IPSEC & GP
Posted on 2007-11-21
Hopefully you have a good day;
As security threats of losing data by using portable devices increased, I'm interested of the concept of using Domain Isolation, so I started to implement it on a test lap wishing to get the following results :-
1- There will be two domain controllers (2003 R2 with SP2 32 bit) DC1 and DC2, DC1 acts as a DHCP and file server (which contains very critical data) and it also PDC and global catalog server.
2- DC2 is Exchange 2003 (Enterprise Edition) and it can be left without IPSEC security (for allowing clients to get group policy from this server).
3- There is an ISA 2004 (Standard Edition) and it may be used as VPN access server.
4- All client computers must use Kerberos authentication.
So configured this lab as follows
The IP filter list contain the following Protocols
LDAP (both TCP & UDP)
NETBIOS Datagram Service
NETBIOS Name Resolution
NETBIOS Session Service
From DC1 to DC2 Permit all network traffic.
From DC1 to all other devices on the network (Except DC2) require authentication with pre-shared key authentication.
From any client (XP SP2) device on the network to any other client (XP SP2). Require authentication with Kerberos authentication.
For ISA 2004 server, all local area network traffic require authentication with Kerberos authentication and pre-shared authentication for remote connection.
I configured this policy with two locations, first in domain controller security policy and second as a group policy with clients computers OU.
The problem started here after I assigned this IPSEC policy, as sometimes it working with some machines and not working with others and after restarting also situation changes.
So my question is; why this solution is not stable? And what I can do to make it running?
Thanks in advance for your sincere cooperation.