Windows 7 Connection Security Rule Issue
We have two KMS servers (1 Server 2008 R2 and 1 Windows 7 Enterprise). The KMS clients are all Windows 7 Enterprise. We are testing creating connection security rules to use isolation and protect the KMS service as outlined in the Microsoft guide. This all works well when the client attempts a connection to the 2008 R2 server. However, it never works when it is Windows 7 -> Windows 7. The rules are fairly basic and state that anything on TCP 1688 requires in/request out using Computer Kerberos authentication. All these computers are on the same LAN in a lab environment.

Is it possible for a Windows 7 machine to act as an isolation endpoint "host", for lack of a better term? Are there specific services that must be enabled for this to work? I created a generic inbound rule to allow all TCP traffic on any port to rule out a firewall issue and that has not helped. The second I drop the connection security rule I have no problems, but that defeats the purpose of what I'm trying to accomplish.

Thanks, Brian
September 13th, 2010 8:35pm

Have you read the document for using Server Isolation to Protect the KMS? That should be helpful: Using Server Isolation to Protect the Key Management Service (KMS). Following the steps exactly may work.

Arthur Xie, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 14th, 2010 10:12am

Yes, I followed that guide for both the 2008 R2 machine and the Windows 7 KMS host. However, the connection security rule does not seem to work when it is Windows 7 to Windows 7. If I make a connection to the Server 2008 R2 box the rules work fine. It makes me think a service is missing or disabled, but I cannot seem to find it.
September 14th, 2010 7:17pm

Is the Windows 7 KMS host a domain member? How does it work if you do not apply the firewall policy on the Windows 7 KMS host? Did you install any third-party programs such as antivirus on the Windows 7 KMS host? If so, I suggest you remove them.

Another possible issue is the port 1688. It may be taken by other processes. I suggest you check the port status by entering the following command:

netstat -ano

Is the KMS service listening on the port TCP 1688?

You may also need to check the rules. In step 8 of the instructions, Endpoint 2 should include the IP addresses of the KMS servers. Please ensure that the IP address of the Windows 7 computer is included.
September 16th, 2010 2:48am

Hi Arthur, thanks for the reply.

Yes, the KMS host is a member of the domain. If I do not apply the Connection Security Rule then everything works as expected. I removed anti-virus from this host and it did not make a difference; however, for the record, the same anti-virus program is installed on the Server 2008 KMS host and does not affect operation. I verified that the sppsvc.exe process is listening on port 1688 on both the 0.0.0.0 and [::] local addresses. The rules appear correct to me, but I can export them and send them to you if you like. On the Windows 7 client, I have a range of IPs configured on the connection security rule to include both the Server 2008 R2 and Windows 7 KMS host. If I configure the opposing rule on the Server 2008 R2 KMS host it works fine, but the same rule will not work on the Windows 7 KMS host.

Thanks, Brian
September 20th, 2010 5:18pm

You may send the information of the rule into the following workspace: Microsoft File Transfer. Password is: aCwk+mw)lNhEnzGA

How did you confirm that the Windows 7 host does not work, just by pinging the host or by trying to activate a client?
September 22nd, 2010 2:53am

OK, I exported the policies and uploaded them to the site. The PC I'm currently testing with is 8.50, but none of the other IPs listed work with the connection security rule enabled. The host will work as long as I don't require the connection security rule. Once I configure that is when it breaks. The only way I know to test IPsec is to attempt the activation, unless there is another method you can suggest. Thanks for your assistance.

Regards, Brian
September 22nd, 2010 11:18am

Hi Arthur, after re-reading my post I realize I need to expand on my statements further. The KMS servers are in a resource domain. All of the KMS clients are in a trusted domain with a forest-level trust between them. The KMS host that is running Server 2008 R2 is also the domain controller for the resource domain. The KMS host running Windows 7 is obviously just a member of the resource domain. Since the isolation requires Kerberos authentication for the computer accounts, I'm curious if the Windows 7 host cannot verify the computer account because it is not a DC.

Usually, when the client attempts to activate where an isolation rule is in place I will see a plain-text attempt, but I do not see any information in the security event logs. I did enable auditing by issuing the following:

auditpol.exe /set /category:"Logon/Logoff" /SubCategory:"IPsec Main Mode"
auditpol.exe /set /category:"Logon/Logoff" /SubCategory:"IPsec Quick Mode"
auditpol.exe /set /category:"System" /SubCategory:"IPsec Driver"

Hope this helps.
September 22nd, 2010 12:11pm

I think you hit the point. Windows 7 can recognize the objects in a trusted domain; otherwise it would not work if you remove the rule. I just suspect that the rule does block Kerberos v5 authentication because it only opens the port 1688. The authentication works with the DC, so when you try to activate with the Windows Server 2008 R2 DC the authentication does not communicate with other DCs but runs locally.

Actually the isolation rules should be very simple. You just need to create the rule under Connection Security Rules, not Inbound or Outbound rules. Only allow connections that pass Kerberos v5 authentication. If you do not want certain computers to access it, just add the IP addresses to the block list. See: Creating Connection Security Rules.
September 24th, 2010 5:16am

Hi, just want to confirm whether you have resolved the issue.
September 27th, 2010 4:07am

Hi Arthur, I will try your suggestions out today and see if they resolve the issue. I will get back to you.

Thanks, Brian
September 27th, 2010 12:28pm

Just to make sure I am clear on what you are saying:

(1) Create a connection security rule for Kerberos (computer) authentication.
(2) Don't specify any specific ports; leave them at any/any.
(3) Don't specify any IP endpoints; leave them at any/any.

When I do this, it still does not activate. I don't see anything in the event logs either. Is there somewhere else I can look or any additional logging I can enable?
September 28th, 2010 3:24pm

Hi,

> (3) Don't specify any IP endpoints. Leave them at any any

According to the document, you need to specify the IP for Endpoint 2, which should be the address of the Windows 7 KMS host. Additionally, from the files you uploaded I see that you created inbound and outbound rules for Windows Firewall. However, the document indicates that you should add the rule in "Connection Security Rules". Please check it. The document can be downloaded here: Download details: Using Server Isolation to Protect the Key Management Service (KMS).
October 1st, 2010 3:16am
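The rule Arthur describes (a Connection Security Rule, not a firewall rule, requiring inbound and requesting outbound computer Kerberos authentication for TCP 1688 with the KMS hosts as Endpoint 2), together with the IPsec auditing Brian enabled and the checks that show whether a security association was actually negotiated. This is an added example and not from the thread or the Microsoft guide; it uses netsh because Windows 7 has no NetSecurity PowerShell cmdlets, and 192.0.2.10 / 192.0.2.11 are placeholder addresses for the two KMS hosts, which the thread does not give.

```powershell
# Added example: Windows 7 KMS isolation rule plus defender-side checks.
# Run from an elevated PowerShell prompt. Placeholder KMS host addresses below.
$KmsHosts = "192.0.2.10,192.0.2.11"   # Endpoint 2: the 2008 R2 and Windows 7 KMS hosts (constructed)
$RuleName = "KMS isolation TCP 1688"

# 1. Connection Security Rule (NOT an Inbound/Outbound firewall rule):
#    require authentication inbound, request it outbound, computer Kerberos v5,
#    scoped to TCP 1688 so Kerberos/LDAP traffic to the DC is left untouched.
netsh advfirewall consec add rule name=$RuleName `
    endpoint1=any endpoint2=$KmsHosts `
    protocol=tcp port1=any port2=1688 `
    action=requireinrequestout auth1=computerkerb profile=domain

# 2. Audit IPsec negotiation (same subcategories Brian used) so a failed
#    Main Mode / Quick Mode exchange lands in the Security log instead of
#    silently falling back or dropping.
auditpol.exe /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol.exe /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol.exe /set /subcategory:"IPsec Driver"     /success:enable /failure:enable

# 3. Checks after an activation attempt (slmgr /ato on the client):
#    is the rule present and enabled, and were any SAs negotiated with a KMS host?
netsh advfirewall consec show rule name=$RuleName
netsh advfirewall monitor show mmsa      # Main Mode SAs: empty means IKE never completed
netsh advfirewall monitor show qmsa      # Quick Mode SAs: the actual protected TCP 1688 flow

# 4. Pull the IPsec audit events. 4650/4651 = Main Mode SA established,
#    4652/4653 = Main Mode failed, 4654 = Quick Mode failed. A 4653 on the
#    Windows 7 host with a Kerberos failure reason points at the computer
#    account lookup rather than at the firewall.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4650, 4651, 4652, 4653, 4654 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Apply the same rule on the KMS hosts and on the clients; because Endpoint 2 lists both KMS hosts, the Windows 7 host's own address must be in that list, which is the point Arthur raises about step 8.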

Hi, have you got it to work?
October 4th, 2010 10:53pm

Hi Arthur, actually no, it is not working yet. I opened a support ticket with Microsoft support to assist me in getting this resolved because I'm at a loss at this point. Thanks for all your help.

Regards, Brian Wiggins
October 5th, 2010 10:19am
