Solved

Client Respond Only Vs Request Security

Posted on 2009-04-12
9
402 Views
Last Modified: 2012-05-06
1- Can someone explain to me the difference between:
Client (Respond Only) vs. Server (Request Security)
They sound the same.

2- If I assign Require Security to the domain controller I can't access them using \\DCname or \\DCIPaddress. What's the purpose of using it?

Thanks


0
Question by:jskfan
9 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24130048
Client (Respond Only) will respond to encryption requests... it won't initiate them. Communications will be encrypted if the other machine it is communicating with is set to Request or Require (Secure Server). If the other machine is set to Client (Respond Only), then communications will not be encrypted. Additionally, Client (Respond Only) will only secure the port or socket connection it is communicating on with the server.

Server (Request Security) will request IPsec every time... but not require it.

Secure Server (Require Security) requires IPsec on all ports communicating unless the client is trusted. Untrusted clients incapable of IPsec will not be able to communicate with the server.
0
 

Author Comment

by:jskfan
ID: 24130723
I have created a GPO on the Domain Controllers OU.
I set it up for All IP Traffic to Require Security.

On the Computers OU (not Domain Controllers), I have permitted all IP traffic to and from the domain controller. The option is just one IP address, so I picked one IP of one domain controller.

I don't know if my settings are secure or not.

What do you suggest?


0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131188
I usually set the servers to Server / Request... and clients to Respond Only...

If you want to get really tough, you set servers to Require, but that would make them unavailable to untrusted machines or machines/devices that are incapable of negotiating IPsec. This could potentially "break" access to any number of services you are offering inside and outside your network on policy-affected servers.
0
 

Author Comment

by:jskfan
ID: 24131269
In our network we have DCs that are all Windows 2003; we have XP and Vista machines.
I want to apply Require Security for all IP traffic between domain controllers.
I am afraid that if I apply Require Security for computers (WXP and Vista) I will not be able to join them to the domain.

I also want to be able to access domain controller shares by typing \\domaincontrollername from a workstation or a server which is a member of the domain.
I am not sure how to tweak it, because in IPsec if you apply Require Security for All IP Traffic it's the more restrictive rule, and you can't add a rule that lets you browse to a DC by typing \\domaincontrollername. You won't even be able to ping the DC even if you permit all ICMP traffic.
0
 

Author Comment

by:jskfan
ID: 24131355
On this link: http://support.microsoft.com/kb/254949

it says "You may want to add a rule to the IPSec policy to exempt ICMP traffic from IPSec security negotiation".

How do you do that? I added this rule and gave it Permit, but could not ping the DC.
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24131555
You might also want to exempt DNS traffic...

I would do a lot of reading before assuming the policy setup you've chosen is right for your network.
Joining machines to the network shouldn't be an issue, provided they have the IPsec key/cert or you are relying on Kerberos, which is not a protocol that IPsec policy can encrypt.

Start here: http://technet.microsoft.com/en-us/network/bb531150.aspx
0
 

Author Comment

by:jskfan
ID: 24133015
Ok...

From DC to DC you select Require Security.
What about from client to DC and DC to client?
What about from client to client?

By client I mean anything running WXP and Windows 2003.
0
 
LVL 25

Accepted Solution

by: Ron Malmstead (earned 500 total points)
ID: 24134212
Have a look here.
These are supported configurations.
http://support.microsoft.com/kb/254949
0
 

Author Comment

by:jskfan
ID: 24137160
Ok...

Can you show me how to use IPsec from:
DC to DC only, without preventing clients (XP or Vista) from joining the domain or browsing to the DC by typing \\DCcomputername.
Server to Server.

Thanks
0
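One way to get the DC-to-DC-only setup the last question asks for, as an added example that is not from this thread or from the linked KB article: instead of binding Require Security to the built-in "All IP Traffic" filter list, scope the filter list to the other domain controllers' addresses, so traffic to anything not listed (XP/Vista clients joining the domain, \\DCname browsing, ping) matches no filter and is left in the clear. It assumes the Windows Server 2003 `netsh ipsec static` syntax, Kerberos for IKE authentication between the DCs, and the addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders for the peer DCs.

```batch
@echo off
rem Added example: require IPsec only between domain controllers.
rem Run on each Windows Server 2003 DC, replacing the peer addresses
rem (192.0.2.10 / 192.0.2.11 are constructed placeholders).
rem This writes the local policy store; to write the Active Directory store
rem instead, run first:  netsh ipsec static set store location=domain
set POLICY=DC-to-DC Require Security

rem 1. Create the policy unassigned; assign it last, after the rule is checked.
netsh ipsec static add policy name="%POLICY%" description="IPsec required between DCs only" assign=no

rem 2. Filter list naming the OTHER DCs explicitly. "me" is this host;
rem    mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="DC peers" description="Traffic between domain controllers"
netsh ipsec static add filter filterlist="DC peers" srcaddr=me dstaddr=192.0.2.10 protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="DC peers" srcaddr=me dstaddr=192.0.2.11 protocol=ANY mirrored=yes

rem 3. Filter action equivalent to "Require Security":
rem    negotiate, never fall back to clear (soft=no), no unsecured inbound (inpass=no).
netsh ipsec static add filteraction name="Require IPsec" action=negotiate inpass=no soft=no

rem 4. Rule binding the list and action, authenticated with Kerberos
rem    (both ends are domain members, so no shared key or certificate is needed).
netsh ipsec static add rule name="DC to DC" policy="%POLICY%" filterlist="DC peers" filteraction="Require IPsec" kerberos=yes

rem 5. Assign the policy. Anything not matched by "DC peers" is untouched,
rem    so clients can still join the domain, browse \\DCname and ping the DC.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Verify what is now active and which filters it contains.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

If the two DCs fail to negotiate with Kerberos authentication, the usual cause is the IKE Kerberos exchange itself falling under the rule; the alternatives are certificate authentication on the rule (rootca=) or a more specific Permit filter for Kerberos between the DC addresses, which takes precedence over the any-protocol filter.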
