Hi all!

I am planning a deployment of the SDI solution proposed by MS
(http://www.microsoft.com/sdisolation) on an environment composed of:

- Win2k8: DCs
- SLES10: Virtualization hosts
- OpenSUSE: Firewall, www, File, Backup, SVN + others

I am wondering which the best architecture would be. My thoughts drove me to:
- IKE: Use Kerberos v5. Linux boxes are joined to the Windows Domain.
- Auth: Use ESP-null as my network is segmented and I will need to NAT IPSec.
- IPSec in transport mode.
- Policies: Windows systems get the policy from the DC while Linux systems
have the policy deployed locally (As far as I know I cannot distribute the
policy via GPO to Linux systems)

I am aiming to secure the whole network using IPSec. I have ~100 Vista
workstations joined to this Win2k8 domain. A few questions are:

- Does the scope seem feasible? I have never deployed an IPSec solution
before.
- Do you smell any drawback?

Right now, I am driving a set of proof of concepts and your advice will be
more than useful.

Thanks in advance,
--
-beto
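The Linux side of the design sketched in the post (locally deployed SPD policy, ESP-null in transport mode, Kerberos-authenticated IKE with NAT traversal), written out here as an added example in ipsec-tools setkey/racoon syntax; it is not from the original post or from the MS SDI guide. The subnet 10.0.0.0/24, the realm EXAMPLE.COM and the hostnames are constructed placeholders.

```conf
# ---- /etc/racoon/setkey.conf : local SPD (what Windows gets from the DC) ----
flush;
spdflush;
# Transport mode ESP between hosts on the constructed 10.0.0.0/24 segment.
# "require" drops cleartext if no SA can be negotiated; "use" would fall back
# to cleartext, which is the safer choice while non-domain hosts still exist.
spdadd 10.0.0.0/24 10.0.0.0/24 any -P out ipsec esp/transport//require;
spdadd 10.0.0.0/24 10.0.0.0/24 any -P in  ipsec esp/transport//require;

# ---- /etc/racoon/racoon.conf : IKE (phase 1) and IPsec SA (phase 2) ----
listen {
    isakmp       10.0.0.5 [500];     # constructed host address
    isakmp_natt  10.0.0.5 [4500];    # UDP-encapsulated ESP for the NATed path
}

remote anonymous {
    exchange_mode   main;            # main mode is needed for GSS-API auth
    nat_traversal   on;              # ESP survives NAT only with NAT-T
    # Kerberos principal this host presents; the box must already be joined
    # to the domain so the host keytab contains this principal.
    gssapi_id       "host/files.example.com@EXAMPLE.COM";
    proposal {
        encryption_algorithm   aes;  # phase 1 is always encrypted
        hash_algorithm         sha1;
        authentication_method  gssapi_krb;
        dh_group               modp1024;
    }
}

sainfo anonymous {
    pfs_group                modp1024;
    lifetime time            1 hour;
    # ESP-null: integrity/authentication only, no confidentiality on the wire.
    encryption_algorithm     null_enc;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
}
```

Windows hosts must offer a matching phase-2 proposal (ESP null with HMAC-SHA1, transport mode) for the SAs to come up, so the DC-side policy and this file need to agree algorithm for algorithm.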