Solved

IPSEC & GP

Posted on 2007-11-21
Last Modified: 2013-12-19
Dear All
Hopefully you have a good day;
As security threats of losing data through portable devices have increased, I'm interested in the concept of Domain Isolation, so I started to implement it in a test lab hoping to get the following results:
1- There will be two domain controllers (2003 R2 with SP2, 32 bit), DC1 and DC2. DC1 acts as DHCP and file server (which contains very critical data), and it is also the PDC and global catalog server.
2- DC2 is Exchange 2003 (Enterprise Edition), and it can be left without IPSEC security (to allow clients to get group policy from this server).
3- There is an ISA 2004 (Standard Edition) and it may be used as VPN access server.
4- All client computers must use Kerberos authentication.
So I configured this lab as follows.
The IP filter list contains the following protocols:
   LDAP (both TCP & UDP)
   RPC
   NETBIOS Datagram Service
   NETBIOS Name Resolution
   NETBIOS Session Service
   SMB
From DC1 to DC2: permit all network traffic.
From DC1 to all other devices on the network (except DC2): require authentication with pre-shared key authentication.
From any client (XP SP2) device on the network to any other client (XP SP2): require authentication with Kerberos authentication.
For the ISA 2004 server, all local area network traffic requires authentication with Kerberos authentication, and pre-shared key authentication for remote connections.
I configured this policy in two locations, first in the domain controller security policy and second as a group policy on the client computers OU.
The problem started after I assigned this IPSEC policy: sometimes it is working with some machines and not with others, and after a restart the situation also changes.
So my question is: why is this solution not stable, and what can I do to make it run?
Thanks in advance for your sincere cooperation.
Question by:melnahas
3 Comments
Expert Comment by SteveH_UK (LVL 19), ID: 20334786
Windows 2000/3/XP/8 do not support communications between DCs and clients using IPsec. This is because the IPsec protocol employed authenticates credentials, but that needs access to Kerberos.

See http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx for more on using IPsec with domain isolation.

Accepted Solution by SteveH_UK (LVL 19), earned 500 total points, ID: 20334812
You may be able to make it work, as you have attempted, using pre-shared keys, but your solution will not be supported by Microsoft and so I'd advise against it.

If you separate the file server onto another machine, then you can lock down communications with it to requiring IPsec.

You could also consider improving network access by managed switches that require connected devices to authenticate via a RADIUS server or 802.11x.

Expert Comment by SteveH_UK (LVL 19), ID: 20334820
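As an added example (not from the thread or from Microsoft's guidance), here is how the client side of the asker's design looks as a netsh ipsec static script on XP SP2 / 2003: one filter list for the listed protocols, a negotiate-only rule using Kerberos for client-to-client traffic, and a more specific permit rule that exempts traffic to DC1, which is the point SteveH_UK makes about IPsec needing Kerberos and Kerberos needing the DC. The DC1 address and policy name are constructed placeholders.

```batch
@echo off
REM Added example: client domain-isolation policy built with netsh ipsec static.
REM DC1 address below is a constructed placeholder; replace with the real one.
set DC1=192.0.2.10
set POLICY=Domain Isolation

REM 1. Policy container. The default response rule is left off so nothing
REM    negotiates outside the rules defined here.
netsh ipsec static add policy name="%POLICY%" description="Client domain isolation" activatedefaultrule=no

REM 2. Filter list for the protocols named in the question. mirrored=yes also
REM    matches the reply direction of each flow.
netsh ipsec static add filterlist name="Client services"
netsh ipsec static add filter filterlist="Client services" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=389 mirrored=yes description="LDAP TCP"
netsh ipsec static add filter filterlist="Client services" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=389 mirrored=yes description="LDAP UDP"
netsh ipsec static add filter filterlist="Client services" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=135 mirrored=yes description="RPC endpoint mapper"
netsh ipsec static add filter filterlist="Client services" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=137 mirrored=yes description="NetBIOS name resolution"
netsh ipsec static add filter filterlist="Client services" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=138 mirrored=yes description="NetBIOS datagram"
netsh ipsec static add filter filterlist="Client services" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=139 mirrored=yes description="NetBIOS session"
netsh ipsec static add filter filterlist="Client services" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB"

REM 3. Traffic to DC1 is exempted. Kerberos tickets come from the DC, so the
REM    client cannot complete a Kerberos-authenticated IKE exchange with it.
netsh ipsec static add filterlist name="DC1 traffic"
netsh ipsec static add filter filterlist="DC1 traffic" srcaddr=me dstaddr=%DC1% protocol=ANY mirrored=yes description="All traffic to DC1"

REM 4. Filter actions: plain permit for the DC; negotiate with no fallback to
REM    clear text (soft=no) and no unsecured inbound (inpass=no) for clients.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Require IPsec" action=negotiate inpass=no soft=no

REM 5. Rules. Kerberos is the only authentication method on the client rule,
REM    so no pre-shared key is stored in the policy.
netsh ipsec static add rule name="Exempt DC1" policy="%POLICY%" filterlist="DC1 traffic" filteraction="Permit" kerberos=yes conntype=lan
netsh ipsec static add rule name="Clients require Kerberos" policy="%POLICY%" filterlist="Client services" filteraction="Require IPsec" kerberos=yes conntype=lan

REM 6. Assign the policy; only one IPsec policy can be assigned at a time.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Windows IPsec applies the most specific matching filter, so the single-host DC1 filter takes precedence over the any-destination filters in "Client services"; the same script would be pushed through the client computers OU rather than typed per machine.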
I'm also not sure as to how you think that this will mitigate the loss of data from portable devices?

The correct solution is two-fold.  Firstly use encryption for local storage, and I recommend full-volume encryption.  Secondly, encrypt communications, but this is only really necessary for the file server and Exchange.  For Exchange, Outlook provides the facility, and I recommend that you use HTTPS/RPC.