Export (0) Print
Expand All
11 out of 13 rated this helpful - Rate this topic

Domain Isolation Planning Guide for IT Managers

Updated: June 8, 2005

Applies To: Windows Server 2003 R2, Windows Server 2003 with SP1

Plan your domain isolation using the step-by-step planning information in this guide. This guide is designed to help you work with your IT staff to gather the necessary information, design your IPsec polices, and to create a deployment plan.

This document is intended for IT professionals who are investigating using IPsec in Microsoft® Windows® to deploy domain isolation in their environments. This guide is designed to help you work with your IT staff to gather the necessary information, design your IPsec polices, and to create a deployment plan.

This guide includes an overview of the deployment process, a step-by-step guide to the planning process, and links to other resources that you can use in the planning and design process. The material in this guide covers the planning of the deployment but not the actual deployment process itself.

This guide provides material relevant only to Windows-based computers and is not intended as a guide for deploying domain isolation on operating systems other than Windows. This guide does not provide background information about IPsec and related technologies.

Terminology Used in This Guide

These terms are defined so that you can more clearly understand how they are used in this guide:

Domain isolation - The use of Internet Protocol security (IPsec) to require authentication, encryption, or both, among members of a Windows domain as well as between members of the domain and unknown or unauthorized computers.

Isolated host - A computer that is a member of an isolated domain.

Non-isolated computer - A computer that is not a member of an isolated domain.

Isolated domain - A domain or network that requires authentication, encryption, or both, by using IPsec before allowing any domain member to communicate with any other computer.

Boundary computer - A computer in the boundary group of an isolated domain that accepts secure communication from members of the isolated domain and unsecured communication from computers that are not members of the isolated domain.

Proxy server - A firewall component that manages Internet traffic to and from a local area network (LAN) and that can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and it can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

IT Roles Used in This Guide

The IT roles used in this guide are generalizations derived from the IT industry and should closely approximate those in your IT structure. Your roles might differ from these, but they are offered to help you assign tasks to your staff members.

 

Role Primary Responsibilities

IT Manager

Coordinates the deployment effort and communicates status to upper management. Manages the IT staff responsible for the infrastructure, desktop and server deployment, and server administration and operations. Evaluates the impact of the technology solution on core business and IT resources. Uses this guide to assign tasks to staff members, collect and collate information, guide the overall process of planning, and make the major decisions.

Systems Architect

Provides information and assists in IPsec policy design. Responsible for designing the overall server infrastructure for all systems. Develops server deployment strategies and policies. Contributes to networking connectivity design. Ensures that deployment policies are followed. Provides overall architectural guidance and assists in designing the isolated domains and policies for establishing these segments.

Security Manager

Provides information, assists in IPsec policy design, and assists IT Manager in planning. Responsible for determining and implementing server security policy. Evaluates new technology and its effects upon security and availability. Responsible for security issues and solutions. Is the primary source of information about what security levels are needed for segments, how segments might be designed around security needs, what current security policies and tools can be made obsolete by domain isolation, and what security concerns might arise in the design and implementation of domain isolation.

Windows Systems Administrator

Provides information and implements polices on Windows-based computers. Responsible for determining and implementing server security policy. Evaluates new technology and its effects upon security and availability. Responsible for security issues and solutions. Is the primary source of information about what security levels are needed for segments, how segments might be designed around security needs, what current security policies and tools can be made obsolete by domain isolation, and what security concerns might arise in the design and implementation of domain isolation.

UNIX Systems Administrator

Provides information and assists Helpdesk and Security Managers in planning. Responsible for configuration and administration of UNIX servers, including upgrades, backups, capacity monitoring, and planning and interoperability issues with Windows systems. Is the primary source of information about IPsec interoperability between UNIX and Windows.

Network Administrator

Provides information and assists in IPsec policy design and implementation. Responsible for overall connectivity for the entire network, including hardware. Manages connectivity between heterogeneous systems (Windows and UNIX). Troubleshoots all performance issues across the network. Provides significant input regarding how the network will influence the design of, or be affected by, IPsec policies.

