If your network topology includes a back-end firewall between security servers and View Connection Server instances, you must configure certain protocols and ports on the firewall to support IPsec. Without proper configuration, data sent between a security server and View Connection Server instance will fail to pass through the firewall.

By default, IPsec rules govern the connections between security servers and View Connection Server instances. To support IPsec, the View Connection Server installer can configure Windows firewall rules on the Windows Server hosts where View servers are installed. For a back-end firewall, you must configure the rules yourself.

Note: It is highly recommended that you use IPsec. As an alternative, you can disable the View Administrator global setting, Use IPsec for Security Server Connections.

The following rules must allow bidirectional traffic. You might have to specify separate rules for inbound and outbound traffic on your firewall.

Different rules apply to firewalls that use network address translation (NAT) and those that do not use NAT.

Table 1. Non-NAT Firewall Requirements to Support IPsec Rules
Source Protocol Port Destination Notes
Security server ISAKMP UDP 500 View Connection Server Security servers use UDP port 500 to negotiate IPsec security.
Security server ESP N/A View Connection Server ESP protocol encapsulates IPsec encrypted traffic.

You do not have to specify a port for ESP as part of the rule. If necessary, you can specify source and destination IP addresses to reduce the scope of the rule.

The following rules apply to firewalls that use NAT.

Table 2. NAT Firewall Requirements to Support IPsec Rules
Source Protocol Port Destination Notes
Security server ISAKMP UDP 500 View Connection Server Security servers use UDP port 500 to initiate IPsec security negotiation.
Security server NAT-T ISAKMP UDP 4500 View Connection Server Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.