XP SP2 authenticated IPSEC firewall bypass

I have deployed both IPSEC and Windows XP SP2 on my LAN. My idea was to have the Windows Firewall fully locked-down on client PCs, but allow authenticated IPSEC bypass. This would mean that users in the office would be able to talk to each other, but laptops that travel to other locations would be locked-down, and client PCs would also appear fully locked-down to any guest laptop that might appear in our conference room.

In Group Policy, I have enabled Computer Settings - Administrative Templates - Network - Network Connections - Windows Firewall - Allow authenticated IPSEC bypass, and set the IPSec peers value to:

O:DAG:DAD:(A;;RCGW;;;S-1-5-21-1123561945-861567501-1801674531-515)

Since I want all of our XP SP2 computers to follow this policy, the SID is that of "Domain Computers" which contains every computer account. (I retrieved the SID using getsid.exe, as recommended.) After reading the documentation, I'm still not sure if the SID is supposed to specify which computers the policy applies to, or if the policy applies to all computers that receive the group policy but the SID indicates which other computers are permitted to bypass the firewall. If I can get it to work at all, then I can determine this by trial and error.

My problem is, it doesn't work at all; the firewall policy is never bypassed, regardless of which group I set the SID to.

Has anyone gotten this to work? What am I missing?

-Graham
Asked by ghjm
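Added example, not code from the thread: a small Python parser for the IPsec-peers SDDL string quoted in the question. It decodes each ACE and flags any entry that is not an Allow ACE granting exactly RC and GW to a domain SID, which is the shape the question uses. The well-known RID table and the "expected rights" check are this example's own assumptions, useful for sanity-checking a value before it is pushed through Group Policy.

```python
import re

# Well-known domain RIDs (the page's SID ends in 515 = Domain Computers).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   515: "Domain Computers", 516: "Domain Controllers"}
# Right codes the bypass string on this page grants: READ_CONTROL + GENERIC_WRITE.
EXPECTED_RIGHTS = {"RC", "GW"}

SDDL_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-1-[\d-]+)"
    r"G:(?P<group>[A-Z]{2}|S-1-[\d-]+)"
    r"D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^)]*\))+)$")
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z0-9x]*);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)")

def parse_sddl(sddl):
    """Split an O:..G:..D:(...) string into owner, group and a list of ACE dicts."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for a in ACE_RE.finditer(m.group("dacl")):
        r = a.group("rights")
        # Rights are two-letter codes concatenated, e.g. "RCGW" -> RC, GW.
        rights = [r[i:i + 2] for i in range(0, len(r), 2)]
        aces.append({"type": a.group("type"), "rights": rights, "sid": a.group("sid")})
    return {"owner": m.group("owner"), "group": m.group("group"), "aces": aces}

def check_bypass_peers(sddl):
    """Describe each peer ACE and list findings; an empty findings list means the
    ACE has the shape used on this page (Allow entry, RC+GW, domain group SID)."""
    parsed = parse_sddl(sddl)
    report = []
    for ace in parsed["aces"]:
        findings = []
        sid = ace["sid"]
        rid = int(sid.rsplit("-", 1)[1]) if sid.startswith("S-1-5-21-") else None
        if ace["type"] != "A":
            findings.append(f"ACE type {ace['type']} is not an Allow (A) entry")
        if set(ace["rights"]) != EXPECTED_RIGHTS:
            findings.append(f"rights {''.join(ace['rights'])} differ from RCGW")
        if rid is None:
            findings.append(f"{sid} is not a domain (S-1-5-21-...) SID")
        report.append({"sid": sid, "rid": rid,
                       "name": WELL_KNOWN_RIDS.get(rid, "custom group/RID"),
                       "findings": findings})
    return report
```

Calling `check_bypass_peers` on the question's exact string returns one entry with RID 515, name "Domain Computers" and no findings; a value such as `O:DAG:DAD:(D;;GA;;;S-1-5-32-544)` yields three findings (Deny ACE, wrong rights, non-domain SID).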
ghjm (Author) commented:
Oh, one other thing: I know that IPSEC is working. I have set up a firewall rule that permits port 500 udp traffic, to allow isakmp to operate; and I have verified using the IP Security Monitor management console that IPSEC is actually being established between the two peers. When I permit an exception in Windows Firewall, everything works, and I get IPSEC packet counts, etc. I haven't actually run network captures, but I am pretty confident that the two computers are speaking IPSEC to each other. The problem appears to be that the bypass policy isn't being applied, or doesn't work the way I think it should.

-Graham
ghjm (Author) commented:
Ok, the answer was: In my IPSEC policy, "Enable certificate to account mapping" was not checked. This is required so that the IPSEC engine can look up group memberships on the computer account.
modulo commented:
Closed, 500 points refunded.

modulo
Community Support Moderator
Experts Exchange

Windows Networking