problem blocking external ip with ipsec, only local ips get blocked?


Les Caudle

I'm behind a MS Proxy 2 server with WSP Client Installed.

I created an ipsec filter that attempted to entirely block access to any ip from
my ip for a certain port.

It worked great, blocking all access to that port from inside my local
non-routable network.

However, that port is not blocked for ips outside of my network on the Internet.

I'm having trouble figuring this out.

I tried creating a blocking filter for the Proxy 2 server's external ip to any
ip (with the ipsec filter on my box) That didn't do the trick.

What am I missing? Why can't I create a filter that will entirely block a port?

I think this must have something to do with the Proxy Server and how it works?
 

Ace Fekay [MVP]

Les Caudle said:
I'm behind a MS Proxy 2 server with WSP Client Installed.

I created an ipsec filter that attempted to entirely block access to
any ip from my ip for a certain port.

It worked great, blocking all access to that port from inside my
local non-routable network.

However, that port is not blocked for ips outside of my network on
the Internet.

I'm having trouble figuring this out.

I tried creating a blocking filter for the Proxy 2 server's external
ip to any ip (with the ipsec filter on my box) That didn't do the
trick.

What am I missing? Why can't I create a filter that will entirely
block a port?

I think this must have something to do with the Proxy Server and how
it works?

I think you're better off posting this to the Proxy and ISA newsgroups for
better exposure.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 

Phillip Windell

Les,
I already answered this in the Proxy2 group, at least as best as I think it
can be answered anyway.
 

Steven L Umbach

Make sure the filter rule is mirrored. You can also try TCP/IP filtering to limit
what TCP ports [if any] are allowed through the adapter from the untrusted network. Do
not try implementing UDP port filtering with TCP/IP filtering, as your DNS name
resolution will fail. I would recommend a hardware firewall, however, that would work
for your server. A regular NAT router would not, but you can buy used Netscreen or
SonicWall firewall devices that will work great on eBay for cheap, cheap - less than
$200. --- Steve
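As an added illustration of Steve's "make sure the filter is mirrored" advice (this is not code from anyone in the thread), the following PowerShell session builds a local IPsec policy with the netsh ipsec static context available on Windows XP/2003-era hosts. The policy, filter-list, filter-action and rule names, and the port number 1234, are placeholders I chose; replace them with your own. A mirrored filter matches both the outbound packet (me to any, destination port) and the inbound reply, which is what a one-direction filter misses. One caveat a practitioner should keep in mind: a Winsock Proxy client redirects outbound Winsock connections to the proxy server's internal address rather than sending packets to the external IP, so a host-local filter keyed on the original destination port may never see that traffic; filtering on the proxy host or an upstream firewall, as the other replies suggest, is the reliable place to enforce the block.

```powershell
# Added example: block TCP port 1234 from this host to any address, mirrored.
# Run from an elevated prompt on a host whose "IPSEC Services" (PolicyAgent) is running.
$Port       = 1234                 # placeholder port; substitute the port you want blocked
$PolicyName = "BlockPort-Policy"   # placeholder names below are mine, not a product default
$ListName   = "BlockPort-Filters"
$ActionName = "BlockPort-Action"
$RuleName   = "BlockPort-Rule"

# 1. The IPsec policy engine must be running or an assigned policy does nothing.
sc.exe query PolicyAgent

# 2. Create the policy container (not yet assigned, so nothing is enforced yet).
netsh ipsec static add policy name=$PolicyName description="Block TCP $Port to any host"

# 3. Filter list with ONE mirrored filter: Me -> Any, TCP, any source port, dst port $Port.
#    mirrored=yes also installs the reverse match (Any -> Me, src port $Port),
#    which is the part a hand-built single-direction filter usually lacks.
netsh ipsec static add filterlist name=$ListName
netsh ipsec static add filter filterlist=$ListName srcaddr=Me dstaddr=Any `
    protocol=TCP srcport=0 dstport=$Port mirrored=yes

# 4. A filter action that drops matching traffic (no negotiation, just block).
netsh ipsec static add filteraction name=$ActionName action=block

# 5. Tie list and action together inside the policy, then assign it to activate.
netsh ipsec static add rule name=$RuleName policy=$PolicyName `
    filterlist=$ListName filteraction=$ActionName
netsh ipsec static set policy name=$PolicyName assign=y

# 6. Verify: the assigned policy, its filter list, and the effective (mirrored) filters.
netsh ipsec static show policy name=$PolicyName level=verbose
netsh ipsec static show filterlist name=$ListName level=verbose

# To back the change out later:
#   netsh ipsec static set policy name=$PolicyName assign=n
#   netsh ipsec static delete policy name=$PolicyName
```

Check the "show filterlist" output for two entries per filter you added (the original and its mirror); if only one appears, the filter was created without mirroring and the reply direction is unfiltered. Running the block a second time will fail on the "add" steps because the objects already exist, so delete the policy first when re-testing.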
 
