UWSADS Campus IPsec and Trust

The purpose of this document is to provide a high-level, step-by-step guide to establishing an IPsec tunnel and one-way forest trust with uwsads.wisconsin.edu.

Prerequisites:

Complete the following steps so a trust can be established.

  • Campus administrators have been in contact with UWSADS administrators to schedule collaboration of resources.
  • Campus administrators have administrative rights to establish a trust in their environment.
    • At a minimum, the firewall must be enabled to allow all inbound and outbound traffic.
    • Connection Profiles will not function if profiles (Public/Private/Domain) are set to disabled.
  • Appropriate firewall rules (at this time, IPsec ports) have been allowed through both host-based and physical firewalls to:
    • uwsadsdc-prd-01.uwsads.wisconsin.edu - 144.92.104.76
    • uwsadsdc-prd-02.uwsads.wisconsin.edu - 144.92.104.77
  • The trust NetBIOS names are unique. A full list of existing trust NetBIOS names can be found on the UWSADS KB site: UW System Active Directory Services Knowledge Base

IPsec Configuration:

We recommend configuring a GPO for your IPsec rules as opposed to modifying each individual host. The steps below can be extrapolated for both a local security policy, and a group policy object.

Using PowerShell:

  1. Create the group policy object and link it to the Domain Controllers OU.
    -> $gpo = New-GPO -Name 'Domain Controllers - IPsec for UWSADS' -Comment 'IPsec settings for UWSADS trust'
    -> $gpo | New-GPLink -Target "ou=domain controllers,dc=contoso,dc=com" -LinkEnabled Yes
  2. Create the connection security rule.
    -> $gponame = 'contoso.com\Domain Controllers - IPsec for UWSADS'
    -> $proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey 'som3 10ng PreSharedKey'  # key coordinated with UWSADS administrators
    -> $ipsecauth = New-NetIPsecPhase1AuthSet -DisplayName 'UWSADS IPsec PSK' -Proposal $proposal -PolicyStore GPO:$gponame
    -> $uwsadsips = @('144.92.104.76', '144.92.104.77')  # UWSADS domain controllers (see prerequisites)
    -> $campusips = @('192.168.1.1', '172.16.1.1')  # replace with your campus domain controller addresses
    -> New-NetIPsecRule -DisplayName 'UWSADS <-> CAMPUS' -RemoteAddress $uwsadsips -LocalAddress $campusips -Phase1AuthSet $ipsecauth.InstanceID -InboundSecurity Require -OutboundSecurity Require -PolicyStore GPO:$gponame

Using gpmc.msc:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security

  1. Right click "Connection Security Rules" and select "New Rule..."
  2. Under "Rule Type", select "Server-to-server"
  3. Click "Next"
  4. Under "Endpoints":
    1. Endpoint 1 contains the IP addresses of your local campus domain controllers - please share these addresses/friendly names with UWSADS administrators.
    2. Endpoint 2 contains the IP addresses of the uwsads.wisconsin.edu domain controllers. The current addresses/FQDNs are specified in the prerequisites of this document.
  5. Click "Next"
  6. Under "Requirements", select the third radio button, "Require authentication for inbound and outbound connections".
  7. Click "Next"
  8. Under "Authentication Method", select "Advanced", and then click "Customize..."
    Note: We will be using a pre-shared key which will require coordination between campus administrators and UWSADS administrators.
  9. Click "Next"
  10. Select all profiles you wish to configure the rule for.
  11. Click "Next"
  12. Under "Name", enter a descriptive name of the connection profile, e.g. "CAMPUS <-> UWSADS"
  13. Click "Finish"
  14. Ensure the policy is in place on your domain controllers.
    1. wf.msc -> Connection Security Rules
    2. wf.msc -> Monitoring -> Connection Security Rules
At this point, there should be ICMP communication between the campus domain controllers and UWSADS.
  1. This is testable by using ping tests from host to host.
  2. Connection statistics can be monitored in wf.msc -> Monitoring -> Security Associations -> Main Mode
  3. An initial troubleshooting task if there is no connectivity would be to restart the Windows Firewall service, or restart the host.
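
The checks in steps 14 and 1-2 above can also be scripted. The following is an added example, not part of the original guide: the function name Test-UwsadsIpsec is hypothetical, and the rule name and addresses are the ones used earlier in this document. It only reads state and assumes an elevated session on a campus domain controller.

```powershell
function Test-UwsadsIpsec {   # hypothetical helper name, not a built-in cmdlet
    param(
        [string[]]$RemoteIps = @('144.92.104.76', '144.92.104.77'),  # UWSADS DCs (prerequisites)
        [string]$RuleName    = 'UWSADS <-> CAMPUS'                   # display name from the PowerShell steps
    )

    # Prerequisite: the rule does not function on a firewall profile that is disabled.
    $off = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Where-Object { "$($_.Enabled)" -ne 'True' }
    if ($off) { Write-Warning "Disabled firewall profile(s): $($off.Name -join ', ')" }

    # The GPO-delivered rule must be present in the active store and
    # require authentication in both directions.
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -DisplayName $RuleName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "Rule '$RuleName' is not active; run 'gpupdate /force' and check the GPO link."
    }
    foreach ($r in $rules) {
        if ("$($r.InboundSecurity)" -ne 'Require' -or "$($r.OutboundSecurity)" -ne 'Require') {
            Write-Warning "Rule '$RuleName' does not require authentication for inbound and outbound."
        }
    }

    foreach ($ip in $RemoteIps) {
        # Ping first so that a negotiation is attempted, then look for the
        # Main Mode security association to that peer.
        $ping = Test-Connection -ComputerName $ip -Count 2 -Quiet
        $sa   = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
                  Where-Object { $_.RemoteEndpoint -eq $ip })
        [pscustomobject]@{
            RemoteAddress = $ip
            PingReply     = $ping
            MainModeSA    = ($sa.Count -gt 0)
        }
    }
}

Test-UwsadsIpsec | Format-Table -AutoSize
```

A row with PingReply False and MainModeSA False usually points at the pre-shared key, the firewall ports from the prerequisites, or a policy that has not yet applied.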

DNS Configuration

We will be configuring a conditional forwarder in both the local campus domain and the UWSADS domain. This allows the resolution of DNS entries that may not be public to the internet.

Using PowerShell:

-> Add-DnsServerConditionalForwarderZone -Name "uwsads.wisconsin.edu" -ReplicationScope "Forest" -MasterServers 144.92.104.76,144.92.104.77

Using the DNS Management console:
  1. Open the DNS management console and connect to an authoritative DNS server.
  2. Right click "Conditional Forwarders"
  3. Select "New Conditional Forwarder"
  4. The "DNS Domain" is "uwsads.wisconsin.edu".
  5. "IP Addresses" are the UWSADS IP addresses specified in the prerequisites of this document.
  6. Select the option to "Store this conditional forwarder and replicate to all DNS servers in this forest"
  7. Click "Ok"
  8. Test DNS resolution of the FQDNs of the UWSADS domain controllers by using "nslookup uwsads.wisconsin.edu".
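
The IPsec rule above matches on IP address, so the names that the forwarder resolves should map to exactly the addresses the rule covers. The following is an added example, not part of the original guide: the function name Test-UwsadsDns is hypothetical, the names and addresses come from the prerequisites, and it assumes it is run on a campus DNS server with the DnsServer module available.

```powershell
function Test-UwsadsDns {   # hypothetical helper name, not a built-in cmdlet
    param([string]$Zone = 'uwsads.wisconsin.edu')

    # FQDN -> address pairs from the prerequisites of this document.
    $expected = [ordered]@{
        'uwsadsdc-prd-01.uwsads.wisconsin.edu' = '144.92.104.76'
        'uwsadsdc-prd-02.uwsads.wisconsin.edu' = '144.92.104.77'
    }
    $expectedIps = @($expected.Values)

    # The conditional forwarder must exist and point only at the UWSADS DCs.
    $fwd = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
    if (-not $fwd -or "$($fwd.ZoneType)" -ne 'Forwarder') {
        Write-Warning "No conditional forwarder found for $Zone."
    } else {
        $masters = @($fwd.MasterServers | ForEach-Object { $_.ToString() })
        $extra   = @($masters | Where-Object { $_ -notin $expectedIps })
        if ($extra.Count -gt 0) {
            Write-Warning "Unexpected forwarder target(s): $($extra -join ', ')"
        }
    }

    # Resolve each DC name through the local DNS server and compare the
    # answer with the address the IPsec rule was written for.
    foreach ($name in @($expected.Keys)) {
        $want    = $expected[$name]
        $answers = @(Resolve-DnsName -Name $name -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } |
                     ForEach-Object { $_.IPAddress })
        $wrong   = @($answers | Where-Object { $_ -ne $want })
        [pscustomobject]@{
            Name     = $name
            Expected = $want
            Resolved = $answers -join ', '
            Match    = ($answers.Count -gt 0) -and ($wrong.Count -eq 0)
        }
    }
}

Test-UwsadsDns | Format-Table -AutoSize
```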

Establish a one-way trust:

  1. With appropriate administrative credentials, open "Active Directory Domains and Trusts"
  2. Right click on the domain name and select "Properties"
  3. Click "New Trust..."
  4. Click "Next"
  5. Enter "uwsads.wisconsin.edu"
  6. Select "Forest Trust".
  7. Select "One-way incoming" (or outgoing if doing this from the UWSADS domain)
    Note: If working with a UWSADS administrator, there is the potential to establish the trust on both sides from either a campus domain controller, or UWSADS domain controller.
  8. Click "Next"
  9. Select "Forest-wide authentication".