Configuring IPsec Selectively (W2K3) - Network


  1. Configuring IPsec Selectively (W2K3)

    Hello,

    I have a fairly simple question, which I hope can be answered just as simply:

    Is it possible, and how, to configure IPsec among 7 hosts without severing
    other (non-encrypted) traffic from other hosts?

    I.e. the requirement would be:
    hosts 1 through 7 must use IPsec, but they must (all) also be able to fall
    back to non-encrypted conversations with hosts 8 through 20 (which do not
    need IPsec).

    Thanks
    SAL

  2. Re: Configuring IPsec Selectively (W2K3)

    Configure rules in your policy. One rule would contain a filter list that
    specifies the 7 hosts with a filter action of Require with the needed
    authentication method, and another rule would contain a filter list for IPs
    8-20 with a filter action of Permit. Another way could be to use a rule
    that requires IPsec for all IPs and then have a rule that exempts 8-20.
    Assign the IPsec policy to the 7 hosts.

    Steve


  3. Re: Configuring IPsec Selectively (W2K3)

    My vote is to use an 'opt-out' design.

    I'd suggest setting up rules with the following formats. Note that the
    formats of 'My IP', Any, Subnet and IP designations are exact
    recommendations and intended to facilitate proper filter weighting for
    packet processing...

    Any <-> Network_Subnet, Negotiate IPsec.
    -Uncheck "Accept unsecured communication"
    -Check "Allow fallback to unsecured communication"

    Any <-> Permitted_Hosts, Permit
    -Create a filter list with the IP addresses of hosts 8-20

    Any <-> Infrastructure_Systems
    -Create a filter list with your DNS, WINS, DHCP, Domain Controllers
    -IPsec between clients and domain controllers is not supported for a number
    of reasons, so these permits will prevent that from being a problem
    -This filter also eases issues with clients timing out while trying to
    'fall back to clear' when initiating connections to systems that are not
    running IPsec, e.g. DNS servers etc.

    My IP <-> Any, ICMP, Permit
    -I permit ICMP for ease of troubleshooting as well as to support PMTU
    detection...

    Granted, the first rule (Any < -> Network_Subnet) appears to be securing
    more than just the hosts you want, but the explicit permits for the other
    hosts will opt them out of needing IPsec, while supporting the required use
    of IPsec for the others.

    You can also consider not using the Any <-> Infrastructure_Systems permit if
    you use the Simple Policy update. The fix, along with the registry keys it
    uses, allows IPsec-enabled systems to fall back to clear more efficiently when
    communicating with non-IPsec-enabled hosts...

    http://www.microsoft.com/technet/its...plepolicy.mspx

    http://support.microsoft.com/kb/914841

    Jason
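Both replies describe the same mechanism: a single IPsec policy whose rules each pair a filter list with a filter action, assigned only to hosts 1-7. The batch script below is an added example (not posted by Steve or Jason) that builds Jason's opt-out design with the `netsh ipsec static` context on Windows Server 2003, which also covers Steve's "require for all, exempt 8-20" variant. Every name and address in it is an assumption: the policy/list/action names, the protected subnet 10.0.0.0/24, hosts 8-20 as 10.0.0.8 through 10.0.0.20, and a domain controller at 10.0.0.5. DNS, WINS and DHCP are expressed with the server-type keywords netsh resolves on the local machine, so those three lines need no addresses.

```batch
@echo off
rem Added example, not from the thread: Jason's opt-out IPsec policy built with
rem netsh ipsec static (Windows Server 2003). Run it on each of hosts 1-7.
rem Assumed addresses (change for your network):
rem   protected subnet    10.0.0.0/24
rem   opted-out hosts     10.0.0.8 .. 10.0.0.20  (hosts 8-20, cleartext)
rem   domain controller   10.0.0.5
setlocal
set POL=Selective IPsec

netsh ipsec static add policy name="%POL%" description="Negotiate IPsec on the subnet; explicit permits opt other hosts out" assign=no

rem ---- Filter lists (Any/Subnet/IP forms chosen so the more specific filter wins) ----
netsh ipsec static add filterlist name="Network_Subnet"
netsh ipsec static add filter filterlist="Network_Subnet" srcaddr=any dstaddr=10.0.0.0 dstmask=255.255.255.0 protocol=any mirrored=yes

rem Hosts 8-20 are assumed contiguous; list them one per line if they are not.
netsh ipsec static add filterlist name="Permitted_Hosts"
for /L %%i in (8,1,20) do netsh ipsec static add filter filterlist="Permitted_Hosts" srcaddr=any dstaddr=10.0.0.%%i dstmask=255.255.255.255 protocol=any mirrored=yes

rem DNS, WINS, DHCP via server-type keywords; the DC by address (assumed 10.0.0.5).
netsh ipsec static add filterlist name="Infrastructure_Systems"
netsh ipsec static add filter filterlist="Infrastructure_Systems" srcaddr=any dstaddr=dns  protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Infrastructure_Systems" srcaddr=any dstaddr=wins protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Infrastructure_Systems" srcaddr=any dstaddr=dhcp protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Infrastructure_Systems" srcaddr=any dstaddr=10.0.0.5 dstmask=255.255.255.255 protocol=any mirrored=yes

rem "My IP <-> Any, ICMP" for troubleshooting and PMTU discovery.
netsh ipsec static add filterlist name="ICMP_Any"
netsh ipsec static add filter filterlist="ICMP_Any" srcaddr=me dstaddr=any protocol=icmp mirrored=yes

rem ---- Filter actions ----
rem inpass=no : "Accept unsecured communication" unchecked (no cleartext inbound
rem             from a host that should be negotiating)
rem soft=yes  : "Allow fallback to unsecured communication" checked
netsh ipsec static add filteraction name="Negotiate_ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=yes
netsh ipsec static add filteraction name="Permit_Clear" action=permit

rem ---- Rules: the negotiate rule covers the whole subnet; the permits opt hosts out ----
netsh ipsec static add rule name="Subnet_Negotiate" policy="%POL%" filterlist="Network_Subnet"         filteraction="Negotiate_ESP" kerberos=yes
netsh ipsec static add rule name="OptOut_Hosts_8_20" policy="%POL%" filterlist="Permitted_Hosts"       filteraction="Permit_Clear"
netsh ipsec static add rule name="Infra_Permit"      policy="%POL%" filterlist="Infrastructure_Systems" filteraction="Permit_Clear"
netsh ipsec static add rule name="ICMP_Permit"       policy="%POL%" filterlist="ICMP_Any"              filteraction="Permit_Clear"

rem Assign locally (a domain GPO-assigned policy would override this one).
netsh ipsec static set policy name="%POL%" assign=yes
netsh ipsec static show policy name="%POL%" level=verbose
endlocal
```

After assigning on all seven hosts, check the result rather than assuming it: `netsh ipsec dynamic show qmsas` on one of them should list quick-mode SAs to the other six and none to 10.0.0.8-.20 or the DC. The check matters because `soft=yes` is exactly the fallback the question asks for, and it is also what turns a protected host that has not yet received the policy (or whose IKE is blocked) into a silent cleartext peer; if one of the seven shows no SA, that host is talking in the clear, not failing. The first connection to a non-IPsec host waits for IKE to time out before falling back, which is the delay Jason's Infrastructure_Systems permit and the Simple Policy update (KB 914841) in his post are meant to remove.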