IPSEC
I have a customer that wants to enable encrypted communications to around 20 servers and 1000 desktops. They are a subset of around 8000 workstations and 200 servers. They are all currently in a single OU that is for their specific operations. Due to healthcare requirements they need to encrypt LAN traffic. I am thinking of using Kerberos with an IPsec policy using "Secure Server". This way they will initiate encryption with said servers and still be able to communicate with servers not participating in the policy. The question I have is: can I create a policy ONLY for that OU? From what I was reading they state to enable it in the Default Domain Policy. I really can't do this for other reasons. I simply want it for only the servers/clients in that OU. I also figure that with Kerberos it is much easier to implement and I don't require an internal PKI or have to deal with SSL. Is there anything I might be overlooking or need to consider? I believe this can be accomplished with a single GPO linked at the OU, correct? It's a mix of XP/2003/Windows 7/2008. I know I will need to use 3DES. Thanks, Grady Vogt
August 16th, 2011 2:12pm

Yes, you can configure the required IPsec and Connection Security policies via group policies in one or multiple GPOs linked to the OU where you have the workstations and servers requiring LAN encryption using IPsec. It is recommended to filter the GPOs using security groups and/or WMI filters to help limit the scope of clients and servers affected by the policy.

You need to configure two different sets of policies. The first policy applies to the servers and configures the server to require IPsec protection for all inbound connections and request IPsec protection for all outbound connections. The second policy applies to all clients and configures the client to request IPsec protection for incoming and outgoing connections. Having a mixed environment of OS versions requires configuring a mix of the "legacy" IPsec policies and the "new" connection security policies.

Please consider reading:

- "Windows Firewall with Advanced Security Design and Deployment Guide" http://www.microsoft.com/download/en/details.aspx?id=17077 for Windows 2008 servers and Windows 7 clients
- "Server and Domain Isolation Using IPsec and Group Policy" http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18358 for Windows XP and Windows 2003
- The general Microsoft landing page for IPsec technologies http://www.microsoft.com/ipsec includes many useful guides and discussions about implementing Server and Domain Isolation

/Hasain
August 16th, 2011 4:11pm

If I don't want the servers to require it, I can simply do it in 1 GPO with Kerberos/3DES set to "Secure Server", then create 2 new security groups, 1 for servers and 1 for clients, and set that as my scope after linking it to the OU? Is that a correct statement? Thanks, Grady Vogt
August 16th, 2011 4:44pm

The "Secure Server (Require Security)" IPsec policy is simply configuring the server to require IPsec on all connections. This policy is good for the servers but not the clients. Apply the "Client (Respond Only)" or "Server (Request Security)" IPsec policy to the clients to make sure the clients will be able to communicate with both servers requiring IPsec and other servers and clients without IPsec. Just to simplify: if the server requires IPsec, the client should respond with IPsec; otherwise just continue without IPsec. So you need two GPO objects, one for the servers and one for the clients, filtered with security groups or linked to different OUs or a combination of linking and filtering. /Hasain
August 16th, 2011 5:17pm

If I apply "Secure Server (Require Security)", will that affect all traffic? What about the backup server that is not Windows based? I need to make sure that communications are NOT restricted but allowed. If BOTH are set to "Server (Request Security)", won't they communicate in IPsec since they BOTH request it? Thanks, Grady Vogt
September 19th, 2011 12:32pm

You need to make an exemption filter for the IP addresses used in the backup network and set the action to permit. /Hasain
September 19th, 2011 2:12pm
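The two-GPO layout Hasain describes (servers require inbound / request outbound, clients request both ways, with a permit exemption for the non-Windows backup network), written out as an added example with the `netsh advfirewall consec` connection security rules that apply to the Windows 7 / 2008 members in the thread; it is not code from the thread or from Microsoft. The domain name, GPO names and the 10.50.0.0/24 backup network are placeholders; XP/2003 members still need the legacy `netsh ipsec static` policies named above, which this script does not cover.

```batch
@echo off
rem Added example, not part of the original thread.
rem Assumed placeholders: contoso.local domain, GPO names IPsec-Servers / IPsec-Clients,
rem backup network 10.50.0.0/24. Run from an elevated prompt on a machine with GPMC.

rem ---- Server GPO: require IPsec for inbound, request it for outbound ----
rem Kerberos computer authentication, ESP with SHA1 integrity and 3DES encryption (as asked for above).
netsh advfirewall set store gpo=contoso.local\IPsec-Servers
netsh advfirewall consec add rule name="Require In / Request Out" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb qmsecmethods=esp:sha1-3des+60min+100000kb
rem Exemption for the non-Windows backup server: no IPsec negotiation, traffic permitted in the clear.
netsh advfirewall consec add rule name="Exempt backup network" endpoint1=any endpoint2=10.50.0.0/24 action=noauthentication

rem ---- Client GPO: request IPsec both ways, fall back to clear with non-participating hosts ----
netsh advfirewall set store gpo=contoso.local\IPsec-Clients
netsh advfirewall consec add rule name="Request In / Request Out" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb qmsecmethods=esp:sha1-3des+60min+100000kb
netsh advfirewall consec add rule name="Exempt backup network" endpoint1=any endpoint2=10.50.0.0/24 action=noauthentication

rem Back to the local store; on a member, list the rules that actually applied after gpupdate.
netsh advfirewall set store local
netsh advfirewall consec show rule name=all
```

Scope each GPO with security group filtering or separate OU links, as recommended in the answers above, so that a server never receives the client rule set and vice versa.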