Database Administrator

Provides information and assists in IPsec policy design. Also assists in the configuration and management of database solutions. Evaluates build images, deploys new databases and changes, and conducts server integration testing. Is the primary source of information about how domain isolation might affect database access and performance.

Desktop Configuration Manager

Provides information and assists in IPsec policy design and implementation. Responsible for provisioning desktop PCs and deploying service packs and updates to these PCs. Involved in setting the strategic direction for the desktop operating system and applications. Is the primary source of information about how IPsec polices might affect desktop configuration.

Helpdesk Manager

Provides information and creates user education and notification materials. Responsible for all Helpdesk operations. Is the primary contact for information about how users might be affected, or respond to, access issues during or after deployment, and how user education can help mitigate any issues that might arise.

Introduction to Deployment Planning Phases

This section provides a brief overview of the different phases involved in the domain isolation planning process. This process is suggested as a way of making domain isolation deployment as effective and efficient as possible and to suggest how you can work with your IT team to gather the needed information, discuss domain isolation issues, create a deployment plan, design IPsec policies, and test/refine these polices to reduce any user and operations issues that might arise from domain isolation.

Collect Information About Your IT Environment

You and your team will gather information about network topology, security policy and implementation, server operating systems and applications, service level agreements (SLAs), user types, any interoperability issues or concerns, and regulations or other external constraints. This information will be used along with other information, such as IT polices and guidelines and any business needs, to determine what domain isolation needs you have and then to design the IPsec policies that will be used to fulfill these domain isolation needs.

Determine Your Domain Isolation Needs

You and your team will use the collected information and determine what kind of isolation needs you have, based upon business needs, regulatory influences, security requirements, Service Level Agreements, the IPsec technology, user needs, and other factors.

Design Your IPsec Policies

This is probably the most crucial phase and requires close attention to the details for designing IPsec filter lists, filter actions, rules, and policies for each segment. Carefully-designed policies will make the deployment process smooth and efficient, the isolation effective, the protection of your assets solid, and it will keep user problems to a minimum while still meeting all SLAs, regulatory requirements, and other criteria.

Deploy the Policies in a Test Environment

Your team can test the domain isolation deployment and discover any refinements that should be made to the IPsec policies and the deployment process before deploying to a large or business-critical segment. The test environment can be designed specifically for deployment testing, or it can be a small, non-business-critical domain environment.

Refine Policies

The test phase might highlight some connectivity, security, or administration issues that can be addressed by refinements to your IPsec policies, by adjustments in operations and administration, or by improvements in user education. This information is important for a smooth and effective deployment.

Create a Deployment Schedule

Once you have completed your plans and IPsec policies, your team can discuss and solidify how, when, and where you will implement domain isolation. This phase is where you can discuss any potential problems with the schedule and agree on the best plan for actual deployment.

Prepare for User and Infrastructure Support

Before deployment you can develop plans, documents, and tools to assist your Helpdesk staff to deal with pre-deployment notification and education, user issues during deployment, and any post-deployment issues that might arise as a result of domain isolation deployment.

Inform Team Members About IPsec

The planning and design of domain isolation will be more efficient and effective if your team has a good understanding of what IPsec is and how it can be used for domain isolation. The following table lists the type of IPsec information that might be useful before you begin the domain isolation planning phases.

 

Action Owner

Review IPsec concepts.

As needed

Review examples of domain isolation deployment.

IT Manager, Systems Architect, Security Manager

Review IPsec limitations.

IT Manager, Systems Architect, Security Manager, others as needed

Review IPsec interoperability information.

IT Manager, Systems Architect, Security Manager, others as needed

Phase 1: Collect Information About Your IT Environment

Collect Computer Information

Because not all computers in your environment will implement IPsec the same way, you must document the operating systems and service pack versions on your computers, both servers and desktop computers.

 

Action Owner

Identify IPsec-compatible Windows-based computers (Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server™ 2003).

Windows Systems Administrator

Identify IPsec-incompatible Windows-based computers (Microsoft Windows 98, Microsoft Windows Millennium Edition, and Microsoft Windows NT® 4.0).

