Re: IPSEC Policy to secure TS
From: Chris (Firenet@optonline.net)
Date: 02/21/03
From: "Chris" <Firenet@optonline.net> Date: Fri, 21 Feb 2003 13:40:59 -0800
Thank you both Steven and David. I will try David's
solution on Monday and let you know how it goes.
Chris
> -----Original Message-----
> If you don't want to read all the stuff about l2tp/ipsec, here's some quick steps to get you going.
> I'll interlace the steps between those that you've already done from 315055.
>
> "How to Create and Enable IPSec Policy to Secure Terminal Services Communications"
> Start the Local Security Settings Microsoft Management Console (MMC), right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
> After the IP Security Policy Wizard starts, click Next.
> On the IP Security Policy Name page, type secure terminal services connection in the Name box, and then click Next.
> Click to clear the Activate the default response rule check box, and then click Next.
> On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish.
> Click the Rules tab, click to clear the Use Add Wizard check box, and then click Add.
> Click the IP Filter List tab, and then click Terminal Services IP Filter List.
> Click the Filter Action tab, and then click Require Security.
> --> Click the Authentication Methods tab, select the default method of Kerberos and click Edit.
> --> Select the Preshared Key option (probably called something else but you'll figure it out) then type in the shared secret.
> Click Apply, and then click OK.
> Verify that the Terminal Services Filter List check box is selected, and then click Close.
> Right-click the new policy, and then click Assign.
>
> "How to Ensure That Clients Respond to the Terminal Server's Requests for Security"
> Click Start, point to Programs, point to the Administrative Tools, and then click Local Security Policy.
> Click to expand Security Settings in the left pane, right-click the Client (respond only) policy, and then click Assign.
> --> Double-click the policy to bring up its property dialog box for editing. Select the default response rule and click Edit.
> --> On the Authentication Methods tab edit the default Kerberos option and enter the shared secret.
>
> Some important things to consider:
> 1) the shared key should be rather complicated along the same lines as a strong user password.
> 2) the client policy is rather broad and might need narrowing down. It essentially says that the machine will not request IPSec, but if the other peer requests it, it will try. However, it really only knows one way of trying to negotiate mutual authentication which is going to be to use the preshared key. Any other computer that requests to do IPSec with this machine (on any protocol/port) must also be able to authenticate using this identical preshared key, otherwise the peers will be blocked from communicating.
> 3) if you decide to not use the default client response policy on the client, and instead implement a policy based on the instructions given for the server, you'll want to remember to swap the port settings. The client sends from random/any port to 3389 while the server responds from 3389 to the random/any port.
> 4) if you have a firewall in the picture, you'll want to also open UDP 500 to allow the ipsec negotiation to pass through.
> 5) the event logs on both machines may contain some useful info to help debug any problems you may have. Even the lack of any logged info can be useful.
>
> Good luck, and post any additional problems as they arise and we'll try and give you a hand.
>
> "Steven L Umbach" <n9rou@attbi.com> wrote in message news:B5Q4a.164240$2H6.3066@sccrnsc04...
>> Hi Chris. Sounds like you would need to use pre shared key in your situation if you decide to use it. Ipsec will also require additional firewall rules other than 3389 of course. KB24062 gives information about setting up a pre-shared key for L2TP/IPSEC. Not all the article pertains to your situation, but the part about configuring the shared key does. Good luck. -- Steve
>>
>> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>> http://support.microsoft.com/?kbid=240262
>>
>> "Chris" <firenet@optonline.net> wrote in message news:04ad01c2d83c$16ab5600$2f01280a@phx.gbl...
>>> Thanks for responding!
>>>
>>> The computers are not in the same network. This is for computers accessing the TS from across the internet.
>>>
>>> Chris
>>>
>>>> -----Original Message-----
>>>> Oops wrong KB. --- Steve
>>>>
>>>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;254949
>>>>
>>>> "Steven L Umbach" <n9rou@attbi.com> wrote in message news:Y_N4a.165146$iG3.19368@sccrnsc02...
>>>>> Hi Chris. Are the computers in the same forest?? If not Kerberos authentication will not work. If you are using a secure server required policy, try server request policy to see if that will at least work and troubleshoot from there using ipsecmon, ping, etc. Try connecting to the Terminal Server by tcp/ip address instead of name if you have not tried that yet. You may need to add a rule to your policy to exempt ipsec traffic to/from a domain controller per KB254728.. --- Steve
>>>>>
>>>>> http://support.microsoft.com/?kbid=254728
>>>>>
>>>>> "Chris" <firenet@optonline.net> wrote in message news:093d01c2d7cc$2b976ec0$3301280a@phx.gbl...
>>>>>> Hello,
>>>>>> I created an IPSEC filter list to match Terminal Service packets, created an IPSec Policy to enforce protection and then I enabled the policy. I did all according to the MS article 315055. But, now my Windows XP RDP client can no longer connect to the Terminal Server on Port 3389. Does anyone know what the problem could be? Many Thanks,
>>>>>>
>>>>>> Chris
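The MMC steps above, and the narrowed client policy from point 3, as a scripted equivalent. This is an added example, not part of the thread; it assumes the `netsh ipsec static` syntax of Windows XP SP2 / Server 2003, and the policy, filter list and rule names, the `PSK` placeholder and the `ts-ipsec.cmd` file name are all constructed here.

```batch
@echo off
rem Constructed example: run "ts-ipsec.cmd server" on the Terminal Server and
rem "ts-ipsec.cmd client <terminal-server-ip>" on the RDP client, as Administrator.
rem Replace the PSK placeholder with a long random secret (point 1) before use.
set PSK=REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY
if /i "%1"=="server" goto server
if /i "%1"=="client" goto client
echo usage: %~nx0 server ^| client ^<terminal-server-ip^>
exit /b 1

:server
rem Filter: any address/port -> me on TCP/3389. mirrored=yes also matches the
rem reply direction (me:3389 -> any), which is what the KB filter list does.
netsh ipsec static add filterlist name="Terminal Services IP Filter List"
netsh ipsec static add filter filterlist="Terminal Services IP Filter List" srcaddr=any srcport=0 dstaddr=me dstport=3389 protocol=TCP mirrored=yes
rem "Require Security": negotiate, never fall back to clear text (soft=no),
rem never accept unsecured inbound packets (inpass=no).
netsh ipsec static add filteraction name="Require Security (TS)" action=negotiate inpass=no soft=no
rem Policy with the default response rule cleared, rule using the preshared key instead of Kerberos.
netsh ipsec static add policy name="secure terminal services connection" activatedefaultrule=no
netsh ipsec static add rule name="TS rule" policy="secure terminal services connection" filterlist="Terminal Services IP Filter List" filteraction="Require Security (TS)" kerberos=no psk="%PSK%"
netsh ipsec static set policy name="secure terminal services connection" assign=y
goto end

:client
if "%2"=="" ( echo client needs the terminal server IP & exit /b 1 )
rem Point 3: same policy shape with the orientation swapped (me:any -> server:3389).
rem Scoping dstaddr to one server avoids the broad "respond only" behaviour from point 2,
rem where every peer that requests IPSec would have to know this same key.
netsh ipsec static add filterlist name="TS client filter list"
netsh ipsec static add filter filterlist="TS client filter list" srcaddr=me srcport=0 dstaddr=%2 dstport=3389 protocol=TCP mirrored=yes
netsh ipsec static add filteraction name="Require Security (TS client)" action=negotiate inpass=no soft=no
netsh ipsec static add policy name="secure TS client" activatedefaultrule=no
netsh ipsec static add rule name="TS client rule" policy="secure TS client" filterlist="TS client filter list" filteraction="Require Security (TS client)" kerberos=no psk="%PSK%"
netsh ipsec static set policy name="secure TS client" assign=y

:end
rem Point 4: UDP 500 (IKE) must pass the firewall in both directions for negotiation.
rem Point 5: check the Security and System event logs on both machines when it fails.
```

Both machines must end up with byte-identical `PSK` values; `netsh ipsec static show policy name="..." level=verbose` displays the assigned policy so the filter orientation can be checked on each side.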