IPSec Policy rule order of operations - Network


Thread: IPSec Policy rule order of operations

  1. IPSec Policy rule order of operations

    Hi.

    I am trying to use an IPSec policy to firewall my servers.

    I've created a policy that has the following rules

    Exchange Servers - whitelists all incoming traffic from the exchange servers
    Email Traffic - whitelists all incoming pop3 and smtp traffic
    Domain Controllers - whitelists all incoming traffic from our DCs
    Outgoing Traffic - permits all outgoing traffic (so I can get updates from
    windowsupdate and browse web, etc...)
    Incoming Traffic - Anything else not specified in the rules above needs to
    be blocked.

    I have 3 questions regarding how this policy will be applied:

    1) How do I set the order in which these rules are applied to incoming
    traffic? I want the "Incoming Traffic" rule to be applied only if all the
    other rules don't apply.

    2) Is there a way to monitor which rules are applied to which packets? On
    server1, the policy works fine, but on server2, I suspect that the "Outgoing
    Traffic" rule doesn't apply correctly.

    3) What is the command that immediately flushes the existing GPOs and
    re-loads them again from the DC?

    Thanks in advance for responses,

    -- Jason



  2. Re: IPSec Policy rule order of operations

    You cannot order IPsec rules like you can with a normal firewall. IPsec
    rules are weighted by the operating system according to criteria where the
    more specific rules override general rules. You could use the two IPsec MMC
    snap-ins on your server for IP Security to see information about IPsec
    policies, with IP Security Monitor showing all the gory details. Gpupdate
    /force will cause the client computer to reapply most GP settings from the
    domain controller it accesses for such; however, I believe that IPsec may not
    work exactly like other GP settings in that regard, though it should be easy
    enough to check after doing the refresh, and rsop.msc can help check that, as
    can the commands netdiag and netsh. For more information be sure to check the
    link below for what I consider the best source of Windows IPsec information
    available. You may not be interested in using IPsec for domain isolation, but
    I would still check out appendix A for IPsec policy concepts and chapter 7
    for troubleshooting IPsec. --- Steve

    http://technet2.microsoft.com/Window...5ed901033.mspx --- netsh for ipsec
    http://www.microsoft.com/technet/sec.../ipsecapa.mspx --- Server and Domain Isolation Using IPSec and Group Policy
    http://www.microsoft.com/technet/com...uy/cg0205.mspx --- IPsec Filter Ordering

    "Jason" wrote in message
    news:FpGdnZxZn-UnFKPZnZ2dnUVZ_v2dnZ2d@giganews.com...
    > Hi.
    >
    > I am trying to use an IPSec policy to firewall my servers.
    >
    > I've created a policy that has the following rules
    >
    > Exchange Servers - whitelists all incoming traffic from the exchange
    > servers
    > Email Traffic - whitelists all incoming pop3 and smtp traffic
    > Domain Controllers - whitelists all incoming traffic from our DCs
    > Outgoing Traffic - permits all outgoing traffic (so I can get updates from
    > windowsupdate and browse web, etc...)
    > Incoming Traffic - Anything else not specified in the rules above needs to
    > be blocked.
    >
    > I have 3 questions regarding how this policy will be applied:
    >
    > 1) How do I set the order in which these rules are applied to incoming
    > traffic? I want the "Incoming Traffic" rule to be applied only if all
    > the other rules don't apply.
    >
    > 2) Is there a way to monitor which rules are applied to which packets? On
    > server1, the policy works fine, but on server2, I suspect that the
    > "Outgoing Traffic" rule doesn't apply correctly.
    >
    > 3) What is the command that immediately flushes the existing GPOs and
    > re-loads them again from the DC?
    >
    > Thanks in advance for responses,
    >
    > -- Jason
    >
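A constructed model of how Steve's answer to question 1 plays out on Jason's five rules, added here and not code from either poster: the filters have no order, the most specific matching filter wins, so the catch-all "Incoming Traffic" block applies only when nothing narrower matches. The sample addresses and the point-based specificity score are assumptions, a simplification of Windows' actual IPsec filter weighting.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not Windows' real filter engine) of Jason's five rules.
# Specificity scoring is a simplifying assumption: a single host outranks a
# subnet, which outranks "any"; a named protocol or port each add a point.
EXCHANGE_SERVERS = ["10.0.1.10", "10.0.1.11"]   # constructed sample hosts
DOMAIN_CONTROLLERS = ["10.0.0.5", "10.0.0.6"]   # constructed sample hosts

@dataclass
class Filter:
    name: str
    action: str                  # "permit" or "block"
    direction: str               # "in" or "out"
    remote: str = "any"          # remote host, CIDR, or "any"
    protocol: str = "any"        # "tcp", "udp", or "any"
    port: Optional[int] = None   # local port for "in", remote port for "out"

    def matches(self, direction, remote_ip, protocol, port):
        if self.direction != direction:
            return False
        if self.remote != "any" and ipaddress.ip_address(remote_ip) not in \
                ipaddress.ip_network(self.remote, strict=False):
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        return self.port is None or self.port == port

    def specificity(self):
        score = 0
        if self.remote != "any":
            net = ipaddress.ip_network(self.remote, strict=False)
            score += 3 if net.num_addresses == 1 else 2
        return score + int(self.protocol != "any") + int(self.port is not None)

FILTERS = (
    [Filter("Exchange Servers", "permit", "in", remote=h) for h in EXCHANGE_SERVERS]
    + [Filter("Email Traffic", "permit", "in", protocol="tcp", port=p) for p in (25, 110)]
    + [Filter("Domain Controllers", "permit", "in", remote=h) for h in DOMAIN_CONTROLLERS]
    + [Filter("Outgoing Traffic", "permit", "out"), Filter("Incoming Traffic", "block", "in")]
)

def decide(direction, remote_ip, protocol, port):
    """Return (rule name, action) of the most specific matching filter."""
    hits = [f for f in FILTERS if f.matches(direction, remote_ip, protocol, port)]
    if not hits:
        return ("no filter", "permit")   # traffic no filter covers is left alone
    best = max(hits, key=Filter.specificity)
    return (best.name, best.action)
```

decide("in", "203.0.113.7", "tcp", 3389) returns ("Incoming Traffic", "block") while decide("in", "203.0.113.7", "tcp", 25) returns ("Email Traffic", "permit"), which is the behaviour Jason wanted without any explicit rule order.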