Windows Systems Administrator, Desktop Configuration Manager

Identify IPsec-incompatible computers using operating systems other than Windows (UNIX, BSD UNIX, Macintosh OS X, Linux, IBM OS390, Sun Microsystems Solaris 8, etc.).

UNIX Systems Administrator, Desktop Configuration Manager

Collect Network Device Information

Network devices, such as routers or firewalls, are also involved in the domain isolation, and their IPsec capabilities must be documented to ensure that deployment planning takes them into account.

 

Action Owner

Identify IPsec-compatible network devices (Cisco IOS, Lucent VPN Firewall Bricks, Lucent Access Point IP services routers, 3Com SuperStack 3 Firewall, Nortel VPN Gateways, etc.).

Network Administrator

Identify IPsec-incompatible network devices - these devices cannot allow IPsec-protected packets to traverse the network.

Network Administrator, Systems Architect, UNIX Systems Administrator

Collect Active Directory/Domain Information

Your IPsec policy design will be strongly influenced by your domain structure. Document your domain structure to identify organizational and business units that might require different levels of security and other information.

 

Action Owner

Document your domain structure.

Systems Architect

Document your organizational units (OUs).

Systems Architect, IT Manager

Document your global security groups.

Security Manager

Collect Regulation and Other External Constraint Information

Your organization might be affected by regulations that require enhanced security, access to information, or other actions. By being aware of these impacts during the IPsec policy design, you can ensure compliance or plan for compliance issues.

 

Action Owner

Identify any government regulations that might affect planning and design.

IT Manager, Security Manager

Identify any business partner regulatory requirements that might affect planning and design.

IT Manager

Identify any international regulatory requirements that might affect planning and design.

IT Manager

Identify any company policies that might affect planning and design.

IT Manager

Collect Security Information

Your IPsec policy design will be strongly influenced by your current security policies and practices, such as firewall configurations. IPsec policies will also affect and expand your security policies.

 

Action Owner

Document your firewall configurations.

Security Manager

Document logon scripts or policies that might affect IPsec policies.

Security Manager

Document your software update policies and processes.

Security Manager

Document your application deployment policies.

Security Manager

Document your security response plan.

Security Manager

Collect Service Level Agreement Information

Your domain isolation planning process must be designed and deployed in a way that complies with your SLAs. By being aware of these SLAs during the planning and design process, you can ensure compliance or make plans for mitigating and dealing with any compliance problems.

 

Action Owner

Identify any internal/direct SLA requirements that might affect planning and design.

IT Manager, UNIX Systems Administrator, Database Administrator, Desktop Configuration Manager, Network Administrator

Identify any business partner SLA requirements that might affect planning and design.

IT Manager

Identify any international SLA requirements that might affect planning and design.

IT Manager

Collect User and Partner Connectivity Information

You need to consider how domain isolation will affect user connectivity during and after the deployment. This information can guide you in designing and deploying IPsec policies or in training staff and informing users before and after deployment.

 

Action Owner

Identify IT administrative staff that must have uninterrupted connectivity.

IT Manager

Identify knowledge workers.

Desktop Configuration Manager

Identify Helpdesk staff members that require detailed knowledge of the deployment.

Helpdesk Manager

Identify internal or external partners that require uninterrupted connectivity.

IT Manager

Document any applications that require uninterrupted connectivity.

Desktop Configuration Manager, Windows Systems Administrator, Database Administrator

Identify security personnel that must monitor security during the deployment.

Security Manager

Collect Interoperability Information

Understanding how your IPsec policy design and deployment might affect IPsec-incompatible computers and computers with other implementations of IPsec will help you to plan the security for these computers and to determine how they will connect to IPsec-incompatible computers.

 

Action Owner

Identify any servers that are incompatible with the Microsoft implementation of IPsec but must access resources on Windows servers.

UNIX Systems Administrator, Desktop Configuration Manager

Identify any Windows servers that are incompatible with servers configured for a non-Microsoft implementation of IPsec but must access resources on these servers.

