Re: two CA certificates for IPSec or something...

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/19/05

    Date: Sun, 18 Sep 2005 20:23:33 -0500

    You could put your computers into separate Organizational Units with
    different ipsec policies. For instance you could use an ipsec policy for a
    server that requires ESP and AH and then put the computers into an OU with
    the same ipsec policy [ using ESP and AH] that you want to access the
    server. Then you could have other OUs with ipsec policies that only use ESP
    which would be the default settings. Then computers with an ipsec policy
    that does not use AH could not access a server that requires AH regardless
    of the computer's IP address. --- Steve

    "Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
    news:OhA157CvFHA.4032@TK2MSFTNGP15.phx.gbl...
    >I cannot imagine one. I would like the isolation to occur on another basis
    >than IP, so I think the authentication is the only solution.
    > Installation of a subordinate CA would require strict security on the
    > machine, so we probably will install a standalone subordinate on a separate
    > server that will be used only for this purpose.
    >
    > O.
    >
    >
    > "Brian Komar [MVP]" <bkomar@nospam.identit.ca> wrote in message
    > news:MPG.1d964a45fbd29c0d989698@msnews.microsoft.com...
    >> In article <e5oRO35uFHA.1560@TK2MSFTNGP09.phx.gbl>, "Ondrej Sevecek"
    >> <ondra at my_surname dot com> says...
    >>> > You could use two certificate templates to accomplish this, but if you
    >>> > are applying different IPSec filters, the authentication can only
    >>> > indicate *which* root CA the chain is rooted.
    >>>
    >>> .... and when I would use two templates, how to distinguish them in the
    >>> filter rules?
    >>>
    >>>
    >>> O.
    >>>
    >>>
    >>>
    >>>
    >> This is the issue, the certificate templates would still chain to CAs
    >> that chain to the same root.
    >> Is there any other criteria that you could use, other than the
    >> authentication to isolate?
    >> Brian
    >
    >
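As an added illustration of Steve's OU-based approach (not part of the original thread): the Windows Server 2003 `netsh ipsec static` commands below define one domain policy that offers only AH+ESP and a second that offers only ESP, both authenticated with Kerberos. Policy, filter list and domain names are assumed; each policy would then be assigned through a GPO linked to the matching OU.

```batch
REM Work against the Active Directory IPsec policy store (domain name is assumed)
netsh ipsec static set store location=domain domain=example.local

REM Filter list covering all IP traffic to and from the host (mirrored), shared by both policies
netsh ipsec static add filterlist name="All IP traffic"
netsh ipsec static add filter filterlist="All IP traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

REM Policy 1: for the server OU and for the OU of clients allowed to reach the server.
REM The filter action negotiates security, offers only AH+ESP and never falls back to clear text.
netsh ipsec static add policy name="Require AH and ESP" activatedefaultrule=no
netsh ipsec static add filteraction name="AH plus ESP only" action=negotiate qmsecmethods="AH[SHA1]+ESP[3DES,SHA1]" inpass=no soft=no
netsh ipsec static add rule name="Secure all traffic (AH+ESP)" policy="Require AH and ESP" filterlist="All IP traffic" filteraction="AH plus ESP only" kerberos=yes

REM Policy 2: for the remaining OUs. It offers ESP only, so a host using it shares no
REM quick-mode offer with the AH+ESP server and the negotiation fails regardless of its IP address.
netsh ipsec static add policy name="ESP only" activatedefaultrule=no
netsh ipsec static add filteraction name="ESP only" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
netsh ipsec static add rule name="Secure all traffic (ESP)" policy="ESP only" filterlist="All IP traffic" filteraction="ESP only" kerberos=yes
```

Because the store is the domain store, assignment is done by linking each policy's GPO to its OU rather than with `set policy ... assign=yes`, which applies only to the local store.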

