Deploying IPSec Across Your Network

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The general steps for assigning IPSec policy by using Group Policy are:

  1. Create the IPSec policy in the directory. If you have a computer dedicated to using local IPSec policy, you can use the netsh ipsec static importpolicy command or the IP Security Policy Management snap-in.

  2. Create a new GPO or identify an existing GPO to use to deliver the IPSec policy assignment. Remember that only members of the Domain Admins group can modify the GPO and assign IPSec policy.

  3. Assign the GPO to the domain level or an appropriate OU level, and then resolve any IPSec policy precedence issues. Group Policy objects, which include IPSec policies, can be configured to not be updated over slow links. IPSec policy should always be implemented, regardless of whether the updates must use slow links. If you prevent IPSec policy updates over slow links, communication failures might occur.

  4. Plan the rollout of the IPSec policy on both the client and server side. Determine whether to use Group Policy, the IP Security Policy Management snap-in, executable files, or some combination to deploy this technology. If you are going to secure a server, make sure to enable client-side IPSec policy first, allow time for all clients to retrieve the policy, then enable the server-side policy. When configuring the Negotiate security filter action, select the Allow unsecured communication with non-IPSec aware computers check box, so that IKE can fall back to unsecured communication if a remote computer has not yet retrieved IPSec policy.

  5. Ensure that IPSec authentication methods are ready before rolling out IPSec policy. All certificate autoenrollment problems must be investigated and resolved before assigning IPSec policy. Any cross-certificate trusts must be established and deployed to all systems first. Likewise, if Kerberos is being used, ensure that the domains containing the clients and servers trust each other and that Kerberos traffic is permitted. After IPSec policy is applied, if IKE authentication fails, communication will be blocked. For more information about certificate autoenrollment, see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit.
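
The following netsh script is an added example, not part of the original guide. It sketches steps 1 and 4: creating the policy in the directory store with fallback to unsecured communication enabled for the rollout window. The domain name, policy, filter list, filter action and rule names, the TCP 445 filter and the ESP[3DES,SHA1] security method are all constructed placeholders.

```netsh
# rollout.netsh (added example). Run as one session so the store selection
# persists across commands:  netsh -f rollout.netsh
# All names, the domain and the filtered port below are placeholders.

pushd ipsec static

# Step 1: target the Active Directory policy store instead of the local store.
set store location=domain domain=corp.example.com

# To load a policy built and tested on a dedicated computer instead of
# creating it here, use:  importpolicy file=c:\ipsec\tested-policy.ipsec

add policy name="Server Traffic" description="Rollout phase: fallback allowed"

# Traffic to protect (constructed sample: inbound TCP 445, mirrored).
add filterlist name="Server Inbound"
add filter filterlist="Server Inbound" srcaddr=any dstaddr=me protocol=TCP dstport=445 mirrored=yes

# Step 4: Negotiate security, with soft=yes corresponding to "Allow unsecured
# communication with non-IPSec aware computers", so IKE can fall back while
# clients are still retrieving policy.
add filteraction name="Negotiate With Fallback" action=negotiate soft=yes inpass=no qmsecmethods="ESP[3DES,SHA1]"

# Step 5: Kerberos authentication assumes the domain trusts are in place.
add rule name="Protect Server Inbound" policy="Server Traffic" filterlist="Server Inbound" filteraction="Negotiate With Fallback" kerberos=yes

# Review what was written to the directory before linking it to a GPO.
show policy name="Server Traffic" level=verbose

# After all clients have retrieved their policy, a later session can turn
# the fallback off:
#   set filteraction name="Negotiate With Fallback" soft=no

popd
```

Policies in the directory store are assigned through the GPO (steps 2 and 3), not from this script.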