Using IPsec to isolate a server, with no admin access to GP or DC
I'm trying to isolate a server within a domain to allow only specific users and computers (from within the same domain) to access port 80 and 443. My research points me to IPsec and the Advanced Firewall. But from the articles I read, this requires access to configure GP and DC. http://technet.microsoft.com/en-us/library/deploy-ipsec-firewall-policies-step-by-step(WS.10).aspx http://technet.microsoft.com/en-us/library/cc947819(WS.10).aspx I DON'T have configuration access to the two in my environment. Can I still use IPsec?
April 29th, 2011 5:51pm

Actually not. You need to have access to the DC and of course the Group Policy settings if you want to configure that throughout the domain. By the way, if you have access to the DC and GP, you have to know which type of authentication you choose: - If you want the server to be able to communicate to the DC using IPsec, you cannot use the Kerberos v5 authentication protocol; you should either use a pre-shared key or digital certs. The reason is clear, since in order for the server to use Kerberos it needs to contact the DC while the communication is filtered in the first place. - If you want the server to be able to communicate to the other clients, you can choose any type of authentication that you want, but if you want to choose specific users, then you must go for Kerberos. I know your question was something else. But I just wanted to mention it since it's often forgotten by so many people when configuring Domain and Server isolation. Cheers Esmaeil MCT, MCSA/MCSE Security http://esitech.spaces.live.com/
April 29th, 2011 9:42pm

Actually, Microsoft stated that GP is not required. It just makes things easier if you want to deploy isolation to multiple servers/clients. http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyID=0b937897-ce39-498e-bb37-751c00f197d9 All I need to do is to restrict a server to only 3 computers within a domain. I can't seem to find a way to do it.
May 4th, 2011 7:21pm

Hi Customer, You could deploy server isolation on these servers via certificate or pre-shared key if the server is not in the domain. Just set up a connection security rule for inbound/outbound isolation to create the IPsec tunnel. Regards, Rick Tan
May 6th, 2011 7:45am

I found a very good article that solves my problem. It uses local group policy to implement IPsec without needing to configure/have access to domain group policy. It uses Kerberos authentication and encryption as well. Here is the link. The requirement is that all components are joined to the domain. Hopefully this helps someone. http://digitallibraryworld.com/?p=137#more-137
June 16th, 2011 12:13am
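What the last two replies describe (a local connection security rule plus a firewall rule that only matches authenticated, IPsec-protected traffic from named computer accounts) can be done from the server itself without touching domain Group Policy. The script below is an added example written for this thread, not code from any of the posters or from the linked article. It assumes a domain-joined Windows Server 2012 or later with the NetSecurity cmdlets (the same rules can be built with "netsh advfirewall consec" and "netsh advfirewall firewall" on 2008 R2), and the domain name CONTOSO and computer names WKS01-WKS03 are placeholders to replace.

```powershell
# Added example (not from the thread): local server isolation on a domain-joined
# Windows Server using the NetSecurity cmdlets. Run in an elevated PowerShell on
# the server being isolated. Domain and computer names are placeholders.
$Domain          = 'CONTOSO'                    # placeholder domain NetBIOS name
$AllowedMachines = 'WKS01', 'WKS02', 'WKS03'    # placeholder: the three authorised computers

# 1. Resolve each computer account (NAME$) to its SID and build an SDDL DACL
#    granting those accounts access. CC is the access right used by firewall
#    SDDL for "allow connection"; this form is what -RemoteMachine expects.
$aces = foreach ($name in $AllowedMachines) {
    $acct = New-Object System.Security.Principal.NTAccount("$Domain\$name`$")
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    "(A;;CC;;;$sid)"
}
$remoteMachineSddl = 'O:LSD:' + ($aces -join '')

# 2. Connection security rule: require IPsec for inbound traffic using computer
#    Kerberos (no PSK or certificate to manage), but only *request* it outbound.
#    "Request" outbound is what keeps the server able to reach the DC, which
#    will not negotiate IPsec and would otherwise become unreachable, the
#    point raised in the first reply of the thread.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -Name 'IsolationP1' `
    -DisplayName 'Isolation: computer Kerberos' -Proposal $proposal | Out-Null
New-NetIPsecRule -DisplayName 'Server isolation (require in / request out)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet 'IsolationP1' -Profile Domain | Out-Null

# 3. Firewall rule for 80/443 that only matches authenticated, IPsec-protected
#    connections whose remote computer account is in the SDDL above. Any other
#    host cannot satisfy the rule and falls through to the default inbound block.
New-NetFirewallRule -DisplayName 'HTTP/HTTPS from authorised computers only' `
    -Direction Inbound -Protocol TCP -LocalPort 80, 443 -Action Allow `
    -Authentication Required -RemoteMachine $remoteMachineSddl -Profile Domain | Out-Null

# 4. Checks. First: no other enabled inbound rule may still allow 80/443 without
#    authentication, or the isolation is bypassed. Second: after an authorised
#    client has connected, a main-mode SA should exist for it.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -match '^(80|443)$') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action,
        @{ n = 'Auth'; e = { ($_ | Get-NetFirewallSecurityFilter).Authentication } }
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

The firewall rule alone is not enough: without the connection security rule in step 2 the server never negotiates IPsec, so no inbound packet ever carries the computer identity that -RemoteMachine is matched against. Conversely, the "Require" inbound setting in step 2 applies to every port, so any other service the server offers to unauthenticated clients needs its own exemption.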
