How do I configure IPSec in my local network?
I have a server running Server 2008 and 3 workstations running XP Pro. The workstations are joined to the domain. I would like communication between the workstations and the server to have data integrity, so IPSec looks like the right choice.
I have looked at books on this subject but still feel inadequate about configuring the policies on the server and on the workstation.
On the workstation I create the IP Security Policy, then create outbound and inbound filters, then outbound and inbound rules? I assume that I do the same on the server but I am not certain on this subject. Any help would be greatly appreciated.
November 16th, 2011 9:20pm
You already have the basic steps that you need to create the same policy on both the client and server that are going to communicate/apply IPSec. The policies must be identical, so you can configure the policies on either the client or server and use export and import to duplicate the same policies on the other side in the test lab, or just use group policies to deploy the policies. Please consider the following TechNet guides for more information about IPSec policies compatible with Windows XP.
IPSec Policy Rules Overview
http://technet.microsoft.com/en-us/library/cc786197(WS.10).aspx
Creating and Using IPsec Policies
http://technet.microsoft.com/en-us/library/cc730656(WS.10).aspx
Setting Up IPsec Domain and Server Isolation in a Test Lab
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4963
/Hasain
November 17th, 2011 2:48am
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/07dde657-e37e-40aa-b9dc-136b4877c47a/
Do I import into the server as instructed in the above link?
In one of the links, you cannot use the default response rule in Server 2008, even though it is selectable in XP. It does not really show what authentication method is compatible with XP and Server 2008. I assume that whatever authentication method is selectable in XP is compatible with Server 2008?
November 17th, 2011 9:32am
You only need to export the IPSec policies and either import them into the server directly using secpol.msc or into a GPO, replacing the IPSec settings in it.
You can manually create a rule that mimics the default response rule; please check KB942964 http://support.microsoft.com/kb/942964.
You are correct about the authentication methods in 2008.
/Hasain
November 17th, 2011 10:56am
Ok, I'm thinking about using group policy. In the domain, there are 3 default policies. Would assigning "Secure Server (Require Security)" work without any configuring? Just right-click and select Assign? It can't be that easy, can it?
November 17th, 2011 7:25pm
Hi plp384,
Thank you for your post.
Generally, we could use one of the 3 default policies, which already have an IP filter (any IP, any protocol, any port) and a filter action set.
A. Client (Respond Only): can respond to IPSec and non-IPSec.
B. Secure Server (Require Security): always requests and responds with IPSec.
C. Server (Request Security): can request IPSec and non-IPSec.
D. Assume D is a device with no policy configured, a device that does not support IPSec, or a non-domain device.
If you want IPSec for server traffic, assign B to the server and assign A to the clients.
If you want IPSec for all server and client traffic, assign B to the server and the clients.
If you want traffic with another device like D, policy B will drop the traffic. You need to modify the IP filter to exclude D or assign policy C.
Here is the Step-by-Step Guide to Internet Protocol Security (IPSec) article; hope it helps you.
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
November 18th, 2011 2:20am
Okay, thank you. One more question... If I assign Secure Server in group policy on the server, do I have to change anything on the workstations that are already joined to the domain? I notice in your reply you imply that I must assign to both server and clients.
November 18th, 2011 10:13am
You must assign the "Respond Only" or any other policy that can respond to IPSec on the clients.
/Hasain
November 18th, 2011 10:40am
Looking at IP Security Policy Management in XP Pro, it shows "Select which computer or domain this snap-in will manage".
I can select "Local computer" or "The Active Directory domain of which this computer is a member".
Which should I select? I figure that I should select "The Active Directory domain of which this computer is a member" since the workstation is joined to a domain. But I also figure that selecting "Local computer" would affect all users of the particular workstation anyway.
November 18th, 2011 11:21am
The recommended approach is to use the local MMC snap-in to manage and assign local policies, and to use Group Policy Management to manage the IPSec policies through GPOs.
/Hasain
November 18th, 2011 11:27am
Today at work I went to the server and edited a GPO through which I assigned "Secure Server (Require Security)". Then I turned on a workstation and found that it took the computer a whole lot longer to load. I could no longer access a mapped drive, so that kinda tells me that the server is ready for IPSec communication. On the workstation I went to MMC, snapped in IP Security Policy Management and selected for the snap-in to manage the local computer. Then I assigned "Secure Server (Require Security)". After restarting the workstation I noticed the same pattern of longer load time followed by the inability to access the mapped drive... I decided to unassign the policies from both the workstation and the server. Luckily, I can log in now as normal.
My question is: should I have assigned the Secure Server policy on the workstation first, then assigned the same policy through Group Policy Management on the server? Should I have selected for the snap-in on the workstation to manage "The Active Directory domain of which this computer is a member" instead of "Local computer"?
Now I see something that I did not do, as Mr. Tan pointed out. I want IPSec for server traffic. So I would assign "Secure Server (Require Security)" on the server and then open MMC on the workstation and assign "Client (Respond Only)". Should I assign the workstations first, then the server?
November 18th, 2011 7:20pm
Can you describe the role of the server you are enabling IPSec on, is it just a member server or does it have other roles?
When using the default "Secure Server" policy, the machine requires IPSec on all IP traffic with no exemptions, for both incoming and outgoing connections. Additionally, that policy uses Kerberos for authentication, and you need to make sure that Kerberos is exempted from your IPSec; read more here http://support.microsoft.com/kb/810207
The order in which you apply the policies does not matter, but you need to understand the dependencies between IPSec and the incoming and outgoing connections, as well as the authentication methods used.
What is your ultimate goal using IPSec?
/Hasain
November 19th, 2011 1:45am
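To make the two points above concrete (Rick Tan's "require security on the server, respond only on the clients" layout, and Hasain's warning that the built-in Secure Server policy has no Kerberos exemption), here is an added example of building an equivalent policy from the command line with `netsh ipsec static` instead of the three built-in policies. This is not from the thread or from Microsoft's guides; the policy, filter list and rule names are placeholders, and it assumes an elevated prompt on the Server 2008 machine (the same `netsh ipsec static` commands exist on XP Pro, which is where the mirrored "Respond Only" side would be built).

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell or cmd prompt.
# Goal: require IPsec (Kerberos-authenticated) for all traffic to/from this server,
# but let Kerberos itself (TCP/UDP 88) pass in the clear so IKE can authenticate at all
# (the dependency Hasain points at in KB810207). All names below are placeholders.

# 1. Filter list covering everything: any address, any protocol, both directions.
netsh ipsec static add filterlist name="Lab-AllTraffic" description="Any IP, any protocol"
netsh ipsec static add filter filterlist="Lab-AllTraffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# 2. Filter list that matches only Kerberos (port 88, TCP and UDP). Specific filters
#    win over general ones, so this list is evaluated before Lab-AllTraffic.
netsh ipsec static add filterlist name="Lab-Kerberos" description="Kerberos KDC traffic"
netsh ipsec static add filter filterlist="Lab-Kerberos" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=88 mirrored=yes
netsh ipsec static add filter filterlist="Lab-Kerberos" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=88 mirrored=yes

# 3. Filter actions. "Require" negotiates IPsec and never falls back to clear text
#    (inpass=no, soft=no), which is what makes it behave like the built-in Secure Server
#    policy. "Permit" is the exemption used for Kerberos.
netsh ipsec static add filteraction name="Lab-Require" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Lab-Permit" action=permit

# 4. Policy and its two rules. Kerberos authentication for IKE is selected per rule.
netsh ipsec static add policy name="Lab-ServerRequire" description="Require IPsec, exempt Kerberos" assign=no
netsh ipsec static add rule name="Exempt Kerberos" policy="Lab-ServerRequire" filterlist="Lab-Kerberos" filteraction="Lab-Permit"
netsh ipsec static add rule name="Require on everything" policy="Lab-ServerRequire" filterlist="Lab-AllTraffic" filteraction="Lab-Require" kerberos=yes

# 5. Review before assigning. Assigning is what actually enforces the policy, so check
#    the rules first; unassigning (assign=no) is the rollback the poster had to do by hand.
netsh ipsec static show policy name="Lab-ServerRequire" level=verbose
netsh ipsec static set policy name="Lab-ServerRequire" assign=yes
```

The client side is the mirror image: the workstations still need a policy that can respond to the server's negotiation (the built-in "Client (Respond Only)", or a policy built the same way with a filter action of `action=negotiate inpass=yes soft=yes`). The same pattern of a separate filter list plus a Permit rule is how any other traffic the policy must not block gets exempted; on a server that also hands out DHCP and DNS, as the poster's does, those are worth walking through with the same care before the Require rule is assigned.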
I assume it is a member server, but there is not any other server controlling the domain.
It has Active Directory enabled, along with file services, terminal services, DNS and DHCP. We configured the server so that workers can access an application remotely and local workstations can access a SQL database through a mapped network drive.
I figure that Kerberos would be a good authentication method because it is the default and is compatible with XP Pro; my other option would be a shared key, but that's not as secure.
My ultimate goal using IPSec is to have data integrity between the 3 workstations and the server. Right now the workstations connect wirelessly to the network with WPA2-AES, but I think there is not any data integrity.
November 19th, 2011 11:07am
After reading some literature on WPA2... it looks as if there is data integrity in its communications between computers.
Sorry for the confusion and again thank you for helping me with this issue.
November 20th, 2011 6:17pm