Windows Systems Administrator

Identify any applications that might require IPsec policy exemptions for business reasons.

Desktop Configuration Manager, Windows Systems Administrator

Phase 2: Determine Your Domain Isolation Needs

Business Needs

Your IPsec policies must also take into account your business needs and the financial impact that the deployment might have.

 

Action Owner

Document how knowledge workers, internal customers, and partners will be affected by domain isolation deployment and the business impact of this. Document how these effects will be mitigated.

Helpdesk Manager, Desktop Configuration Manager, Security Manager

Document how the operations infrastructure will be affected by domain isolation deployment and the business impact of this.

Security Manager, Systems Architect, IT Manager

Regulation Needs

Government and international regulations might influence your IPsec policy designs. You should enumerate the regulations and restrictions you must comply with and take these into account during the design phase.

 

Action Owner

Document the regulations you must comply with.

IT Manager, Security Manager

Determine the time-frame you have to comply.

IT Manager

Determine how you can use domain isolation to comply with these regulations.

IT Manager, Security Manager, Systems Architect

Security Management Needs

You might have sensitive data or servers that require additional security in your environment. You should enumerate these and take into account what levels and types of security you want domain isolation to provide.

 

Action Owner

Document any effects of deploying domain isolation upon current security polices.

Security Manager

Identify whether any additional security administration will be required.

Security Manager, Desktop Configuration Manager, IT Manager

Determine whether any of your current security technologies are incompatible with domain isolation.

Security Manager, Network Administrator, Systems Architect

Identify where you will need boundary computers.

Security Manager, Network Administrator, UNIX Systems Administrator

Determine and document what additional security methods will be used to protect boundary hosts.

Security Manager, Network Administrator, Systems Architect

Service Level Agreement Needs

During the planning process, determine whether the deployment will negatively affect your SLAs.

 

Action Owner

Determine how domain isolation will affect deployment and administration of SLAs.

IT Manager

Document how any effects on deployment and administration of SLAs will be measured.

IT Manager

Document how any effects on deployment and administration of SLAs will be mitigated or corrected.

IT Manager, Security Manager

Determine how any effects upon SLAs will be communicated to the appropriate parties.

IT Manager, Helpdesk Manager

IPsec Technology Needs

Some of the policy design decisions are based on the IPsec technology itself and how it secures traffic and data.

 

Action Owner

Document which of the four IPsec-negotiated security modes will be used, where they will be used, and why.

The four modes are:

  • Request Mode. A host responds to both IPsec and unauthenticated (non-IPsec) requests. It initiates communications with IPsec and, if that fails, allows unauthenticated communications.

  • Secure Request Mode. A host responds to requests secured by IPsec and ignores unauthenticated requests. It initiates communications with IPsec and, if that fails, returns to unauthenticated communication.

  • Secure Require Mode. A host requires IPsec-secured communications for both incoming and outgoing requests.

  • Default Response. A host responds to IPsec requests, but never initiates IPsec.

Security Manager

Identify where IPsec tunnel mode will be needed.

Security Manager, Network Administrator

Identify where data integrity using Authenticated Header (AH) will be needed.

Security Manager, Systems Architect

Identify where data integrity and encryption (using ESP) will be needed.

Security Manager, Network Administrator

Document which forms of encryption will be used and where.

Security Manager

Document which forms of authentication will be used and where.

Security Manager

Identify which infrastructure applications or servers, such as DNS and DCHP servers, will need to be added to the default exemptions so that all clients can access them.

Security Manager, Systems Architect

Identify which ports/protocols will need to be opened in firewalls for IPsec.

Security Manager, Network Administrator

Identify where no IPsec protection will be needed.

Security Manager, Network Administrator, UNIX Systems Administrator, Desktop Configuration Manager

User and Partner Needs

Your domain isolation design and deployment plans should also take into account how the process might affect the ability of users and partners to access information stored on your network.

 

Action Owner

Determine how users might be affected by the deployment.

Helpdesk Manager

Determine what user education steps can be taken to prepare users for the deployment and any possible issues resulting from it.

