ipsec filter shooting ads in foot?


frank brown

I created an ipsec policy which blocks all incoming traffic except for http,
https, and rdp (per MS official hands-on lab 2811: applying microsoft
security guidance, appendix a) and applied this policy to a server. Now I
am unable to connect to this server; it appears to be blocking ADS
authentication. If this is the case, when I deassign the blocking ipsec
policy, will it actually be deassigned or will the server block the message
which would deassign it? Has this server gotten into an ipsec black hole?

-Frank Brown
http://www.inwa.net/~frog/
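To see why a web/RDP-only inbound filter cuts a domain member off from Active Directory, here is an added illustration (not from either poster, and not the Windows IPsec driver itself): a simplified most-specific-match model of the filter list described above, checked against the inbound ports a domain member needs for Kerberos, LDAP, SMB, RPC and DNS. The port numbers are the standard assignments; the Kerberos default-exemption switch mirrors the NoDefaultExempt behaviour discussed later in the thread.

```python
"""Model of a Windows IPsec filter list that permits only HTTP, HTTPS and RDP
inbound and blocks everything else, and a check of which AD traffic it drops.
Constructed example: a first-principles model, not the Windows IPsec engine."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: str            # 'tcp', 'udp' or 'any'
    port: Optional[int]   # destination port, None = any port
    action: str           # 'permit' or 'block'

# Constructed policy mirroring the thread: permit 80/443/3389, block the rest.
WEB_RDP_ONLY = [
    Rule("tcp", 80, "permit"),
    Rule("tcp", 443, "permit"),
    Rule("tcp", 3389, "permit"),
    Rule("any", None, "block"),
]

# Inbound traffic a domain member or DC must accept for AD authentication.
AD_TRAFFIC = {
    "Kerberos": ("tcp", 88), "Kerberos/UDP": ("udp", 88),
    "LDAP": ("tcp", 389), "LDAP/UDP": ("udp", 389),
    "SMB": ("tcp", 445), "RPC endpoint mapper": ("tcp", 135),
    "DNS": ("udp", 53), "Kerberos kpasswd": ("tcp", 464),
}

def decide(rules, proto, port, kerberos_exempt=False):
    """Action of the most specific matching filter: Windows IPsec weights
    filters by specificity, so a port-specific permit beats a catch-all block.
    kerberos_exempt models the old NoDefaultExempt=0 behaviour, where
    Kerberos (port 88) bypassed IPsec filtering altogether."""
    if kerberos_exempt and port == 88:
        return "permit"
    best = None
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        score = (r.proto != "any") + (r.port is not None)
        if best is None or score > best[0]:
            best = (score, r.action)
    return best[1] if best else "permit"   # no filter at all = pass through

def blocked_ad_services(rules, kerberos_exempt=False):
    """Sorted names of the AD services whose inbound traffic the policy drops."""
    return sorted(n for n, (p, port) in AD_TRAFFIC.items()
                  if decide(rules, p, port, kerberos_exempt) == "block")

if __name__ == "__main__":
    print("Blocked by web/RDP-only policy:", blocked_ad_services(WEB_RDP_ONLY))
```

With the default exemptions removed, every AD service in the table is dropped, which is consistent with a server that accepts RDP but can no longer authenticate to its domain.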
 
Setting up IPsec policies can take a toll, especially if they are custom
built. I have run into a couple of similar issues where I lost
connectivity, but I did recover from it after a long, painful while.
There are some things to check when you set up IPsec policies:

A: Decide what kind of IPsec topology you are going to use, i.e. AH or
ESP, and how the traffic is going to authenticate between the servers:
permit, request or require.

B: Before setting up IPsec policies and assigning them, you need to set up
the Kerberos realm for the target domain. I.e. if you had domains named DomA
and DomB, and you are setting up IPsec between the DCs of these two domains, you
have to set up the Kerberos realm on both of the DC servers for the opposite
domain. You can use the Ksetup.exe resource kit utility to do this. At the
cmd prompt type the following cmd:
c:\>ksetup /addkdc domainname ipaddress

C: Make sure you know about the IPsec registry setting, i.e. NoDefaultExempt.
You can set this IPsec registry key to up to 4 levels, from 0-4. Each
level defines a certain kind of traffic that IPsec is going to filter out.
The registry key is located at
Hkey_Local_machine - system - CurrentControlSettings - services - ipsec
I would recommend setting it to 2 on both the source and target DC. You can
also read the following MS article:
http://support.microsoft.com/default.aspx?scid=810207

-Jim
 