Re: IPSEC Policy to secure TS

From: David Beder (dbeder@online.microsoft.com)
Date: 02/20/03


From: "David Beder" <dbeder@online.microsoft.com>
Date: Thu, 20 Feb 2003 00:11:57 -0800


If you don't want to read all the stuff about L2TP/IPsec, here are some quick
steps to get you going.
I'll interlace the steps between those that you've already done from
315055.

"How to Create and Enable IPSec Policy to Secure Terminal Services
Communications"
Start the Local Security Settings Microsoft Management Console (MMC),
right-click IP Security Policies in the left pane, and then click Create IP
Security Policy.
After the IP Security Policy Wizard starts, click Next.
On the IP Security Policy Name page, type secure terminal services
connection in the Name box, and then click Next.
Click to clear the Activate the default response rule check box, and then
click Next.
On the Completing the IP Security Policy Wizard page, verify that the Edit
properties check box is selected, and then click Finish.
Click the Rules tab, click to clear the Use Add Wizard check box, and then
click Add.
Click the IP Filter List tab, and then click Terminal Services IP Filter
List.
Click the Filter Action tab, and then click Require Security.
--> Click the Authentication Methods tab, select the default method of
Kerberos and click Edit.
--> Select the Preshared Key option (probably called something else but
you'll figure it out) then type in the shared secret.
Click Apply, and then click OK.
Verify that the Terminal Services Filter List check box is selected, and
then click Close.
Right-click the new policy, and then click Assign.

"How to Ensure That Clients Respond to the Terminal Server's Requests for
Security"
Click Start, point to Programs, point to the Administrative Tools, and then
click Local Security Policy.
Click to expand Security Settings in the left pane, right-click the Client
(respond only) policy, and then click Assign.
-->Double click the policy to bring up its property dialog box for editing.
Select the default response rule and click edit.
-->On the Authentication Methods tab edit the default Kerberos option and
enter the shared secret.

Some important things to consider:
1) the shared key should be rather complicated along the same lines as a
strong user password.
2) the client policy is rather broad and might need narrowing down. It
essentially says that the machine will not request IPSec, but if the other
peer requests it, it will try. However, it really only knows one way of
trying to negotiate mutual authentication which is going to be to use the
preshared key. Any other computer that requests to do IPSec with this
machine (on any protocol/port) must also be able to authenticate using this
identical preshared key, otherwise the peers will be blocked from
communicating.
3) if you decide to not use the default client response policy on the
client, and instead implement a policy based on the instructions given for
the server, you'll want to remember to swap the port settings. The client
sends from random/any port to 3389 while the server responds from 3389 to
the random/any port.
4) if you have a firewall in the picture, you'll want to also open UDP 500
to allow the ipsec negotiation to pass through.
5) the event logs on both machines may contain some useful info to help
debug any problems you may have. Even the lack of any logged info can be
useful.

Good luck, and post any additional problems as they arise and we'll try and give
you a hand.

"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:B5Q4a.164240$2H6.3066@sccrnsc04...
> Hi Chris. Sounds like you would need to use pre shared key in your
> situation if you decide to use it. Ipsec will also require additional
> firewall rules other than 3389 of course. KB24062 gives information about
> setting up a pre-shared key for L2TP/IPSEC. Not all the article pertains to
> your situation, but the part about configuring the shared key does. Good
> luck. -- Steve
>
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
> http://support.microsoft.com/?kbid=240262
>
>
> "Chris" <firenet@optonline.net> wrote in message
> news:04ad01c2d83c$16ab5600$2f01280a@phx.gbl...
> > Thanks for responding!
> >
> > The computers are not in the same network. This is for
> > computers accessing the TS from across the internet.
> >
> > Chris
> >
> > >-----Original Message-----
> > >Oops wrong KB. --- Steve
> > >
> > >http://support.microsoft.com/default.aspx?scid=kb;EN-US;254949
> > >
> > >"Steven L Umbach" <n9rou@attbi.com> wrote in message
> > >news:Y_N4a.165146$iG3.19368@sccrnsc02...
> > >> Hi Chris. Are the computers in the same forest?? If not Kerberos
> > >> authentication will not work. If you are using a secure server required
> > >> policy, try server request policy to see if that will at least work and
> > >> troubleshoot from there using ipsecmon, ping, etc. Try connecting to the
> > >> Terminal Server by tcp/ip address instead of name if you have not tried
> > >> that yet. You may need to add a rule to your policy to exempt ipsec traffic
> > >> to/from a domain controller per KB254728.. --- Steve
> > >>
> > >> http://support.microsoft.com/?kbid=254728
> > >>
> > >> "Chris" <firenet@optonline.net> wrote in message
> > >> news:093d01c2d7cc$2b976ec0$3301280a@phx.gbl...
> > >> > Hello,
> > >> > I created an IPSEC filter list to match Terminal Service
> > >> > packet, created an IPSec Policy to enforce protection and
> > >> > then I enabled the policy. I did all according to the MS
> > >> > article 315055. But, now my Windows XP RDP client can no
> > >> > longer connect to the Terminal Server on Port 3389. Does
> > >> > anyone know what the problem could be? Many Thanks,
> > >> >
> > >> > Chris
> > >>
> > >>
> > >
> > >
>
>
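Added example, not part of the original thread or of KB 315055: the same policy that the
steps above build by hand in the Windows 2000/XP IPsec MMC snap-in (require IPsec for TCP
3389, authenticate peers with a machine pre-shared key), expressed with the Windows
Firewall with Advanced Security cmdlets that replaced that snap-in on Windows 8 / Server
2012 and later. It is a script I wrote for illustration, so the rule names, the `$Role`
parameter and the key value are assumptions, and it goes one step beyond point 4 of the
post: besides IKE on UDP 500 it also opens ESP (IP protocol 50), which carries the
protected RDP traffic, and UDP 4500 for IKE NAT traversal, because a firewall that passes
only UDP 500 lets the negotiation succeed and then drops the data.

```powershell
# Added example (not from the original post or from Microsoft's KB article):
# "require IPsec with a pre-shared key for Terminal Services" using the WFAS cmdlets
# on Windows 8 / Server 2012 or later. Run from an elevated PowerShell.
# Rule names and the key value are placeholders chosen for this example.

param(
    [Parameter(Mandatory)][string]$PreSharedKey,               # long and random; point 1 above
    [ValidateSet('Server', 'Client')][string]$Role = 'Server'  # which end this host is
)

# Phase 1 (main mode) authentication: machine pre-shared key. This is the only
# built-in method that works for peers outside the forest, i.e. across the Internet,
# where Kerberos (the snap-in's default) cannot be used.
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$phase1Auth  = New-NetIPsecPhase1AuthSet -DisplayName 'TS PSK auth' -Proposal $pskProposal

# Point 3 above: from the server's view the filter is any port -> 3389; the client's
# filter is the mirror image. WFAS rules match both directions, so only local/remote swap.
if ($Role -eq 'Server') {
    $localPort  = 3389
    $remotePort = 'Any'
} else {
    $localPort  = 'Any'
    $remotePort = 3389
}

# Point 2 above: scope the rule to TCP 3389 instead of assigning the broad
# "Client (respond only)" policy, which would answer every peer with the same PSK.
New-NetIPsecRule -DisplayName "Secure Terminal Services ($Role)" `
    -Protocol TCP -LocalPort $localPort -RemotePort $remotePort `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1Auth.Name

# Point 4 above, extended: IKE (UDP 500) for the negotiation, ESP (IP protocol 50) for
# the protected packets themselves, and UDP 4500 in case a NAT sits between the peers.
New-NetFirewallRule -DisplayName 'IPsec IKE'   -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
New-NetFirewallRule -DisplayName 'IPsec NAT-T' -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
New-NetFirewallRule -DisplayName 'IPsec ESP'   -Direction Inbound -Protocol 50 -Action Allow

# Point 5 above: after a connection attempt, an empty list here means main mode never
# completed (wrong key, IKE blocked); a populated list means only the data path is at fault.
Get-NetIPsecMainModeSA
```

Run it once on the terminal server with `-Role Server` and once on each client with
`-Role Client`, supplying the identical key; because the rule is limited to TCP 3389 the
clients keep talking to every other host without IPsec, which the snap-in's "Client
(respond only)" policy does not guarantee. Rule names and the key are the only values you
need to change.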