Helpdesk Manager

Determine how partners might be affected by the deployment.

IT Manager

Determine what steps can be taken to prepare partners for the deployment and any possible issues resulting from it.

IT Manager, Helpdesk Manager

Interoperability Needs

If your environment includes computers that either cannot implement IPsec or whose implementation of IPsec is not the same as the Microsoft implementation, then you need to determine how, or even if, you will allow these computers to communicate with IPsec-incompatible computers.

 

Action Owner

Determine how IPsec-incompatible servers and Macintosh clients will communicate.

UNIX Systems Administrator, Security Manager

Determine how IPsec-compatible computers will communicate with IPsec-incompatible Windows clients.

Desktop Configuration Manager, Security Manager

Document how any effects of denied communications will be mitigated or corrected.

UNIX Systems Administrator, Desktop Configuration Manager, Security Manager

Determine which Windows services cannot be used with higher levels of IPsec protection.

Security Manager, Windows Systems Administrator

Determine whether there are any current IPsec policies (local or global) that might conflict with ones being designed.

Security Manager

Phase 3: Design Your IPsec Policies

Review IPsec Policy Design Documentation

 

Action Owner

Designing IPSec Policies

Security Manager, Systems Architect

Understanding Default IPSec Policies

Security Manager, Systems Architect

Determining Your IPSec Needs

Security Manager, Systems Architect

Special IPSec considerations

Security Manager, Systems Architect

Weighing IPSec Tradeoffs

Security Manager, Systems Architect

Establishing an IPSec security plan

Security Manager

Create a Naming Convention

You can create a naming convention for policies, filter lists, and filter actions. A naming convention can make backing up, restoring, and managing changes to policies, much easier.

Policy names should include the isolated domain and the date issued, for example, "Accounting_3.28.2005." Filter list names should describe the type of network traffic they match, for example, "All ICMP Traffic." Filter action names should describe the level of security they provide and the type of negotiation they use, for example, "Request Security."

 

Action Owner

Determine a naming convention for policies.

Security Manager, Systems Architect

Determine a naming convention for filter lists.

Security Manager, Systems Architect

Determine a naming convention for filter actions.

Security Manager, Systems Architect

Create an IPsec Policy Management Process

A policy management process can reduce confusion and make backing up, restoring, and managing changes to policies much easier.

If you plan to create policies for a Windows Server 2003-based computer, you should keep in mind that Windows Server 2003 incorporates some new features that are not available in Windows XP or Windows 2000. For more information, see "IPsec Policy Compatibility Considerations" in Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server.

 

Action Owner

Document how policies will be created.

Systems Architect

Document where policies will be backed up.

Systems Architect

Document how policies will be backed up.

Systems Architect

Document how policies will be changed, adjusted, and deployed.

Systems Architect

Determine how changes and backups will be documented.

Systems Architect

Determine how policies will be secured.

Security Manager

Review Example IPsec Policies

Microsoft provides default IPsec policies with Windows, and also in the Windows Server 2003 Security Guide, that you might be able to use, with modifications, in your environment. These can also be used as examples in your policy design process.

 

Action Owner

Review the default policies.

Security Manager

Determine whether any of these policies can be used with modifications for your environment.

Security Manager

Review the policies provided in the Windows Server 2003 Security Guide.

Security Manager

Determine whether any of these policies can be used with modifications for your environment.

Security Manager

Design IPsec Filter Actions

If the intranet traffic is to be secured, filter actions specify an ordered set of security methods (such as which integrity and encryption methods are used) and other settings. A combination of a filter action and a filter list make up a rule in an IPsec policy.

Try to create the fewest filter actions that meet your needs. For example, Microsoft IT was able to use only three for its environment. Your environment might be more diverse and might require more.

 

Action Owner

Determine where encryption of packet contents is required.

Security Manager

If encryption is used, determine which encryption algorithm is appropriate.

Security Manager

If encryption is not being used, determine whether packet integrity (signing) is necessary or desired.

Security Manager

Determine whether the correct action is to block, permit, or negotiate security.

