IAS and firewalls

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In the most common configuration, the firewall is connected to the Internet and the IAS server is another intranet resource that is connected to the perimeter network.

To reach the domain controller within the intranet, the IAS server might have:

  • An interface on the perimeter network and an interface on the intranet (IP routing is not enabled).

  • A single interface on the perimeter network. In this configuration, IAS communicates with intranet domain controllers through another firewall that connects the perimeter network to the intranet. This configuration is shown in the following drawing.

[Figure: Configuration of IAS and firewalls]

Configuring the Internet firewall

The firewall that is connected to the Internet must be configured with input and output filters on its Internet interface (and, optionally, its perimeter network interface), to allow the forwarding of RADIUS messages between the IAS server and RADIUS clients or proxies on the Internet. Additional filters can be used to allow the passing of traffic to Web servers, VPN servers, and other types of servers on the perimeter network.

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port that is used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, which is used in this example.

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port that is used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, which is used in this example.

  • (Optional) Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1645 (0x66D).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1646 (0x66E).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. This is the UDP port that is used by older RADIUS clients.

Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port that is used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, which is used in this example.

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port that is used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, which is used in this example.

  • (Optional) Source IP address of the IAS server's perimeter network interface and UDP source port of 1645 (0x66D).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Source IP address of the IAS server's perimeter network interface and UDP source port of 1646 (0x66E).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

Filters on the perimeter network interface

Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port that is used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, which is used in this example.

  • Source IP address of the IAS server's perimeter network interface and UDP source port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. This is the default UDP port that is used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, which is used in this example.

  • (Optional) Source IP address of the IAS server's perimeter network interface and UDP source port of 1645 (0x66D).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Source IP address of the IAS server's perimeter network interface and UDP source port of 1646 (0x66E).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. This is the UDP port that is used by older RADIUS clients.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port that is used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812, which is used in this example.

  • Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. This is the default UDP port that is used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813, which is used in this example.

  • (Optional) Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1645 (0x66D).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. This is the UDP port that is used by older RADIUS clients.

  • (Optional) Destination IP address of the IAS server's perimeter network interface and UDP destination port of 1646 (0x66E).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. This is the UDP port that is used by older RADIUS clients.

For added security, you can use the IP addresses of each RADIUS client that sends the packets through the firewall to define specific filters for traffic between the client and the IP address of the IAS server on the perimeter network.
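The following added example (not part of the original documentation, and not tied to any firewall product) models the four filter lists of the Internet firewall as stateless UDP filters with a default action of drop, and checks constructed packets against them, including the per-client restriction described above. The IAS address 192.0.2.10, the client 198.51.100.7, and all function and class names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IAS = "192.0.2.10"                      # constructed: IAS perimeter interface
PORTS, LEGACY = (1812, 1813), (1645, 1646)
# Filter lists a packet must pass, in order, for each direction of travel.
TO_IAS = (("internet", "in"), ("perimeter", "out"))
FROM_IAS = (("perimeter", "in"), ("internet", "out"))

@dataclass(frozen=True)
class Filter:
    src: str                            # source network (CIDR)
    dst: str                            # destination network (CIDR)
    sport: Optional[int] = None         # None = any UDP source port
    dport: Optional[int] = None         # None = any UDP destination port

    def matches(self, src, sport, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

def build_policy(clients=("0.0.0.0/0",), legacy=False):
    """Four filter lists of the Internet firewall; unmatched traffic is dropped."""
    ports = PORTS + (LEGACY if legacy else ())
    to_ias = [Filter(c, IAS + "/32", dport=p) for c in clients for p in ports]
    from_ias = [Filter(IAS + "/32", c, sport=p) for c in clients for p in ports]
    return {TO_IAS[0]: to_ias, TO_IAS[1]: to_ias,
            FROM_IAS[0]: from_ias, FROM_IAS[1]: from_ias}

def forwarded(policy, path, src, sport, dst, dport):
    """A UDP packet crosses only if every filter list on its path allows it."""
    return all(any(f.matches(src, sport, dst, dport) for f in policy[hop])
               for hop in path)

if __name__ == "__main__":
    strict = build_policy(clients=("198.51.100.7/32",))   # constructed client
    for label, path, pkt in [
        ("known client auth", TO_IAS, ("198.51.100.7", 40000, IAS, 1812)),
        ("unknown source", TO_IAS, ("203.0.113.50", 40000, IAS, 1812)),
        ("legacy port", TO_IAS, ("198.51.100.7", 40000, IAS, 1645)),
        ("IAS reply", FROM_IAS, (IAS, 1812, "198.51.100.7", 40000)),
        ("IAS non-RADIUS", FROM_IAS, (IAS, 53, "198.51.100.7", 40000)),
    ]:
        print(f"{label:18} {'allow' if forwarded(strict, path, *pkt) else 'drop'}")
```

With the default `clients=("0.0.0.0/0",)` the policy matches the port-only filters listed earlier, which accept RADIUS packets from any Internet source; passing the known client addresses narrows both directions to those peers.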

Configuring the intranet firewall

The firewall that is connected to the intranet must be configured with input and output filters on its perimeter network interface (and, optionally, its intranet interface), to allow the forwarding of RADIUS messages between the IAS server on the perimeter network and domain controllers in the intranet. Additional filters can allow the passing of traffic to Web, VPN, and other types of servers on the perimeter network.

Separate input and output packet filters can be configured on the perimeter network interface and the intranet interface.

Filters on the perimeter network interface

Configure the following input packet filters on the perimeter network interface of the intranet firewall to allow the following types of traffic:

  • Source IP address of the IAS server's perimeter network interface.

    This filter allows traffic from the IAS server on the perimeter network.

Configure the following output filters on the perimeter network interface of the intranet firewall to allow the following types of traffic:

  • Destination IP address of the IAS server's perimeter network interface.

    This filter allows traffic to the IAS server on the perimeter network.

Filters on the intranet interface

Configure the following input filters on the intranet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the IAS server's perimeter network interface.

    This filter allows traffic to the IAS server on the perimeter network.

Configure the following output packet filters on the intranet interface of the firewall to allow the following types of traffic:

  • Source IP address of the IAS server's perimeter network interface.

    This filter allows traffic from the IAS server on the perimeter network.