Configure IPsec GPOs

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Three Group Policy objects (GPOs) are used to apply IPsec policies. An IPsec boundary GPO is applied to computers that hold NAP exemption certificates; its rule requests, but does not require, that incoming communications are authenticated with a health certificate, so boundary computers (such as HRA and remediation servers) can still be reached by noncompliant or non-NAP-capable computers. A Vista IPsec secure GPO is applied to computers running the Windows Vista® or Windows Server® 2008 operating system (and later versions that use Windows Firewall with Advanced Security), and an XP IPsec secure GPO is applied to computers running Windows XP with Service Pack 3, which use the legacy IP Security Policy store. The secure GPOs require that incoming communications are authenticated with a health certificate.

Note

To complete these procedures, you must have already created organizational units (OUs) for IPsec. For more information, see Configure IPsec OUs. You can also deploy IPsec policies using security groups with security filtering in Group Policy. For more information, see Configure NAP Enforcement Clients in Group Policy.

Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configure the IPsec boundary GPO

Use the following procedure to create a GPO to enforce IPsec policies on boundary computers.

To configure the IPsec boundary GPO

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, double-click the IPsec Boundary OU (for example, IPsec Boundary.woodgrovebank.local).

  3. Click the Create New Group Policy Object icon to the right of IPsec Boundary.woodgrovebank.local, type Boundary Policy, and then click OK.

  4. The Group Policy Management Editor window will open. In the console tree, open Boundary Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

  5. Right-click Windows Firewall with Advanced Security - LDAP, and then click Properties.

  6. On the Domain Profile tab, next to Firewall state, choose On (recommended). Next to Inbound connections, choose Block (default). Next to Outbound connections, choose Allow (default). The same settings will be used for the private and public profiles.

  7. Click the Private Profile tab. Next to Firewall state, choose On (recommended). Next to Inbound connections, choose Block (default). Next to Outbound connections, choose Allow (default).

  8. Click the Public Profile tab. Next to Firewall state, choose On (recommended). Next to Inbound connections, choose Block (default). Next to Outbound connections, choose Allow (default), and then click OK.

  9. In the Group Policy Management Editor window, under Windows Firewall with Advanced Security - LDAP, right-click Connection Security Rules, and then click New Rule.

  10. In the New Connection Security Rule Wizard, on the Rule Type page, verify that Isolation is selected, and then click Next.

  11. On the Requirements page, select Request authentication for inbound and outbound connections, and then click Next.

  12. On the Authentication Method page, select Computer certificate, select the Only accept health certificates check box, and then click Browse.

  13. Click the name of the root CA in your NAP certification authority (CA) hierarchy, click OK, and then click Next.

  14. On the Profile page, verify that the Private, Public, and Domain check boxes are selected, and then click Next.

  15. On the Name page, under Name, type Boundary Rule, and then click Finish.

  16. Close the Group Policy Management Editor window.

Configure the Vista IPsec secure GPO

Use the following procedure to create a GPO to enforce IPsec policies on NAP client computers running Windows Vista.

To configure the Vista IPsec secure GPO

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, double-click the Vista IPsec Secure OU (for example, Vista IPsec Secure.woodgrovebank.local).

  3. Click the Create New Group Policy Object icon to the right of Vista IPsec Secure.woodgrovebank.local, type Vista Secure Policy, and then click OK.

  4. The Group Policy Management Editor window will open. Open Vista Secure Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

  5. Right-click Windows Firewall with Advanced Security - LDAP, and then click Properties.

  6. On the Domain Profile tab, next to Firewall state, choose On (recommended). Next to Inbound connections, choose Block (default). Next to Outbound connections, choose Allow (default). The same settings will be used for the private and public profiles.

  7. Click the Private Profile tab. Next to Firewall state, choose On (recommended). Next to Inbound connections, choose Block (default). Next to Outbound connections, choose Allow (default).

  8. Click the Public Profile tab. Next to Firewall state, choose On (recommended). Next to Inbound connections, choose Block (default). Next to Outbound connections, choose Allow (default), and then click OK.

  9. In the Group Policy Management Editor window, under Windows Firewall with Advanced Security - LDAP, right-click Connection Security Rules, and then click New Rule.

  10. In the New Connection Security Rule Wizard, on the Rule Type page, verify that Isolation is selected, and then click Next.

  11. On the Requirements page, select Require authentication for inbound connections and request authentication for outbound connections, and then click Next.

  12. On the Authentication Method page, select Computer certificate, select the Only accept health certificates check box, and then click Browse.

  13. Click the name of the root CA in your NAP CA hierarchy, click OK, and then click Next.

  14. On the Profile page, verify that the Private, Public, and Domain check boxes are selected, and then click Next.

  15. On the Name page, under Name, type Vista Secure Rule, and then click Finish.

  16. Close the Group Policy Management Editor window.
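The boundary procedure and the Vista secure procedure above differ only in the inbound requirement (Request versus Require) and in the names used. The following PowerShell script is an added example, not part of the original article, that produces the same two GPOs with the GroupPolicy and NetSecurity modules on a Windows Server 2012 or Windows Server 2012 R2 management host. The domain name woodgrovebank.local, the OU distinguished names, and the root CA subject CN=WoodgroveBank-Root-CA are assumed placeholders; replace them with your own values. The XP secure GPO is not covered here because the legacy IP Security Policy store has no NetSecurity cmdlet equivalent.

```powershell
#Requires -Modules GroupPolicy, NetSecurity
# Added example: build the boundary and Vista secure GPOs without the wizard.
# Assumed values (replace with your own): domain, OU DNs, and NAP root CA subject.
$Domain   = 'woodgrovebank.local'
$RootCaDn = 'CN=WoodgroveBank-Root-CA'   # subject of the root CA in the NAP CA hierarchy (assumed)

function New-NapIPsecGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,          # e.g. 'Boundary Policy'
        [Parameter(Mandatory)] [string] $OuDn,             # e.g. 'OU=IPsec Boundary,DC=woodgrovebank,DC=local'
        [Parameter(Mandatory)] [string] $RuleName,         # e.g. 'Boundary Rule'
        [Parameter(Mandatory)] [ValidateSet('Request', 'Require')]
        [string] $InboundSecurity                          # Request = boundary, Require = secure
    )

    # Steps 2-3: create the GPO and link it to the OU.
    $gpo = New-GPO -Name $GpoName -Domain $Domain
    New-GPLink -Guid $gpo.Id -Target $OuDn -Domain $Domain -LinkEnabled Yes | Out-Null

    # Open a GPO session so all Windows Firewall with Advanced Security settings
    # are written back to the GPO in a single commit (Save-NetGPO below).
    $session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

    # Steps 6-8: firewall on, inbound Block, outbound Allow, for all three profiles.
    Set-NetFirewallProfile -GPOSession $session -Name Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Steps 12-13: phase 1 authentication with a computer certificate issued under the
    # NAP root CA, health certificates only. No Kerberos or NTLM proposal is added,
    # so a peer without a health certificate cannot authenticate at all.
    $proposal = New-NetIPsecAuthProposal -Machine -Cert `
        -Authority $RootCaDn -AuthorityType Root -Health
    $authSet = New-NetIPsecPhase1AuthSet -GPOSession $session `
        -DisplayName "$RuleName Auth" -Proposal $proposal

    # Steps 10-15: isolation (transport mode) rule for all profiles.
    # Boundary: Request in / Request out. Secure: Require in / Request out.
    New-NetIPsecRule -GPOSession $session -DisplayName $RuleName `
        -Mode Transport -Profile Any `
        -InboundSecurity $InboundSecurity -OutboundSecurity Request `
        -Phase1AuthSet $authSet.Name -Enabled True | Out-Null

    Save-NetGPO -GPOSession $session
    return $gpo
}

New-NapIPsecGpo -GpoName 'Boundary Policy' `
    -OuDn 'OU=IPsec Boundary,DC=woodgrovebank,DC=local' `
    -RuleName 'Boundary Rule' -InboundSecurity Request

New-NapIPsecGpo -GpoName 'Vista Secure Policy' `
    -OuDn 'OU=Vista IPsec Secure,DC=woodgrovebank,DC=local' `
    -RuleName 'Vista Secure Rule' -InboundSecurity Require

# Check what was written: the secure rule must show InboundSecurity = Require.
foreach ($name in 'Boundary Policy', 'Vista Secure Policy') {
    Get-NetIPsecRule -PolicyStore "$Domain\$name" |
        Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Profile
}
```

The phase 1 authentication set is the security-relevant part: it names one root CA and sets the health-certificate flag, so a computer certificate issued by any other CA, or a non-health certificate from the NAP CA, is rejected during main mode negotiation. On a client that has applied the GPO, Get-NetIPsecMainModeSA shows which peers actually negotiated a security association, which is the quickest way to confirm that the Require setting is being enforced rather than silently falling back.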

Note

You can use this GPO to configure additional NAP client settings for the IPsec enforcement method, or you can use a different GPO for these settings. For more information, see Deploying NAP Client Settings.

Configure the XP IPsec secure GPO

Use the following procedure to create a GPO to enforce IPsec policies on NAP client computers running Windows XP with SP3.

To configure the XP IPsec secure GPO

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, double-click the XP IPsec Secure OU (for example, XP IPsec Secure.woodgrovebank.local).

  3. Click the Create New Group Policy Object icon to the right of XP IPsec Secure.woodgrovebank.local, type XP Secure Policy, and then click OK.

  4. The Group Policy Management Editor window will open. Open XP Secure Policy\Computer Configuration\Policies\Windows Settings\Security Settings\IP Security Policy on Active Directory.

  5. Right-click IP Security Policy on Active Directory, and then click Create IP Security Policy. The IP Security Policy Wizard will open.

  6. On the Welcome to the IP Security Policy Wizard page, click Next.

  7. On the IP Security Policy Name page, type XP Secure Rule, click Next twice, and then click Finish. The XP Secure Rule Properties dialog box opens.

  8. Click Add. The Security Rule Wizard opens. Click Next.

  9. On the Tunnel Endpoint page, choose This rule does not specify a tunnel, and then click Next.

  10. On the Network Type page, choose All network connections, and then click Next.

  11. On the IP Filter List page, under IP filter lists, select All IP Traffic, and then click Next.

  12. On the Filter Action page, clear the Use Add Wizard check box, and then click Add. The New Filter Action Properties dialog box opens.

  13. On the Security Methods tab, choose Negotiate security, and select the Allow fallback to unsecured communication if a secure connection cannot be established check box. Leave the Accept unsecured communication, but always respond using IPsec check box cleared; that setting would let inbound connections arrive unauthenticated, which is what this policy is meant to prevent. If you receive a message warning you about enabling unsecured communication, click Yes.

  14. Next to Security method preference order, click Add, choose Integrity only, and then click OK.

  15. Click the General tab, under Name, type Require in / Request out, and then click OK.

  16. Select the new filter action you just created, and then click Next.

  17. On the Authentication Method page, choose Use a certificate from this certification authority (CA), and then click Browse. If you receive a warning that Active Directory does not contain a shared certificate store, click Yes. Unlike the connection security rules in the previous procedures, this legacy policy has no Only accept health certificates option; it accepts any computer certificate that chains to the CA you select, so the NAP CA hierarchy should not issue certificates for any other purpose.

  18. Click the name of the root CA in your NAP CA hierarchy, click OK, click Next, and then click Finish.

  19. Verify that All IP Traffic is selected under IP Filter List, that Filter Action is Require in / Request out, and that Authentication Method is Certificate, and then click OK.

  20. In the Group Policy Management Editor, right-click XP Secure Rule, and then click Assign. Only one IP Security policy can be assigned in a GPO at a time; an unassigned policy is stored but not applied.

  21. Close the Group Policy Management Editor window.

Note

You can use this GPO to configure additional NAP client settings for the IPsec enforcement method, or you can use a different GPO for these settings. For more information, see Deploying NAP Client Settings.

See Also

Concepts

Configure IPsec OUs