If your network topology includes a back-end firewall between security servers and View Connection Server instances, you must configure certain protocols and ports on the firewall to support IPsec. Without proper configuration, data sent between a security server and View Connection Server instance will fail to pass through the firewall.

By default, IPsec rules govern the connections between security servers and View Connection Server instances. To support IPsec, the View Connection Server installer can configure Windows firewall rules on the Windows Server hosts where View servers are installed. For a back-end firewall, you must configure the rules yourself.

Note

It is highly recommended that you use IPsec. As an alternative, you can disable the View Administrator global setting, Use IPsec for Security Server Connections.

The following rules must allow bidirectional traffic. You might have to specify separate rules for inbound and outbound traffic on your firewall.

Different rules apply to firewalls that use network address translation (NAT) and those that do not use NAT.

Non-NAT Firewall Requirements to Support IPsec Rules

| Source | Protocol | Port | Destination | Notes |
|---|---|---|---|---|
| Security server | ISAKMP | UDP 500 | View Connection Server | Security servers use UDP port 500 to negotiate IPsec security. |
| Security server | ESP | N/A | View Connection Server | ESP protocol encapsulates IPsec encrypted traffic. You do not have to specify a port for ESP as part of the rule. If necessary, you can specify source and destination IP addresses to reduce the scope of the rule. |

The following rules apply to firewalls that use NAT.

NAT Firewall Requirements to Support IPsec Rules

| Source | Protocol | Port | Destination | Notes |
|---|---|---|---|---|
| Security server | ISAKMP | UDP 500 | View Connection Server | Security servers use UDP port 500 to initiate IPsec security negotiation. |
| Security server | NAT-T ISAKMP | UDP 4500 | View Connection Server | Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security. |
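The following is an added example, not part of this documentation or of the View product: a small policy checker that models the required flows from both tables above and reports which of them a candidate back-end firewall policy fails to allow in either direction. Host labels, the AllowRule model and the sample policy are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Flows the two tables require, keyed by whether the back-end firewall does NAT.
# ESP carries no port (None); with NAT, ESP travels inside UDP 4500 (NAT-T).
REQUIRED_FLOWS = {
    "non-nat": (("udp", 500), ("esp", None)),
    "nat": (("udp", 500), ("udp", 4500)),
}


@dataclass(frozen=True)
class AllowRule:
    src: str             # host label or "any"
    dst: str             # host label or "any"
    proto: str           # "udp", "esp" or "any"
    port: Optional[int]  # None = any port; an ESP rule must use None

    def allows(self, src, dst, proto, port):
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto)
                and (self.port is None or self.port == port))


def missing_flows(policy, topology, ss="security-server", cs="connection-server"):
    """Return the required (src, dst, proto, port) flows that no rule allows.

    Every flow is checked in both directions, since the firewall may need
    separate inbound and outbound rules. An empty list means the policy is complete.
    """
    missing = []
    for proto, port in REQUIRED_FLOWS[topology]:
        for src, dst in ((ss, cs), (cs, ss)):
            if not any(r.allows(src, dst, proto, port) for r in policy):
                missing.append((src, dst, proto, port))
    return missing


# Constructed sample policy: looks plausible but is incomplete for both topologies.
SAMPLE_POLICY = [
    AllowRule("security-server", "connection-server", "udp", 500),
    AllowRule("connection-server", "security-server", "udp", 500),
    AllowRule("security-server", "connection-server", "esp", 500),  # wrong: ESP has no port
]

if __name__ == "__main__":
    for topology in ("non-nat", "nat"):
        print(topology, missing_flows(SAMPLE_POLICY, topology))
```

Running it shows the ESP rule with a port is never matched and that the NAT topology also lacks UDP 4500 in both directions.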