
Creating an IPSEC connection between a server and workstation


Hello,

I have a connection between a Windows 7 workstation and a Windows Server 2008 R2 server that I need to encrypt.  I would like to simply use the IPSec feature of WFAS to do this.

The workstation and server are not on the same domain, and there is a Cisco hardware firewall between them performing NAT.

I have set up the IPSec connection policy using a preplaced key (at this time - I am looking into certificates for later).  I have set up the data protection to use ESP encryption per this article: http://technet.microsoft.com/en-us/library/cc947839%28v=ws.10%29.aspx.  On both the workstation and server, I am using a "public" connection and the "public" WFAS profile.  The WFAS does not contain any actual port protection rules at this time and is set to allow any connections that do not match a rule.

I can see the SA between these two endpoints with the correct settings in the WFAS connection monitor, and using Wireshark and the hardware firewall, I can verify that ISAKMP and keep-alive messages are being exchanged via ports 500 and 4500 (IPSec IKE and NAT traversal).

The problem I am having is that I can't seem to establish any other form of communication between the two machines when the firewall with the IPSec rules is active - I cannot ping between them, I cannot map a drive on the server from the workstation, I cannot initiate an FTP session.

Does anyone have experience using the Windows IPSec rules in this kind of setup?