Security Manager, Systems Architect

Determine whether the negotiation allows unsecured connections with IPsec-incompatible computers or IPsec-compatible computers with which IPsec negotiations fail.

Security Manager, Systems Architect

Design IPsec Filters and Filter Lists

IP filters define matching criteria for a computer or a group of computers by specifying source and destination IP addresses, IP protocols, and source/destination TCP or UDP ports. Filter lists are a collection of one or more IP filters that logically belong together as a unit and that should have only one filter action associated with them. A rule combines a filter list with a filter action.

As a best practice use the Any IP address setting rather than the My IP address setting to mitigate problems with DHCP changing IP addresses. Additional best practices are provided in Improving Security with Domain Isolation.

 

Action Owner

Determine which IP addresses or subnets should be included in the filter lists.

Systems Architect, Security Manager

Determine which protocol/port combinations belong in the filter lists.

Systems Architect, Security Manager

Determine where the filters within the filter lists should and should not be mirrored.

Systems Architect, Security Manager

Design IPsec Policy Rules

An IPsec policy rule combines a filter list with a filter action. If the filter action requires security, then the rule also specifies authentication methods, tunnel mode settings, and the types of interfaces to which this rule applies.

 

Action Owner

Pair the filter lists with the appropriate filter actions to define the set of rules for the IPsec policy.

Systems Architect, Security Manager

Determine whether the default response rule needs to be enabled or disabled.

Systems Architect, Security Manager

For rules requiring security, determine which authentication methods the rule uses to establish trust.

Systems Architect, Security Manager

Design IPsec Policies

IPsec policies are a collection of one or more rules. Policies should group together all the rules that are appropriate for distribution to an organizational unit (OU), domain, or security group of the Active Directory® directory service.

Each segment will typically have an associated IPsec policy. The same policy might apply to many segments. Each computer can have only one policy assigned (active) at a time.

 

Action Owner

Determine where the policy will be deployed.

Security Manager, Systems Architect

Determine which rules need to added to the policy.

Security Manager, Systems Architect

Determine which computers or subnets will need to be added to an exemption list.

Security Manager, Systems Architect

Phase 4: Deploy the Policies in a Test Environment

Determine the Appropriate Test Environment

The test environment will help you find and resolve any issues that could arise from your domain isolation deployment. The more closely the test environment represents your actual IT environment, the more effective this testing will be.

 

Action Owner

Determine whether the current test environment is appropriate for testing domain isolation.

Security Manager, Systems Architect, Network Administrator

If the test environment is not appropriate, determine what changes need to be made to the test environment to properly test policy design and deployment.

Security Manager, Systems Architect, Network Administrator

Determine the cost/benefit of making changes to the test environment.

IT Manager, Security Manager, Systems Architect, Network Administrator

Determine whether testing can be accomplished in a smaller, non-critical domain or subdomain.

IT Manager, Security Manager, Systems Architect, Network Administrator

Deploy the Policies to the Test Environment

You should deploy the policies using the plan you have created. If you are also deploying non-Microsoft IPsec solutions, such as those for UNIX or Apple Macintosh computers, you should deploy the one with the largest operating base first and refine and stabilize it before deploying the other solutions. If you are using these solutions, be sure to test them all together before deploying to your IT environment.

 

Action Owner

Deploy the least restrictive policy.

Security Manager

Monitor the communications in this segment for failures, etc.

Network Administrator

Correct any policy design issues (see "Refine Policies" below).

Security Manager, Systems Architect, Network Administrator

Continue to deploy, monitor, and correct until the deployment is successful.

Security Manager, Systems Architect, Network Administrator

Deploy other policies in order of increasing restriction.

Security Manager, Systems Architect, Network Administrator

Phase 5: Refine Policies

During your test deployment, you might have issues that require a change to existing policies or the addition of new policies. The testing and refining process might require more than one cycle to find all the issues and redesign your policies to fit your environment.

For more information about troubleshooting IPsec issues, see "Testing and Monitoring Successful IPsec Operation" in Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server.

 

Action Owner

Determine whether any computers that should be able to connect are blocked.

