Coordinating IPSec Client and Server Policies in a Domain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Both clients and servers must have compatible IPSec policy before secure communication can take place. Because the initial application of IPSec policy, and any later policy change, can briefly interrupt connectivity, schedule these tasks for low-use periods wherever possible. When policy changes, the IPSec service might have to delete the existing IPSec security associations (SAs) so that new SAs can be negotiated under the new policy, which causes a temporary loss of communication until the negotiation completes.

Remember that Active Directory-based (domain) IPSec policy overrides local IPSec policy. If a local administrator has secured a server with local IPSec policy, assigning a domain policy might leave the server less secure than before, or break the secure communication it already depends on. If persistent policy was used to establish that baseline, domain policy cannot override it; it can only add to that baseline security.
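The following batch file is an added example, not part of the original article. It shows the two checks a practitioner would want before rolling out a domain policy: first record which GPO-assigned policy, local store contents and active SAs a server currently has, then establish a narrow persistent baseline that a later domain policy cannot remove. The policy, filter list, filter action and rule names are illustrative; the script file path is an assumption.

```cmd
@echo off
rem Added example (not from the original article). Run from an elevated
rem command prompt on a Windows Server 2003 member server.
rem Policy, filter list, filter action and rule names are illustrative.

rem --- 1. Record what is in effect BEFORE a domain policy is assigned ---
rem Which Active Directory-based policy (if any) Group Policy has assigned:
netsh ipsec static show gpoassignedpolicy
rem Everything in the local store (policies, filter lists, filter actions):
netsh ipsec static show all
rem What the IPSec driver is enforcing right now, including current SAs:
netsh ipsec dynamic show all

rem --- 2. Build a netsh script for the persistent baseline ---
rem The store selection lasts only for one netsh session, so the commands
rem are written to a script and executed together with "netsh -f".
set SCRIPT=%TEMP%\ipsec-baseline.txt
>  "%SCRIPT%" echo ipsec static set store location=persistent
rem Inbound TCP 445 (SMB) to this host; mirrored=yes adds the reply direction.
>> "%SCRIPT%" echo ipsec static add filterlist name="Inbound SMB"
>> "%SCRIPT%" echo ipsec static add filter filterlist="Inbound SMB" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=yes
rem Negotiate only: no fallback to clear text (soft=no) and no unsecured
rem inbound packets accepted (inpass=no).
>> "%SCRIPT%" echo ipsec static add filteraction name="Require IPSec" action=negotiate inpass=no soft=no
>> "%SCRIPT%" echo ipsec static add policy name="Persistent baseline" description="Applied at boot, not replaced by domain policy" assign=yes
>> "%SCRIPT%" echo ipsec static add rule name="SMB requires IPSec" policy="Persistent baseline" filterlist="Inbound SMB" filteraction="Require IPSec" kerberos=yes
rem Dump the persistent store in the same session so the result can be checked.
>> "%SCRIPT%" echo ipsec static show all
netsh -f "%SCRIPT%"
```

Keep the persistent baseline narrow. Because it is applied before domain policy and is not replaced by it, a persistent rule that requires negotiation for all traffic would also apply to the Kerberos exchange that IKE itself needs with a domain controller, and a mistake there is not fixable from the domain. Re-run the `show gpoassignedpolicy` and `dynamic show all` checks after the domain policy is assigned to confirm that the baseline rule and the domain rules are both present.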