Export (0) Print
Expand All

Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone

Updated: January 27, 2010

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client computers that must connect to servers in an isolated server zone. The way in which these rules and settings are configured depends on whether the computers to which the GPO applies are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 or an earlier version of the Windows operating system.

In this topic:

Checklist Checklist: Configuring isolated server zone client rules for computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

noteNote
The GPOs for computers running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO. For example, create and configure the GPO for Windows 7, create a copy of it for Windows Server 2008 R2, and then follow the steps in this checklist to make the required changes (if any) to the copy.

 

  Task Reference

Checkbox

Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.

Checklist topic Checklist: Creating Group Policy Objects

Checklist topic Copy a GPO to Create a New GPO

Checkbox

To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.

Checklist topic Modify GPO Filters to Apply to a Different Zone or Version of Windows

Checkbox

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic Exempt ICMP from Authentication on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic Create an Authentication Exemption List Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic Configure Key Exchange (Main Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic Configure Data Protection (Quick Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Configure the authentication methods to be used.

Procedure topic Configure Authentication Methods on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.

Procedure topic Create an Authentication Request Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic Link the GPO to the Domain

Checkbox

Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic Add Test Computers to the Membership Group for a Zone

Checklist Checklist: Configuring isolated server zone client rules for computers running Windows XP, Windows Server 2003, or Windows 2000

noteNote
The GPOs for computers that run Windows Server 2003, Windows XP, and Windows 2000 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO to capture all of the settings. For example, create and configure the GPO for Windows XP, create a copy of it for Windows Server 2003, and then follow the steps in this checklist to make the few required changes to the copy.

 

  Task Reference

Checkbox

Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist and configured the GPO for one version of Windows, you can create a copy of it. To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO.

Checklist topic Create a Group Policy Object

Checklist topic Copy a GPO to Create a New GPO

Checkbox

To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.

Checklist topic Modify GPO Filters to Apply to a Different Zone or Version of Windows

Checkbox

Add registry settings that optimize IPsec behavior to the GPO.

Procedure topic Configure Settings to Optimize IPsec Behavior on Earlier Versions of Windows

Checkbox

Create a new IP Security policy in the GPO.

Procedure topic Create a New IP Security Policy in a GPO for Earlier Versions of Windows

Checkbox

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic Configure Key Exchange (Main Mode) Settings on Earlier Versions of Windows

Checkbox

Create IP filter lists for ICMP traffic, the exemption list, and all other IP traffic. This filter list is potentially different from the filter list for an isolated domain.

Procedure topic Create Filter Lists for Clients of Isolated Server Running Earlier Versions of Windows

Checkbox

Create filter actions to allow traffic and request authentication. If the isolated servers require encryption, make sure that you include the appropriate encryption algorithms in the data protection (quick mode) settings of the request filter action.

Procedure topic Create Filter Actions on Earlier Versions of Windows

Checkbox

Combine the filter lists and filter actions into the required IPsec rules.

Procedure topic Create IPsec Rules for an Isolated Domain on Earlier Versions of Windows

Checkbox

Assign the IPsec policy for the isolated domain to your GPO.

Procedure topic Assign an IPsec Policy to a GPO for Earlier Versions of Windows

Checkbox

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic Link the GPO to the Domain

Checkbox

Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic Add Test Computers to the Membership Group for a Zone

Checkbox

Verify that the connection security rules are protecting your network traffic.

Procedure topic Verify That Network Traffic Is Authenticated

Do not change the rules for any of your zones to require authentication until all of the zones have been set up and thoroughly tested.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft