IPSec between FileServer and Client
Was just wondering if somebody could help me out with this test lab i'm trying?
I've created two OUs, one called FileServer and one called Client Computers.
On the FileServer OU, the GPO has a computer policy with the IPSec 'Require Security' assigned.
On the Client Computer OU, the GPO has a computer policy with the IPSec 'Client respond only' assigned.
I've done a gpupdate /force, then tried to load Resultant Set of Policy to see if IPSec has been assigned to the Client PC (Windows XP), but it doesn't seem to show IPSec on there at all. I'm simply trying to use IPSec for accessing a local IIS website on the FileServer (Windows Server 2003) from the Client PC and looking for an easy way to see if it is working or not.
Is what I have done above correct? I'm not sure if you can use IPSec through GPOs or if it needs to be done with the local security policy on each individual machine? I found this on a website that explained how to enable IPSec for all traffic. If not, if anybody would care to explain what I need to do in detail or provide a link, I would be grateful.
Thanks.
I've created two OUs, one called FileServer and one called Client Computers.
On the FileServer OU, the GPO has a computer policy with the IPSec 'Require Security' assigned.
On the Client Computer OU, the GPO has a computer policy with the IPSec 'Client respond only' assigned.
I've done a gpupdate /force, then tried to load Resultant Set of Policy to see if IPSec has been assigned to the Client PC (Windows XP), but it doesn't seem to show IPSec on there at all. I'm simply trying to use IPSec for accessing a local IIS website on the FileServer (Windows Server 2003) from the Client PC and looking for an easy way to see if it is working or not.
Is what I have done above correct? I'm not sure if you can use IPSec through GPOs or if it needs to be done with the local security policy on each individual machine? I found this on a website that explained how to enable IPSec for all traffic. If not, if anybody would care to explain what I need to do in detail or provide a link, I would be grateful.
Thanks.
Comments
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□Did you set up ipsec rules on the server aswell (ie. identified the traffic you wanted encrypted, IPSec authentication/encryption/hash types etc)?We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
mr2nut Member Posts: 269Ahriakin wrote:Did you set up ipsec rules on the server aswell (ie. identified the traffic you wanted encrypted, IPSec authentication/encryption/hash types etc)?
It's in my above post. I have a fileserver that isn't promoted to a domain controller as i've heard this shouldn't be done as it confuses authenticating computers and new users onto the domain as it encrypts the logon process and fails (i've also learnt this from experience when I set IPSec up on a DC for the whole domain.
I have simply 'assigned' Server Require Security in the IPSec policy on the FileServer OUs GPO, then for the client PC OU, I have 'assigned' the default client Respond Only policy for the GPO that attaches to the client PC OU. I haven't changed any of the default rules as ICMP is already on require security as default, but I am unable to ping the hostname of the client PC from the Server, but I CAN however ping the fileserver hostname from the client machine.
The only way I can ping the client machine from the file server is via IP address and this isn't a DNS issue as I was able to ping it fine before applying IPSec. -
mr2nut Member Posts: 269Am I right then, in saying that to require security for everything on the Server, you just assign server require security for the fileserver OUs GPO, then assign client respond only to the client OUs GPO?
-
rossonieri#1 Member Posts: 799 ■■■□□□□□□□hi mr2nut,
ahriakin is correct - you have to set the IPSec rules first - that is between the clients and the servers - can be done in either locally (local secpol.msc) or centrally using OUs GPO. you need to change/add the default or create a new IPSec policy according your client-server communication requirements.
for the default IPSec communication (that is between clients or file servers to non IPSec aware machines) - you dont require a Required IPSec negotiation policy otherwise there will be no communication at all.
theres not much of room here to explain - but, do try to explore the secpol.msc - you'll find that there are IPSec negotiation options that you must fulfill to build a point-to-point IPSec communication.
HTH.the More I know, that is more and More I dont know. -
mr2nut Member Posts: 269Ok, i've now customized my ipsec policy. I've created an ipsec policy on my fileserver and exported it, then reimported it onto my client to.
I have set ICMP requests to require security and to require security for TCP port 80 for a website I have on my fileserver. How can I tell if HTTP requests to and from my fileserver are being encrypted with IPSec? I've heard you can use the built in network monitor tool on Server 2003 but I don't see where you can see this happening? I can see the requests going up with the relevant MAC address, but no obvious signs of encrypted data?
I did however ping my fileserver from my xppro machine and it said negotiating ipsec policy for the first ping request, then the remaining 3 successfully pinged so thats good. I assume once an ipsec policy has been negotiated from any participating machine, that from then on you never get another negotiation as all pings bar the very first one, now just ping as per usual. -
jamesp1983 Member Posts: 2,475 ■■■■□□□□□□do a packet capture with wireshark or an equivalent. do similar transfers in plaintext and then with ipsec. compare the captures"Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
-
jibbajabba Member Posts: 4,317 ■■■■■■■■□□Nice Step-by-Step guide using NAP / IPSec
http://www.microsoft.com/downloads/details.aspx?familyid=298ff956-1e6c-4d97-a3ed-7e7ffc4bed32&displaylang=en&tmMy own knowledge base made public: http://open902.com