Network Administrator, Windows Systems Administrator, Desktop Configuration Manager

Determine whether any computers that should be blocked can connect.

Network Administrator, Security Manager

Determine whether any computer's performance is significantly affected by the policies.

Network Administrator, Database Administrator, Windows Systems Administrator

Determine whether any computers already have a conflicting IPsec policy implemented.

Network Administrator, Security Manager, Windows Systems Administrator, Desktop Configuration Manager

Determine whether any computers need to be updated so they can implement IPsec properly (for example, computers running Windows 2000, Windows XP with no service packs installed, and Windows XP with SP1 need to be updated for IPsec NAT-T support).

Network Administrator, Security Manager, Windows Systems Administrator, Desktop Configuration Manager

Determine whether any computers or network devices that were thought to be IPsec-compatible are not.

Network Administrator, Security Manager

Determine whether any computers that can use IPsec must have policies changed to work correctly (for example, any VPN servers that are not domain members, and therefore cannot use Kerberos v5 authentication, must use a certificate or preshared key).

Network Administrator, Security Manager

Determine where VPN or other remote connections do not work with IPsec.

Network Administrator, Security Manager

Determine whether there are any features or configurations that will not work with IPsec.

Network Administrator, Security Manager

Phase 6: Create a Deployment Schedule

The policy testing and refinement processes will provide you with valuable information about how the deployment is best implemented for a given segment. You can also use the answers to the planning questions earlier to help you determine the best sequence of, and time frame for, IPsec deployment to your environment. Information based on the actions listed below might help you determine your deployment schedule.

As a best practice, Microsoft IT found that it worked for them to deploy to smaller, non-critical domains first, then to larger domains, and finally to mission-critical domains. They also deployed "Request Mode" first and then "Secure Mode." Additional best practices are provided in Improving Security with Domain Isolation.

 

Action Owner

Document the order in which the segments will be deployed.

IT Manager, Systems Architect, Security Manager

Document the best date and time for the deployment.

IT Manager, Systems Architect

Document how you will monitor the segment to make sure it is working properly.

Systems Architect, Security Manager

Document a contingency plan if connectivity is blocked.

Systems Architect, Security Manager

Document how you will back-out a change if something goes wrong.

Systems Architect, Security Manager

Determine when all parties should be informed of a pending change.

Helpdesk Manager

Determine how you will know that the deployment is sound enough to be implemented on the next segment.

Systems Architect, Security Manager, Helpdesk Manager

Determine how you will know that the entire deployment is sound and the goals have been achieved.

IT Manager, Systems Architect, Security Manager, Helpdesk Manager

Phase 7: Prepare for User and Infrastructure Support

After you have finalized your deployment schedule, you can finalize when and how you will inform the operations staff, department heads, server owners, application owners, users, and partners of the pending changes. The availability of information about the process is important to a smooth deployment and the information should be available online (and in written form) well ahead of the actual deployment. The actions listed below might help you determine your Helpdesk needs.

 

Action Owner

Inform the Helpdesk staff of the changes, what they need to do to prepare for them, what they can expect to experience, and who to contact in case of problems.

Helpdesk Manager

Train Helpdesk staff using simulation drills with problems that are likely to arise.

Helpdesk Manager

Inform the Helpdesk staff about IPsec and the deployment process, possible problems that might arise, resources for helping users with these problems, and escalation of problems.

Helpdesk Manager

Inform the following groups of the changes, what they need to do to prepare for them, what they can expect to experience, and who to contact in case of problems:

  • Department heads

  • IT Operations staff

  • IT Security staff

  • Server owners

  • Application owners

  • Users

  • Partners

Helpdesk Manager, Windows Systems Administrator

Document confirmation of compliance from all parties, signifying that they understand and have made all changes necessary for compliance.

Helpdesk Manager, IT Manager

Other Resources

IPsec concepts and overview
Examples of IPsec deployments
IPsec interoperability
IPsec limitations
Designing IPsec policies
IPsec implementation details
IPsec testing
IPsec troubleshooting
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.