advanced tab).  There is no undo to this setting, so test in the lab first if you can.




dkumar976 -> RE: ipsec & SMS (5/11/2008 4:42:22 PM)

Site servers and site systems communicate using SQL and SMB. In addition, SCCM 2007 branch DPs use BITS/HTTP. You can use IPSEC local policy (SECPOL.MSC) or Group Policy to secure all three protocols.

Once you get it working, this would be a great topic for a myITforum article.




mserafine -> RE: ipsec & SMS (5/11/2008 11:09:48 PM)

Establishing IPSec tunnels for the site servers is all done outside of SMS, so there really isn't anything that needs to be done differently from the usual process of setting one up.

If there's a firewall between the two endpoints, you'll want to make sure that TCP ports 50 and 51, as well as UDP 500 are open. TCP 50 is for Encapsulating Security Protocol (ESP) traffic. TCP 51 is for Authentication Header (AH) traffic. And UDP 500 is for Internet Key Exchange (IKE) negotiation traffic.

When you only have a handful of servers that you need to tunnel, you can get away with using local IPSec policies w/o things getting too much of a hassle to administer. Otherwise, centralize the tunnel configurations within a group policy.

For authentication, the securest method is using certificates, but if you don't have a PKI infrastructure, use Kerberos. Using preshared keys for authentication isn't recommended because the key value is stored in plain text within the IPSec policy, and anyone with sufficient privileges or a system service with Local System user rights can read it.
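
The local-policy approach described in the replies above, written as a `netsh ipsec static` script. This is an added example, not part of any poster's message: the addresses are documentation placeholders, the policy, filter list and filter action names are made up, and the ports (1433 for SQL, 445 for SMB, 80 for BITS/HTTP) are assumed product defaults. It uses Kerberos authentication and leaves the policy unassigned until it has been reviewed.

```batch
@echo off
rem Added example, not from the thread. Run on each of the two servers.
rem Assumptions: placeholder addresses, default ports, made-up object names.
set SITESERVER=192.0.2.10
set SITESYSTEM=192.0.2.20
set POLICY=SMS-IPsec
set FLIST=SMS-Traffic
set FACTION=SMS-RequireESP

rem 1. Create the policy unassigned, so nothing changes on the wire yet.
netsh ipsec static add policy name="%POLICY%" description="ESP between SMS site server and site system" assign=no

rem 2. One filter list for the three protocols named in the thread.
rem    Filters are scoped to the two hosts only, so traffic to domain
rem    controllers (needed for Kerberos) is not matched by this policy.
netsh ipsec static add filterlist name="%FLIST%"
rem    SQL: site system to site server (assumes SQL runs on the site server)
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%SITESYSTEM% dstaddr=%SITESERVER% protocol=TCP srcport=0 dstport=1433 mirrored=yes description="SQL"
rem    SMB: either side may open the connection, so add both directions
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%SITESYSTEM% dstaddr=%SITESERVER% protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB to site server"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%SITESERVER% dstaddr=%SITESYSTEM% protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB to site system"
rem    BITS/HTTP
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%SITESYSTEM% dstaddr=%SITESERVER% protocol=TCP srcport=0 dstport=80 mirrored=yes description="BITS/HTTP"

rem 3. Require negotiated ESP. soft=no means no fallback to clear text;
rem    inpass=no means unsecured inbound requests are not accepted.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Tie the filter list and action together, authenticating with Kerberos.
netsh ipsec static add rule name="SMS-Secure" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes

rem 5. Review the result. Assign only after the same policy exists on the
rem    other server, otherwise the matched traffic stops until it does.
netsh ipsec static show policy name="%POLICY%" level=verbose
rem netsh ipsec static set policy name="%POLICY%" assign=yes
```

Once both ends are assigned, `netsh ipsec dynamic show qmsas all` on either server lists the quick-mode security associations, which confirms the traffic is actually being negotiated.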




thibbard -> RE: ipsec & SMS (5/12/2008 9:57:22 AM)

Many thanks to both of you. 



