Create IPsec Rules for an Isolated Domain on Earlier Versions of Windows

  • Article

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

IP Security rules for Windows 2000, Windows XP, and Windows Server 2003 are composed of filter lists, filter actions, and authentication methods. In this section, you combine those elements into complete IPsec rules that can be used by the computers to which the GPO is applied.

You need the same basic set of rules for the main isolated domain, boundary zone, or isolated server zone. Although you can reuse the IPsec filters and filter actions that you created for other GPOs, you must re-create the rules that combine them for each new GPO. The rules you must create include the following:

  • A rule that permits ICMP traffic. This rule combines the All ICMP Traffic filter list with the Permit filter action. This rule must be added to all of the IPsec policies for all of the GPOs for computers that run Windows 2000, Windows XP, or Windows Server 2003.

  • A rule that permits traffic from members of the exemption list. This rule combines the All Exempted Computers filter list with the Permit filter action. This rule must be added to all of the IPsec policies for all of the GPOs for computers that run Windows 2000, Windows XP, or Windows Server 2003.

  • A rule that requests authentication for all other traffic. This rule combines the All IP Traffic filter list with the Request Authentication filter action. This rule is used by the main isolated domain, the boundary zone, and the client computers that must communicate with servers in a standalone isolated server zone when encryption is not required. For the isolated domain and isolated server zones, you will later modify the rule to use the Require Security filter action after you confirm that the rules are working correctly. You do not modify the rule for the boundary zone.

  • A rule that supports authentication for IP traffic to servers in a standalone isolated server zone. This rule combines the IP Traffic to Isolated Servers filter list with the Request Authentication filter action. This rule is used only by client computers that must be able to access servers in an isolated server zone when there is no isolated domain. You later modify this rule to require authentication after you have confirmed that the rules are working correctly.

  • A rule that requires authentication and encryption for all other traffic. This rule combines the All IP Traffic filter list with the Request Authentication filter action. After testing has confirmed that network traffic is properly secured, the rule is modified to use the Require Both Authentication and Encryption filter action. This rule is used by the encryption zone in an isolated domain, and can be used by the servers in an isolated server zone.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To create a rule that permits ICMP network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All ICMP Traffic, and then click Next.

  8. On the Filter Action page, select Permit, and then click Next.

  9. On the Completing the Security Rule Wizard page, click Finish.

  10. Continue adding other required rules, including those shown in the next two procedures. When you have added the rules, make sure that the rules identified in this topic are selected, and that the <Dynamic> Default response rule is not selected, and then click OK to save your rules in the policy.

To create a rule that permits network traffic from members of the exemption list

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All Exempted Computers, and then click Next.

  8. On the Filter Action page, select Permit, and then click Next.

  9. On the Completing the Security Rule Wizard page, click Finish.

  10. Continue adding other required rules, including the one in the next procedure. When you have added the rules, make sure that all of your rules are selected, and that the <Dynamic> Default response rule is not selected, and then click OK to save your rules in the policy.

To create a rule that requests authentication for all other network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All IP Traffic, and then click Next.

  8. On the Filter Action page, select Request Security (Optional), and then click Next.

  9. On the Authentication Method page, select Active Directory default (Kerberos V5 protocol), and then click Next. You can add only one method on this wizard page. If your design requires more than one authentication method, you can another in the next step.

  10. If you only need one authentication method, click Finish, and then skip to step 14. Otherwise, select Edit properties, and then click Finish.

  11. On the New Rule Properties dialog box, select the Authentication Methods tab.

  12. Click Add.

  13. Configure your second authentication method. For example, if you want to add certificate-based authentication for when you need to interoperate with computers running operating systems other than Windows:

    1. Select Use a certificate from this certification authority (CA).

    2. On the Warning dialog box, click Yes.

    3. Select the appropriate certification authority from the list, and then click OK.

Important

You must separately distribute the certificate to all computers that must be able to use this IPsec rule. You can use X.509 version 3 certificates either generated by a certification authority running on a server in your organization or purchased from a commercial certification authority. For more information, see Checklist: Implementing a Certificate-based Isolation Policy Design in this guide.

  1. When you have added authentication methods, click OK to save your rule in the policy.

To create a rule that requests authentication for all network traffic to a standalone isolated server zone

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select IP Traffic to Isolated Servers, and then click Next.

  8. On the Filter Action page, select Request Security (Optional), and then click Next.

  9. On the Authentication Method page, select Active Directory default (Kerberos V5 protocol), and then click Next. You can add only one method on this wizard page. If your design requires more than one authentication method, you can add another in the next step.

  10. If you only need one authentication method, click Finish, and then skip to step 14. Otherwise, select Edit properties, and then click Finish.

  11. On the New Rule Properties dialog box, select the Authentication Methods tab.

  12. Click Add.

  13. Configure your second authentication method. For example, if you want to add certificate-based authentication for when you need to interoperate with computers running operating systems other than Windows:

    1. Select Use a certificate from this certification authority (CA).

    2. On the Warning dialog box, click Yes.

    3. Select the appropriate certification authority from the list, and then click OK.

Important

You must separately distribute the certificate to all computers that must be able to use this IPsec rule. You can use X.509 version 3 certificates either generated by a certification authority running on a server in your organization or purchased from a commercial certification authority. For more information, see Checklist: Implementing a Certificate-based Isolation Policy Design in this guide.

  1. When you have added authentication methods, click OK to save your rule in the policy.

To create a rule that requires both authentication and encryption for all other inbound network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All IP Traffic, and then click Next.

  8. On the Filter Action page, select Require Both Authentication and Encryption, and then click Next.

  9. On the Authentication Method page, select Active Directory default (Kerberos V5 protocol), and then click Next. You can add only one method on this wizard page. If your design requires more than one authentication method, you can add another in the next step.

  10. If you only need the one authentication method, click Finish, and then skip to step 14. Otherwise, check Edit properties, and then click Finish.

  11. On the New Rule Properties dialog box, select the Authentication Methods tab.

  12. Click Add.

  13. Configure your second authentication method. For example, if you want to add certificate-based authentication for when you need to interoperate with computers running operating systems other than Windows:

    1. Select Use a certificate from this certification authority (CA).

    2. On the Warning dialog box, click Yes.

    3. Select the appropriate certification authority from the list, and then click OK.

Important

You must separately distribute the certificate to all computers that must be able to use this IPsec rule. You can use X.509 version 3 certificates either generated by a certification authority running on a server in your organization or purchased from a commercial certification authority. For more information, see Checklist: Implementing a Certificate-based Isolation Policy Design in this guide.

  1. When you have added authentication methods, click OK to save your rule in the policy.

  2. Continue adding any other rules required by your design. When you have added rules, make sure that all of your rules are selected, and that the <Dynamic> Default response rule is not selected, and then click OK to save your rules in the policy.