Create IPsec Rules for Clients of an Isolated Server Zone on Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

IP Security rules for Windows 2000, Windows XP, and Windows Server 2003 are composed of filter lists, filter actions, and authentication methods. In this section, you combine those elements into complete IPsec rules that can be used by the computers to which the GPO is applied.

In these procedures, you combine IPsec filters and filter actions to create the rules required for the client computers of a standalone server isolation zone that is not part of an isolated domain.

Important

The following steps apply IPsec to communication with all computers, except for ICMP traffic and computers on the exemption list, and use fallback-to-clear behavior for computers outside the isolated server zone. Alternatively, you can create a filter list that includes only the members of the isolated server zone, and then assign that filter list instead of the All IP Traffic filter list used in the last two procedures. This means that you must manually update the addresses in the filter list whenever the IP address of an isolated server changes. Failure to update the list results in failed connections to the server with the new address.

The rules you create include the following:

  • A rule that permits ICMP traffic. This rule combines the All ICMP Traffic filter list with the Permit filter action. This rule is added to all of the IPsec policies for all of the GPOs for computers running Windows 2000, Windows XP, or Windows Server 2003.

  • A rule that permits traffic from members of the exemption list. This rule combines the All Exempted Computers filter list with the Permit filter action. This rule is added to all IPsec policies for all of the GPOs for computers running Windows 2000, Windows XP, or Windows Server 2003.

  • A rule that requests authentication for all other traffic. This rule combines the All IP Traffic filter list with the Request Authentication filter action. This rule supports connecting to isolated servers that require authentication, but allows fallback-to-clear behavior for all other computers.

  • A rule that requests authentication and encryption for all other traffic. This rule combines the All IP Traffic filter list with the Request Authentication and Encryption filter action. This rule supports connecting to isolated servers that require authentication and encryption, but allows fallback-to-clear behavior for all other computers.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To create a rule that permits ICMP network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All ICMP Traffic, and then click Next.

  8. On the Filter Action page, select Permit, and then click Next.

  9. On the Completing the Security Rule Wizard page, click Finish.

To create a rule that permits network traffic from members of the exemption list

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All Exempted Computers, and then click Next.

  8. On the Filter Action page, select Permit, and then click Next.

  9. On the Completing the Security Rule Wizard page, click Finish.

To create a rule that requests authentication for all other network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All IP Traffic, and then click Next.

  8. On the Filter Action page, select Request Authentication, and then click Next. Remember that this rule must not be changed to require mode after testing is complete.

  9. On the Authentication Method page, select Active Directory default (Kerberos V5 protocol), and then click Next. You can add only one method on this wizard page. If your design requires more than one authentication method, see Add Authentication Methods to an IPsec Rule on Earlier Versions of Windows.

  10. On the Completing page, click Finish to save your rule in the policy.

To create a rule that requests both authentication and encryption for all other inbound network traffic

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the IPsec policy in which you want to create the rule.

  3. On the Rules tab, click Add.

  4. On the Welcome page of the Security Rule Wizard, click Next.

  5. On the Tunnel Endpoint page, select This rule does not specify a tunnel, and then click Next.

  6. On the Network Type page, select All network connections, and then click Next.

  7. On the IP Filter List page, select All IP Traffic, and then click Next.

  8. On the Filter Action page, select Request Both Authentication and Encryption, and then click Next. Remember that this rule must not be changed to require mode after testing is complete.

  9. On the Authentication Method page, select Active Directory default (Kerberos V5 protocol), and then click Next. You can add only one method on this wizard page. If your design requires more than one authentication method, see Add Authentication Methods to an IPsec Rule on Earlier Versions of Windows.

  10. On the Completing page, click Finish to save your rule in the policy.

  11. When you have finished adding rules, make sure that all of your rules are selected, and that the <Dynamic> Default response rule is not selected, and then click OK to save your rules in the policy.
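The same four rules can be created from the command line with the netsh ipsec static context instead of the Security Rule Wizard. The script below is an added example and is not part of the original page; the policy, filter list, filter action and rule names, the domain name, the placeholder addresses, and the quick-mode security methods are all assumptions. Because the policy is written to the domain store, the script only needs to run once on a Windows Server 2003 computer with the Group Policy tools; the client computers receive the rules through the GPO. It also shows, commented out, the alternative from the Important note above (a filter list that lists only the isolated servers).

```batch
@echo off
rem Added example, not the original page's procedure: builds the same policy
rem with netsh ipsec static (Windows Server 2003). Names, domain, addresses and
rem security methods below are assumptions, not values from the page.
setlocal
set DOMAIN=corp.example.com
set POLICY=Isolated Server Zone Clients

rem Write to the domain store so the rules land in the GPO, not the local policy.
netsh ipsec static set store location=domain domain=%DOMAIN%

rem Policy with the <Dynamic> Default response rule disabled (step 11 above).
netsh ipsec static add policy name="%POLICY%" activatedefaultrule=no ^
    description="Clients of the isolated server zone: request mode with fallback to clear"

rem --- Filter lists (assumed definitions; the page refers to them by name) ---
netsh ipsec static add filterlist name="All ICMP Traffic"
netsh ipsec static add filter filterlist="All ICMP Traffic" srcaddr=me dstaddr=any protocol=ICMP mirrored=yes

netsh ipsec static add filterlist name="All Exempted Computers"
rem 192.0.2.10 is a constructed placeholder for one exempted computer.
netsh ipsec static add filter filterlist="All Exempted Computers" srcaddr=me dstaddr=192.0.2.10 protocol=ANY mirrored=yes

netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem Alternative from the Important note: list only the isolated servers and use
rem this list in the last two rules instead of "All IP Traffic". It must then be
rem updated by hand whenever a server's address changes (192.0.2.20 is a placeholder).
rem netsh ipsec static add filterlist name="Isolated Servers"
rem netsh ipsec static add filter filterlist="Isolated Servers" srcaddr=me dstaddr=192.0.2.20 protocol=ANY mirrored=yes

rem --- Filter actions ---
netsh ipsec static add filteraction name="Permit" action=permit

rem soft=yes is the fallback-to-clear behavior the page relies on: if the peer
rem does not negotiate IPsec, the client communicates in the clear instead of
rem failing. inpass=yes accepts an unsecured inbound packet but replies over IPsec.
rem Integrity-only (null encryption) for "Request Authentication",
rem 3DES/SHA1 for "Request Authentication and Encryption" (assumed methods).
netsh ipsec static add filteraction name="Request Authentication" action=negotiate ^
    soft=yes inpass=yes qmsecmethods="ESP[None,SHA1]:100000k/3600s"
netsh ipsec static add filteraction name="Request Authentication and Encryption" action=negotiate ^
    soft=yes inpass=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem --- Rules (the four procedures above) ---
rem Omitting tunnel= and using conntype=all matches the wizard choices
rem "This rule does not specify a tunnel" and "All network connections".
rem kerberos=yes is the "Active Directory default (Kerberos V5 protocol)" method.
netsh ipsec static add rule name="Permit ICMP" policy="%POLICY%" ^
    filterlist="All ICMP Traffic" filteraction="Permit" conntype=all
netsh ipsec static add rule name="Permit Exempted Computers" policy="%POLICY%" ^
    filterlist="All Exempted Computers" filteraction="Permit" conntype=all
netsh ipsec static add rule name="Request Authentication" policy="%POLICY%" ^
    filterlist="All IP Traffic" filteraction="Request Authentication" conntype=all kerberos=yes
netsh ipsec static add rule name="Request Authentication and Encryption" policy="%POLICY%" ^
    filterlist="All IP Traffic" filteraction="Request Authentication and Encryption" conntype=all kerberos=yes

rem Review before assigning the policy: all four rules should be listed as
rem active and the default response rule as inactive.
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

The script deliberately leaves the two negotiate actions in request mode (soft=yes); changing either to require mode would break the fallback-to-clear behavior that clients of a standalone isolated server zone depend on when they talk to computers outside the zone.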