Plan the Location and Integration of Your IPsec Policy

The easiest way to configure IPsec is through Group Policy. By creating a single Group Policy object (GPO) and configuring it to apply to the computers in the SMS IPsec group, you can modify the IPsec configuration on all of those computers from one central location. The easiest way to create a single GPO that applies only to the SMS IPsec group is to move those computers into a separate OU and link the GPO to that OU. If you cannot create a separate OU, you can create a security group, add the SMS IPsec computers to that security group, and configure the GPO to apply only to that security group. For more information about managing Group Policy, see the Help and Support Center.
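The two scoping options described above, as an added PowerShell example that is not part of the original page: either link the GPO to a dedicated OU, or, when the computers cannot be moved, filter the GPO by a security group. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) on a domain-joined administration workstation; the OU, group, GPO and computer names are constructed placeholders.

```powershell
# Added example, not the page's own procedure. Scopes an IPsec GPO to the SMS
# site systems. Names below are constructed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Set-SmsIpsecGpoScope {
    param(
        [string[]] $Computers,                         # SMS site systems
        [string]   $GpoName   = 'SMS IPsec Policy',    # placeholder GPO name
        [string]   $OuName    = 'SMS IPsec',           # placeholder OU name
        [string]   $GroupName = 'SMS IPsec Computers', # placeholder group name
        [switch]   $UseSecurityGroupFilter             # set when an OU is not an option
    )

    $domainDN = (Get-ADDomain).DistinguishedName
    $ouDN     = "OU=$OuName,$domainDN"

    # Create the GPO once; the IPsec rules themselves are authored in it afterwards.
    # Keep preshared-key policies out of it entirely (see the note on the page).
    $gpo = Get-GPO -All | Where-Object DisplayName -eq $GpoName
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'IPsec for SMS site systems; Kerberos or certificate authentication only'
    }

    if (-not $UseSecurityGroupFilter) {
        # Preferred: a dedicated OU, so the link alone decides which computers get the policy.
        if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
            New-ADOrganizationalUnit -Name $OuName -Path $domainDN
        }
        foreach ($name in $Computers) {
            $obj = Get-ADComputer -Filter "Name -eq '$name'"
            if ($obj -and $obj.DistinguishedName -notlike "*,$ouDN") {
                Move-ADObject -Identity $obj.DistinguishedName -TargetPath $ouDN
            }
        }
        $linked = (Get-GPInheritance -Target $ouDN).GpoLinks.DisplayName -contains $GpoName
        if (-not $linked) { New-GPLink -Name $GpoName -Target $ouDN -LinkEnabled Yes | Out-Null }
    }
    else {
        # Fallback: the GPO is linked higher up, so restrict APPLY to a security group.
        if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
            New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $domainDN
        }
        $members = foreach ($name in $Computers) { Get-ADComputer -Filter "Name -eq '$name'" }
        Add-ADGroupMember -Identity $GroupName -Members $members

        # Drop Authenticated Users from Apply to Read, never to nothing: since MS16-072
        # the computer account must still be able to read the GPO for it to be processed.
        Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel GpoRead -Replace | Out-Null
        Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }

    # Return the resulting permission set so the scope can be reviewed before the
    # IPsec rules in the GPO are enabled.
    Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
}

# Usage (constructed host names):
Set-SmsIpsecGpoScope -Computers 'SMSSITE01','SMSSQL01','SMSMP01'
# or, when the computers must stay in their current OUs:
Set-SmsIpsecGpoScope -Computers 'SMSSITE01','SMSSQL01','SMSMP01' -UseSecurityGroupFilter
```

Whichever route is taken, run `gpresult /scope computer /r` on one of the site systems after the next policy refresh and confirm the GPO appears under applied objects and is absent on a computer outside the scope.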

Important

If you must use a preshared key for the authentication method, do not configure the IPsec policy in Group Policy because attackers can obtain the preshared key from the policy. Use only local IPsec policies and block domain policy override. Be aware that local IPsec policy still exposes the preshared key in the registry, and attackers with sufficient rights can view this key.

If you do not create a GPO, you will have to create individual IPsec policies for each computer in the group. To facilitate this, you can export the policy from one computer and import it to the other computers in the group. For information about exporting and importing IPsec policy, see the Help and Support Center.
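The export-and-import alternative described above, as an added PowerShell example that is not part of the original page. It uses the `netsh ipsec static exportpolicy` and `importpolicy` commands on each computer and assumes PowerShell remoting (WinRM) to the site systems; where remoting is unavailable, the same `netsh` lines can be run locally at each computer. Host names, paths and the policy name are constructed placeholders.

```powershell
# Added example, not the page's own procedure. Copies the local IPsec policy
# store from one reference computer to the other SMS site systems.
$Source     = 'SMSSITE01'                   # computer where the policy was built
$Targets    = 'SMSSQL01', 'SMSMP01'          # remaining SMS IPsec computers
$PolicyName = 'SMS IPsec Policy'            # name of the policy inside the store
$RemotePath = 'C:\Windows\Temp\sms-ipsec.ipsec'
$LocalCopy  = Join-Path $env:TEMP 'sms-ipsec.ipsec'

# 1. Export the whole local IPsec store on the reference computer and pull it
#    back through the session (avoids a second hop to a file share).
$src = New-PSSession -ComputerName $Source
Invoke-Command -Session $src -ScriptBlock {
    param($path)
    netsh ipsec static exportpolicy file="$path"
} -ArgumentList $RemotePath
Copy-Item -FromSession $src -Path $RemotePath -Destination $LocalCopy
Invoke-Command -Session $src -ScriptBlock { param($p) Remove-Item $p -Force } -ArgumentList $RemotePath
Remove-PSSession $src

# 2. Push the file to each target, import it, assign the policy, and show the result.
foreach ($t in $Targets) {
    $s = New-PSSession -ComputerName $t
    Copy-Item -ToSession $s -Path $LocalCopy -Destination $RemotePath
    Invoke-Command -Session $s -ScriptBlock {
        param($path, $policy)
        netsh ipsec static importpolicy file="$path"
        netsh ipsec static set policy name="$policy" assign=y
        netsh ipsec static show policy name="$policy"
        Remove-Item $path -Force            # the file holds the full policy, do not leave it behind
    } -ArgumentList $RemotePath, $PolicyName
    Remove-PSSession $s
}

# 3. Remove the local working copy as well.
Remove-Item $LocalCopy -Force
```

The exported file contains every setting of the policy, including any preshared key if one is used, which is why the example deletes each copy once the import has completed.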

Important

As with any Group Policy object, settings at the site, domain, or OU level can override the local security policy. If you already have IPsec policies in your environment, coordinate your SMS IPsec policy design with the other IPsec policies that may apply to the SMS site systems.