Re: Using IPSec Filter to block Internet Access does not work from GPO (but works fine as part of local security policy)

From: Louise Bowman [MSFT] (lbowman_at_microsoft.com)
Date: 07/03/03
Date: Thu, 3 Jul 2003 08:36:50 -0700

Shant,

The only thing I can think of is that the policies themselves are the problem.
Do the DC's have the same IPSec Policy that you are trying to apply to the
other machines?
If so they may be blocking all traffic from all addresses. If ICMP traffic
between the DC and the other machines is blocked, then the IPSec Policy
won't get applied. There needs to be ICMP traffic to apply GPO delivered
policy.

Louise (MSFT)
IPSec Test Team

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Shant Hotoyan" <shotoyan@scelectric.ca> wrote in message
news:#209CYWQDHA.304@tk2msftngp13.phx.gbl...
> I've already tried that.  I manually synced the domain to make sure all
> DC's had the new GPO, then rebooted the test system.  I then tried stopping and
> restarting the policyagent.  I even left the machine running for half a
> day to see if there would be a difference after the 180 minute refresh.
> Nothing changed.  It receives the policy from the domain, but the contents of the
> policy are not being applied.
>
> "Louise Bowman [MSFT]" <lbowman@microsoft.com> wrote in message
> news:#5VrGiNPDHA.2476@TK2MSFTNGP10.phx.gbl...
> > If the computer is a member of a domain - as it is in your case, policy
> > retrieval happens when the system starts or at the defined IPSec policy
> > polling interval (default 180 minutes) AD Policy.
> > If you manually stop and start Policy Agent - i.e. net stop policyagent
> > and net start policyagent - it should read the policy and apply it
> > immediately.
> >
> > Louise (MSFT)
> > IPSec
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> > "Shant Hotoyan" <shotoyan@scelectric.ca> wrote in message
> > news:OIU5xvMPDHA.1336@TK2MSFTNGP11.phx.gbl...
> > > I'm trying to set up an IPSec Filter policy to block assigned systems
> > > from accessing the Internet.  I've managed to create the filter lists and
> > > policy successfully (created a policy with 2 filters, one blocks all traffic
> > > to/from all addresses, and the other allows all traffic to/from all
> > > addresses in our local subnet).
> > >
> > > If I create the filters and policy locally on a system, everything
> > > works fine and the system cannot access the Internet but can access the
> > > local LAN.
> > > However if I create the exact same filter lists and policy onto the
> > > domain and apply it through group policy, it doesn't work.  GPResult shows
> > > that the policy was applied to the system, and IPSecMon shows that IPSec is
> > > enabled on the system, but the filter lists simply do not work.
> > >
> > > Any ideas?
> > >
> > > Thank you,
> > > Shant Hotoyan, MCSE, CCNP
> > > Network Administrator
> > > S&C Electric Canada Ltd.
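As an added illustration of Louise's point (not code from the thread or from Microsoft): a small Python model of how Shant's two filters resolve against the domain controllers' addresses under the Windows IPSec rule that the most specific matching filter wins, so a policy can be checked for cutting off the DCs that deliver it before it goes into a GPO. The subnet, the DC addresses and the filter representation are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Filter(NamedTuple):
    remote: Optional[ipaddress.IPv4Network]  # None = any remote address
    protocol: Optional[str]                  # None = any protocol
    action: str                              # "permit" or "block"


def specificity(f: Filter) -> tuple:
    # Windows 2000/XP/2003 IPSec applies the most specific matching filter:
    # a narrower remote subnet outranks a wider one, a named protocol outranks "any".
    return (f.remote.prefixlen if f.remote else -1, 1 if f.protocol else 0)


def matches(f: Filter, host: ipaddress.IPv4Address, proto: str) -> bool:
    if f.remote is not None and host not in f.remote:
        return False
    return f.protocol is None or f.protocol == proto


def decide(filters: list, host: ipaddress.IPv4Address, proto: str) -> str:
    hits = [f for f in filters if matches(f, host, proto)]
    if not hits:
        return "permit"  # traffic no filter describes is left alone by IPSec
    return max(hits, key=specificity).action


def blocked_dcs(filters: list, dcs: list) -> list:
    # A GPO-delivered policy cannot be refreshed if the policy itself blocks
    # ICMP between the client and its DCs, so every DC must resolve to "permit".
    return [str(dc) for dc in dcs if decide(filters, dc, "ICMP") == "block"]


# Constructed values: the two filters from Shant's post and an assumed site layout.
LOCAL_SUBNET = ipaddress.ip_network("192.0.2.0/24")
SHANT_POLICY = [
    Filter(None, None, "block"),           # block all traffic to/from any address
    Filter(LOCAL_SUBNET, None, "permit"),  # allow all traffic to/from the local subnet
]
DCS = [ipaddress.ip_address("192.0.2.10"),     # DC on the local subnet: reachable
       ipaddress.ip_address("198.51.100.5")]   # DC in another site: cut off

if __name__ == "__main__":
    for dc in DCS:
        print(dc, "->", decide(SHANT_POLICY, dc, "ICMP"))
    print("DCs the policy would cut off:", blocked_dcs(SHANT_POLICY, DCS))
```

A DC in the "cut off" list is one the client could no longer poll for policy once the filters take effect, which is the failure Louise describes.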
