IPSec & workgroup member
WS2008R2 domain, all clients Win 6.1. IPSec domain isolation successfully deployed (auth only) (require inbound, request outbound). WS2008R2 EE CAs.

I now have to add a WS2008R2 machine that is a workgroup member, and it needs SMB connectivity to the domain and RDP from the domain. If I add an Exception to Group Policy for the machine's IP, I have connectivity. But what I want is to have IPSec auth to this computer as I have for the domain.

I've enrolled an "IPSec (offline request)" cert for the workgroup machine from the domain CA, and have imported root & intermediate certs such that the machine trusts the domain root and intermediate CAs. When I enable IPSec on the workgroup machine, I have outbound connectivity to the domain, but no inbound from the domain.

Here is the "Advanced" auth dialog for the "Request Outbound, Require Inbound" rule, as it now stands:

Correct certs are selected for the root & sub CAs, but it is not working. Is Advanced Auth configured incorrectly?
November 23rd, 2011 8:28am

What do the IPSec policy/connection security rules on your domain members look like? Do you have a matching policy on that end? /Hasain
November 25th, 2011 12:57am

Still have to get back to this. I do have a rule on the domain end but I'm thinking I didn't update it when I changed the one on the client, so you're probably right.
November 28th, 2011 11:07am

This topic is archived. No further replies will be accepted.
