IPSEC and NLB Web farm
Hi, I have a two-node web farm with Windows NLB (Windows 2008 R2). I want to enable an IPsec policy on them to require IPsec for inbound connections (IPsec with Kerberos computer account). How can machines connect using IPsec to the NLB name of the web farm node?
ammarhasayen
April 27th, 2011 9:36am

Hi Customer,
You could first test by setting up outbound to server farm IP connection security rules on one client, and inbound from client IP connection security rules on all NLB servers. If the test passes, use an IPsec GPO to deploy these two policies:
1. outbound to server farm IP port 80
2. inbound from client IP port 80
Creating Connection Security Rules: http://technet.microsoft.com/en-us/library/cc725940(WS.10).aspx
Configure IPsec GPOs: http://technet.microsoft.com/en-us/library/dd314176(WS.10).aspx
How to configure Network Load Balancing to work with IPsec: http://support.microsoft.com/kb/820752
Regards, Rick Tan
April 28th, 2011 6:03am

Hi Customer,
You could first test by creating IP connection security rules:
1. an outbound to NLB IP rule on one client
2. an inbound to NLB IP rule on the one NLB server which this client visits
If the test passes, use an IPsec GPO to deploy these two policies:
1. outbound to NLB IP policy to clients
2. inbound to NLB IP policy to all NLB servers
Creating Connection Security Rules: http://technet.microsoft.com/en-us/library/cc725940(WS.10).aspx
Configure IPsec GPOs: http://technet.microsoft.com/en-us/library/dd314176(WS.10).aspx
How to configure Network Load Balancing to work with IPsec: http://support.microsoft.com/kb/820752
Regards, Rick Tan
April 28th, 2011 6:04am

My question is how IPsec using Kerberos computer authentication will work when you hit an NLB name, which isn't a security principal. Anyone?
ammarhasayen
May 1st, 2011 8:50am

Hi Customer,
When you create connection security rules, you could select the Computer Kerberos V5 authentication method in the wizard: Windows Firewall with Advanced Security -- Connection Security Rules -- New Rule -- Custom -- choose IP -- choose inbound/outbound authentication -- choose Computer Kerberos V5.
Regards, Rick Tan
May 3rd, 2011 2:10am
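
The single-client test described in the replies above can also be set up from an elevated prompt with `netsh advfirewall consec` instead of the wizard. This is an added example, not part of the original thread; the address 192.0.2.10 is a placeholder for the NLB cluster IP and the rule names are made up for illustration.

```powershell
# Added example (not from the thread). Run each section on the machine named
# in its comment, from an elevated PowerShell prompt.
# ASSUMPTION: 192.0.2.10 stands in for the NLB cluster (virtual) IP.
$NlbVip = '192.0.2.10'

# --- On the NLB node the test client reaches ---
# Require IPsec for inbound TCP 80 to the cluster IP, authenticating the
# peer with its computer account (Computer Kerberos V5).
netsh advfirewall consec add rule name=NLB-HTTP-IPsec-In `
    endpoint1=$NlbVip endpoint2=any protocol=tcp port1=80 `
    action=requireinrequestout auth1=computerkerb

# --- On the test client ---
# Request IPsec for outbound TCP 80 to the cluster IP. "Request" keeps the
# client able to reach other hosts while the test is running.
netsh advfirewall consec add rule name=NLB-HTTP-IPsec-Out `
    endpoint1=any endpoint2=$NlbVip protocol=tcp port2=80 `
    action=requestinrequestout auth1=computerkerb

# --- On either machine: confirm the rule and the negotiated SAs ---
netsh advfirewall consec show rule name=all
# After browsing to the farm from the client, a main mode SA and a quick
# mode SA for the cluster IP should be listed. If none appear, negotiation
# or authentication did not complete.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# --- Roll back the test rules before moving to GPO deployment ---
netsh advfirewall consec delete rule name=NLB-HTTP-IPsec-In
netsh advfirewall consec delete rule name=NLB-HTTP-IPsec-Out
```

Checking the main mode SA list on the NLB node during the test shows directly whether Kerberos computer authentication succeeded for traffic addressed to the cluster IP.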
