That would do it. Almost certainly enforced by GPO in that case, so at least it's easy to change if you need to.
On Thu, Sep 3, 2015 at 10:25 AM, Robert Webb <rw...@ropeguru.com> wrote:
> Yes, we are looking at this now.
>
> Thanks for everyone's help. I think we are heading in the right direction
> tracking this down. This just showed up in our monitoring and makes sense
> as we just brought up a new locked down domain.
>
> Robert
>
> On Thu, 3 Sep 2015 10:19:53 -0400
> "Oliver O'Boyle" <oliver.obo...@gmail.com> wrote:
>
>> You can configure Windows to encrypt traffic based on protocol
>> definitions. E.g., use IPsec to encrypt all traffic on port 80 between
>> hosts X and hosts Y.
>>
>> It's possible that such a policy is in place locally on the workstations
>> and/or servers and it's also possible that it's being enforced using GPOs.
>>
>> On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rw...@ropeguru.com> wrote:
>>
>>> There is no VPN in the picture here. These are straight workstations on
>>> the network that the packets are coming from.
>>>
>>> According to a packet capture in Wireshark, these are ISAKMP packets
>>> reaching out to host names of web sites that are being browsed. So
>>> destinations are sites like Twitter, Facebook, Amazon, CNN, etc.
>>>
>>> We have further discovered that they seem to be initiated from the
>>> Windows 7 svchost, but we have not been able to find documentation as to
>>> how or why this is occurring.
>>>
>>> Robert
>>>
>>> On Thu, 3 Sep 2015 13:42:21 +0000
>>> "Bjoern A. Zeeb" <bzeeb-li...@lists.zabbadoz.net> wrote:
>>>
>>>> On 03 Sep 2015, at 13:35 , Robert Webb <rw...@ropeguru.com> wrote:
>>>>
>>>>> We are seeing UDP 500 packets being dropped at our firewall from users'
>>>>> browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
>>>>>
>>>>> Source and destination ports are UDP 500 and the pattern of drops
>>>>> directly correlates to the web browsing activity. We have confirmed this
>>>>> with tcpdump of port 500 and a single host and watching the pattern of
>>>>> traffic as they browse. This also occurs no matter what browser is used.
>>>>>
>>>>> Can anyone shine some light on what may be using UDP 500 when web
>>>>> browsing?
>>>>
>>>> The VPN using IPsec UDP-Encap connection that supposedly gets through
>>>> NAT? Have you checked the content with tcpdump? Do you have fragments
>>>> by any chance?
>>>>
>>>> --
>>
>> --
>> :o@>
>

--
:o@>
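The checks below are an added example for the diagnosis Oliver describes (an IPsec policy, local or GPO-delivered, that asks the workstation to negotiate security for web ports and so fires IKE at every web server the browser contacts). They are not from the thread; they assume an elevated prompt on one affected Windows 7 workstation, and the event IDs in the last step are an extra check the thread does not mention. Note that the `Get-NetIPsecRule` family of cmdlets does not exist on Windows 7 / Server 2008 R2, which is why this sticks to `netsh`.

```powershell
# Added example, not part of the original thread. Run elevated on one
# affected Windows 7 workstation to find what is driving ISAKMP (UDP 500)
# toward ordinary web servers.

# 1. Legacy "IP Security Policies" store (Local Security Policy or the
#    matching GPO node). Look for an *assigned* policy whose filter list
#    matches destination "Any IP address", protocol TCP, port 80 or 443,
#    with filter action "Negotiate security".
netsh ipsec static show all

# 2. What the IPsec Policy Agent is actually enforcing right now, after
#    the GPO merge. A domain-delivered policy shows up here even if the
#    local store (step 1) is empty.
netsh ipsec dynamic show all

# 3. The newer Windows Firewall with Advanced Security flavour of IPsec:
#    connection security rules. A "Require inbound and outbound" or
#    "Request" rule scoped to any remote address on the web ports has the
#    same effect as the legacy policy above.
netsh advfirewall consec show rule name=all

# 4. Confirm the source before changing anything: which GPOs applied to
#    the computer object. Any IPsec or firewall settings will come from
#    one of the objects listed here.
gpresult /scope computer /v | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10

# 5. Corroborating evidence (assumption: IPsec auditing is enabled):
#    4653 = Main Mode negotiation failed, 4654 = Quick Mode negotiation
#    failed. Each web host that never answers UDP 500 should produce one.
wevtutil qe Security /q:"*[System[(EventID=4653 or EventID=4654)]]" /c:5 /rd:true /f:text
```

If step 1 or 3 shows the culprit but step 4 lists a domain GPO as its origin, editing the local policy will be overwritten at the next refresh; change the GPO (or narrow its filter to the intended internal hosts) and run `gpupdate /force` on a test workstation, then watch port 500 with tcpdump again as in the original post to confirm the ISAKMP attempts stop.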