Create IPsec Rules for an Isolated Server Zone on Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

IP Security rules for Windows 2000, Windows XP, and Windows Server 2003 are composed of filter lists, filter actions, and authentication methods. In this section, you combine those elements into complete IPsec rules that can be used by the computers to which the GPO is applied.

In these procedures, you create the rules required for a server isolation zone that is part of an isolated domain by combining IPsec filters and filter actions. The rules you create include the following:

  • A rule that permits ICMP traffic. This rule combines the All ICMP Traffic filter list with the Permit filter action. This rule is added to all of the IPsec policies for all of the GPOs for computers running Windows 2000, Windows XP, or Windows Server 2003.

  • A rule that permits traffic from members of the exemption list. This rule combines the All Exempted Computers filter list with the Permit filter action. This rule is added to all IPsec policies for all of the GPOs for computers running Windows 2000, Windows XP, or Windows Server 2003.

  • A rule that requires authentication for all other traffic. This rule initially combines the All IP Traffic filter list with the Request Authentication filter action. After testing has confirmed that the rules are working correctly, you will modify the rule to use the Require Security filter action. This rule is used by the servers in the isolated server zone when encryption is not required.

  • A rule that requires authentication and encryption for all other traffic. This rule initially combines the All IP Traffic filter list with the Request Authentication and Encryption filter action. After testing has confirmed that the rules are working correctly, the rule is modified to use the Require Authentication and Encryption filter action. This rule is used by the servers in the isolated server zone when encryption, in addition to authentication, is required.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To create a rule that permits ICMP network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All ICMP Traffic, and then click Next.

  8. On the Filter Action page, select Permit, and then click Next.

  9. On the Completing the Security Rule Wizard page, click Finish.

To create a rule that permits network traffic from members of the exemption list

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All Exempted Computers, and then click Next.

  8. On the Filter Action page, select Permit, and then click Next.

  9. On the Completing the Security Rule Wizard page, click Finish.

To create a rule that requires authentication for all other network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All IP Traffic, and then click Next.

  8. On the Filter Action page, select Request Authentication, and then click Next.

Note

Later, after testing has confirmed that authentication is working correctly, you change the filter action by selecting Require Authentication.

  9. On the Authentication Method page, select Active Directory default (Kerberos V5 protocol), and then click Next. You can add only one method on this wizard page. If your design requires more than one authentication method, see Add Authentication Methods to an IPsec Rule on Earlier Versions of Windows.

  10. On the Completing the Security Rule Wizard page, click Finish to save your rule in the policy.

To create a rule that requires both authentication and encryption for all other inbound network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All IP Traffic, and then click Next.

  8. On the Filter Action page, select Require Both Authentication and Encryption, and then click Next.

Note

Later, after testing has confirmed that authentication is working correctly, you change the filter action by selecting Require Authentication.

  9. On the Authentication Method page, select Active Directory default (Kerberos V5 protocol), and then click Next. You can add only one method on this wizard page. If your design requires more than one authentication method, see Add Authentication Methods to an IPsec Rule on Earlier Versions of Windows.

  10. On the Completing the Security Rule Wizard page, click Finish to save your rule in the policy.

  11. After you have added rules, make sure that all of your rules are selected, and that the <Dynamic> Default response rule is not selected, and then click OK to save your rules in the policy.
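The four procedures above can also be scripted. The following is an added example, not code from the original page or from Microsoft: it builds the same rules with netsh ipsec static, the command-line front end to the IP Security Policies store on Windows XP and Windows Server 2003, instead of the Security Rule Wizard. The policy and rule names, the two sample exemption addresses (TEST-NET-1 documentation addresses) and the choice of ESP with SHA1 (and 3DES for the encryption zone) are assumptions of this example. The page assumes the filter lists and filter actions already exist in the store; the script creates them first so that it runs stand-alone on a lab server. It targets the local store; to populate the domain store for a GPO, run netsh ipsec static set store location=domain domain=<your domain> first and assign the policy in the GPO as the page describes. As the introduction states, the catch-all rule starts with the Request action and is switched to the Require action only after testing.

```powershell
# Added example (not from the original page): scripted equivalent of the four wizard procedures.
# Names, sample addresses and algorithm choices below are assumptions of this example.
$ErrorActionPreference = 'Stop'

function New-IsolationFilterLists {
    # All ICMP Traffic: this computer <-> any address, ICMP only, mirrored (both directions)
    netsh ipsec static add filterlist name="All ICMP Traffic"
    netsh ipsec static add filter filterlist="All ICMP Traffic" srcaddr=me dstaddr=any protocol=ICMP mirrored=yes

    # All Exempted Computers: constructed sample addresses; replace with your exemption list
    netsh ipsec static add filterlist name="All Exempted Computers"
    foreach ($exempt in @('192.0.2.10', '192.0.2.11')) {
        netsh ipsec static add filter filterlist="All Exempted Computers" srcaddr=me "dstaddr=$exempt" dstmask=255.255.255.255 protocol=ANY mirrored=yes
    }

    # All IP Traffic: the catch-all; the more specific ICMP and exemption filters win over it
    netsh ipsec static add filterlist name="All IP Traffic"
    netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
}

function New-IsolationFilterActions {
    netsh ipsec static add filteraction name="Permit" action=permit
    # "Request": negotiate, accept unsecured inbound (inpass=yes) and fall back to clear text with
    # peers that cannot do IPsec (soft=yes). "Require": same negotiation, no clear-text fallback.
    # ESP[None,SHA1] gives integrity only; ESP[3DES,SHA1] adds encryption (assumed algorithms).
    netsh ipsec static add filteraction name="Request Authentication" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]"
    netsh ipsec static add filteraction name="Require Authentication" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"
    netsh ipsec static add filteraction name="Request Authentication and Encryption" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]"
    netsh ipsec static add filteraction name="Require Authentication and Encryption" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
}

function New-IsolationPolicy {
    param(
        [string]$PolicyName,
        [string]$CatchAllAction   # "Request Authentication" or "Request Authentication and Encryption"
    )
    # activatedefaultrule=no leaves the <Dynamic> Default Response rule unselected (step 11 above)
    netsh ipsec static add policy name="$PolicyName" activatedefaultrule=no
    # No tunnel= parameter means "This rule does not specify a tunnel"; conntype=all = all network connections
    netsh ipsec static add rule name="Permit ICMP" policy="$PolicyName" filterlist="All ICMP Traffic" filteraction="Permit" conntype=all
    netsh ipsec static add rule name="Permit exempted computers" policy="$PolicyName" filterlist="All Exempted Computers" filteraction="Permit" conntype=all
    # kerberos=yes = Active Directory default (Kerberos V5 protocol) as the single authentication method
    netsh ipsec static add rule name="Secure all other traffic" policy="$PolicyName" filterlist="All IP Traffic" filteraction="$CatchAllAction" conntype=all kerberos=yes
}

function Set-IsolationRequireMode {
    # Run only after testing: swap the catch-all rule's action from Request to Require
    param([string]$PolicyName, [string]$RequireAction)
    netsh ipsec static set rule name="Secure all other traffic" policy="$PolicyName" filteraction="$RequireAction"
}

New-IsolationFilterLists
New-IsolationFilterActions
# One policy per zone: servers that need authentication only, and servers that also need encryption
New-IsolationPolicy -PolicyName 'Isolated Servers - Authentication' -CatchAllAction 'Request Authentication'
New-IsolationPolicy -PolicyName 'Isolated Servers - Encryption'     -CatchAllAction 'Request Authentication and Encryption'

# Assign the policy this server belongs to (the local store holds one assigned policy), then review it
netsh ipsec static set policy name="Isolated Servers - Authentication" assign=yes
netsh ipsec static show policy name="Isolated Servers - Authentication" level=verbose

# After ping and exempted-host tests pass and IP Security Monitor shows negotiated SAs with domain members:
# Set-IsolationRequireMode -PolicyName 'Isolated Servers - Authentication' -RequireAction 'Require Authentication'
# Set-IsolationRequireMode -PolicyName 'Isolated Servers - Encryption' -RequireAction 'Require Authentication and Encryption'
```

Keeping the Request and Require filter actions as separate named objects, rather than editing one action in place, mirrors the page's two-phase rollout: the rule is re-pointed at the Require action with a single set rule command, and the Request action remains available if a server has to be dropped back into test mode.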