ip sec in a domain.


admir

Hi all,

I have a win2k SBS server and win2k pro clients. All are running in a
domain. I need to implement IP Sec in the domain.
So what I want is to have all data communication, between all machines in the
domain, go through IP Sec. Client-Client and Client-Server.

How do I do this?

I have made a policy that processes all IP traffic and I created a filter that
would allow HTTP, FTP, SMTP, HTTPS, POP and DNS queries from inside to pass
without being processed by IP Sec.

Now this policy applied fine on domain controllers but it did not apply on
workstations. I checked on a network connection and it didn't show that
there was IP Sec applied. At least I assigned this policy through group policy on
a domain. Is this the right way to do it or do I need to apply this policy
manually on each machine?

Any help would be great and appreciated.

regards,

Admir
 

Steven L Umbach

If all the domain computers and domain controller are configured properly,
especially with regard to DNS, the policy set at the domain level will apply
to all machines in the domain unless there are Organizational Units or
Domain Controller Security Policy with separate settings that would be
applied to computers in those containers. Netdiag /test:ipsec is the best
way to see what policy is actually being applied to a computer. Netdiag
needs to be installed by running setup from the install CD in the
support/tools folder.

You need to be careful with ipsec, as ipsec negotiation is not supported by
MS for traffic between domain controllers and domain members, which need to
have a rule in the policy to exempt them by IP address, otherwise logons may
fail. It makes sense to start with a "request" policy on domain computers
other than domain controllers and see how that works, where you may want to
eventually move to a require policy for non domain controller servers.
Ipsecmon can help determine what is going on with your ipsec policies. See
links below for more info. --- Steve

http://support.microsoft.com/?kbid=254949
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
 
