Re: ipsec help
From: Steven L Umbach (n9rou_at_attbi.com)
Date: 05/26/03
- Previous message: Yaroslav Bulatov: "Re: Detecting hidden processes?"
- In reply to: Matt: "ipsec help"
- Next in thread: Matt: "Re: ipsec help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 25 May 2003 22:00:41 GMT
My experience is a straight require policy for the whole domain
will not work. The reason is that there are issues with having a domain
controller assigned the require policy due to the nature of the traffic it
handles. I have read that others have claimed to make it work with certain
exemptions to the require rule. Generally it is recommended to have a
require rule on those computers that contain sensitive data and a
client/respond rule on the other W2K domain computers. You would need to put
the require policy computers in a separate OU to assign that policy to them.
Domain controllers already encrypt traffic such as user passwords and Active
Directory replication data. I believe a domain controller will also work
with a request policy - do not remove domain controllers from their default
container. If you try to use a request policy on a domain controller, you may
want to modify the policy by adding rules to exempt DNS traffic to maintain
network responsiveness. By the way, you do not need to use certificates in a
domain for IPsec - Kerberos will work very nicely. Use ipsecmon to view
security associations as policy is applied. Refer to the KB links for helpful
info.

--- Steve
http://support.microsoft.com/?kbid=254949
http://support.microsoft.com/default.aspx?scid=kb;EN-US;257225
"Matt" <evolmatt@hotmail.com> wrote in message
news:OEduJsrIDHA.1392@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I would like to use ipsec in my windows 2000 network, but am not having any
> success. I want to make it so that ipsec is required for communication, by
> assigning the "require security" policy in group policy.
> Setup is 15 win2000pro workstations, 2 win2000server (1 domain controller, 1
> file server), all have and need internet access through a hardware router.
>
> I have installed certificate services on the domain controller, and added
> the ipsec certificate as a "certificate to issue" in certsrv.msc. (not sure
> if I had to do this or not, can someone tell me?)
>
> After I enable the policy to require security, network communication fails.
> I need to find out all the steps I have missed.
>
> Can someone please tell me what else needs to be done, or point me to an
> idiot's guide to ipsec, or any other website that could help me??
>
> thanks
>
>