Re: GPO, IPSec and network utilization

From: Seth Hummel [MSFT] (sethh@microsoft.com)
Date: 03/10/03 

From: "Seth Hummel [MSFT]" <sethh@microsoft.com>
Date: Mon, 10 Mar 2003 14:51:37 -0800

If you deploy IPSec, consider using Network cards that support IPSec offload
especially on your high traffic machines like your member servers. This
will keep the CPU utilization down. Both Intel and 3Com make these cards. 

-- 
Seth Hummel [MSFT]
IP Security
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:Ejeaa.4976$6b3.23945@rwcrnsc51.ops.asp.att.net...
>      I have read that it can slow network communications somehwat though
not
> usually drastically.  There can be issues using it on domain controllers.
> Critical traffic such as authentication and Active Directory replication
is
> encrypted already. Ipsec is best for reservered for traffic that you want
to
> be confidential and authenticated. W95/98 and NT4.0 computers are not
ipsec
> capable, so if you have a server with a require policy they will not be
able
> to communicate with it (a request policy would though). But yes in
> situations where you have all W2K/XP workstations that need to access a
> server with sensitive information it would make sense to have a require
> policy on the server and client policy on the workstations.  --- Steve
>
> "Silmar" <silmar@talex.pl> wrote in message
> news:OMkYwkK5CHA.2324@TK2MSFTNGP10.phx.gbl...
> > Hello!
> >
> > How much will increase network utilization after applying IPSec Server
> > Policy on Domain Controlers and member servers and IPSec Client on
> > workstations?
> > BTW is it recomended or it shall not be done?
> >
> > Regards
> > Silmar
> >
> >
>
>

Relevant Pages

  • Re: Securing the communication between all workstations in a domain
    ... I am no expert at Ipsec. ... I would try using the server (request ... security) policy in that OU - the secure policy is rather extreme and can ... exempt the domain controllers from ipsec traffic - a request policy may work ...
    (microsoft.public.win2000.security)
  • Re: Green Admin - Brute Force Attack - Pls Help
    ... Ipsec configuration is very similar [if ... specifics on how to use ipsec "filtering" policy to protect computers. ... is managing a network - particularly one in a hostile environment. ...
    (microsoft.public.security)
  • Re: ACL login security access
    ... users plug laptops into your network. ... Make sure the users understand the policy, sign it, have their own ... Having said that you possibly could use ipsec to protect your servers. ... traffic that involves authentication and Active Directory with domain ...
    (microsoft.public.windows.server.security)
  • Re: IPSec / domain isolation: confusing MS documents
    ... workstation, he is able to attach to server ressources again, but for our ... The user right for access this computer from the network ... will not work for computer accounts unless ipsec is being used. ... securing a domain controller. ...
    (microsoft.public.windows.server.security)
  • Re: Require connecting systems to be a Domain Computers
    ... something in which I include the group Domain Computers. ... >kerberos computer authentication for the ipsec SA then the computer must be ... In such case the server must not be a domain controller, ... >ipsec require policy will need to exempt all domain controllers with a rule ...
    (microsoft.public.security)