IPSec Policy Agent service

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The purpose of the IPSec Policy Agent is to retrieve policy information and pass it to other IPSec components that require this information to perform security services, as shown in the following illustration.

[Illustration: IPSec Policy Agent]

The IPSec Policy Agent is a service that resides on each computer running a Windows Server 2003 operating system, appearing as IPSec Services in the list of system services in the Services console. The IPSec Policy Agent:

  • Retrieves the appropriate IPSec policy (if one has been assigned) from Active Directory, if the computer is a domain member, or from the local registry, if the computer is not a member of a domain.

  • Polls for changes in policy configuration.

  • Sends the assigned IPSec policy information to the IPSec driver.

If the computer is a member of a domain, policy retrieval occurs when the system starts, at the interval specified in the IPSec policy, and at the default Winlogon polling interval. You can also manually poll Active Directory for policy using the gpupdate /target:computer command.

The following are additional aspects of IPSec policy behavior for a computer that is a member of a domain:

  • If IPSec policy information is centrally configured for computers that are domain members, the IPSec policy information is stored in Active Directory and cached in the local registry of the computer to which it applies.

  • If the computer is temporarily not connected to the domain and policy is cached, new policy information for that computer replaces old, cached information when the computer reconnects to the domain.

  • If the computer is a stand-alone computer or a member of a domain that is not using Active Directory for policy storage, IPSec policy is stored in the local registry.

The IPSec Policy Agent starts automatically at system start time. If there are no IPSec policies in Active Directory or the registry, or if the IPSec Policy Agent cannot connect to Active Directory, the IPSec Policy Agent waits for policy to be assigned or activated.
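The following script is an added example, not part of the original documentation. It reports the state of the Policy Agent service, shows which policy store (the Active Directory cache or the local registry) currently holds policy objects, and, on a domain member, triggers the manual poll described above with gpupdate /target:computer. It assumes the service's short name is PolicyAgent and that the cached domain policy and local policy live under the Cache and Local subkeys of HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy; run it from an elevated prompt.

```powershell
# Added example (not from the original documentation). Assumed names: service
# short name "PolicyAgent" (display name "IPSEC Services"); registry stores
# ...\IPSec\Policy\Cache (policy retrieved from Active Directory) and
# ...\IPSec\Policy\Local (policy for stand-alone or non-AD-managed computers).
# WMI is used instead of newer cmdlet properties so it runs on older PowerShell.

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='PolicyAgent'"
if (-not $svc) {
    Write-Warning 'IPSec Policy Agent service (PolicyAgent) was not found.'
    return
}
'Service "{0}": state={1}, start mode={2}' -f $svc.DisplayName, $svc.State, $svc.StartMode

# Count policy objects in each store. The Policy Agent caches AD policy under
# Cache and keeps registry-assigned policy under Local; an empty or missing
# store on a running agent means it is waiting for policy to be assigned.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy'
foreach ($store in 'Cache', 'Local') {
    $path = Join-Path $base $store
    if (Test-Path $path) {
        $count = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue).Count
        '{0,-5} store: {1} policy object(s)' -f $store, $count
    } else {
        '{0,-5} store: not present' -f $store
    }
}

# Domain members receive policy from Active Directory; poll it manually now.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    'Domain member of {0}: polling Active Directory for computer policy...' -f $cs.Domain
    gpupdate /target:computer
} else {
    'Not a domain member: the Policy Agent reads policy from the Local store only.'
}
```

A stopped service, or a domain member whose Cache store stays empty after the refresh, indicates that no IPSec policy is being applied on that computer.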