Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How to Enable IPSec Traffic Through a Firewall
Article ID: 233256 - View products that this article applies to.
This article was previously published under Q233256
NoticeThis article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
IP Security (IPSec) is used to securely transmit data between computers. It is implemented at the Networking layer (Layer 3) of the Open Systems Interconnection (OSI) model. This provides protection for all IP and upper-layer protocols in the TCP/IP protocol suite. The primary benefit of securing information at Layer 3 is that all programs and services using IP for data transport can be protected.
IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:
It may be necessary to allow Kerberos traffic through the firewall, if so then UDP port 88 and TCP port 88 would also need to be forwarded. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/253169/EN-US/ )Traffic That Can--and Cannot--Be Secured by IPSec
(http://support.microsoft.com/kb/254949/ )IPSec support for client-to-domain controller traffic and domain controller-to-domain controller traffic
(http://support.microsoft.com/kb/254728/EN-US/ )IPSec Does Not Secure Kerberos Traffic Between Domain Controllers