Testing Your Policies in a Test Lab
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Before you roll out IPSec into your production environment, test your IPSec policies by following these steps:
Configure a lab in a controlled environment separate from your production network. Make the lab simulate your production environment as closely as possible. For example, you might want to include a perimeter network, a data center server, firewalls or filtering routers, clients with various operating systems, application test configurations, multiple domains with various OUs, and a network with varying connection speeds. Also, make sure to activate those Active Directory services that are running in your production environment.
Use the RSoP component of Group Policy to verify that the IPSec policies are being applied the way in which you assigned them, and that the policy you expect takes precedence if multiple policies are applied.
Implement your policies on the server and clients to test communication of all software and services. Use the IP Security Monitor snap-in or the netsh ipsec dynamic show mmfilter and netsh ipsec dynamic show qmfilter commands to verify that specific filters are being applied as expected. In the IP Security Monitor snap-in, the Specific Filters nodes display quick mode and main mode filters configured for persistent, local, or domain-based IPSec policies. However, default exemptions to IPSec filtering are not displayed.
Look for communications that have failed. Check if any network traffic was blocked by any of the IPSec polices that you have implemented.
Simulate a load on the network that is similar to what your network would experience, to test for performance impact.
Complete penetration tests to verify that the filters are configured properly and behave as you expect. Verify that the exemptions to IPSec filtering are appropriate.
Use the IP Security Monitor snap-in to gather information you can use to identify problems and optimize performance where IPSec is deployed. For example, you can view details about IPSec policies and filters, statistics about performance, and SAs.
For more information about the IP Security Monitor snap-in, see "Viewing details about active IPSec policies in IP Security Monitor" in Help and Support Center for Windows Server 2003. For more information about setting up a test environment, see "Designing a Test Environment" in Planning, Testing, and Piloting Deployment Projects of this kit.