IP Sec (Solved)

Posted on 2011-03-03
Last Modified: 2012-05-11
Is there an easy way to configure IPSec on Windows 2008 Server R2?
Question by: tommym121

Accepted Solution by: rnicolaus (LVL 6, earned 500 total points)
Here's a link to detailed instructions (I've also posted them below for reference):

http://www.caryglobal.com/MIKLOS/post/How-to-configure-IPSec-on-Windows-20008---Example-and-detailed-steps.aspx

To begin with, let’s say that you have Machine "A" and want to use IPSec for the communication on port 3389. We will use the ‘non recommended procedure’, but the good thing is that you can configure this very quickly and test it in your non-production environment. So let’s begin:

Task 1: Create an IPsec Negotiation policy on Computer "A"

1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Right-click the IP Security Policies on Local Computer node, and then click Create IP Security Policy.
3. On the Welcome screen of the IP Security Policy Wizard, click Next.
4. In the Name box, type Secure3389. In the Description field, type Policy to encrypt SMB, and then click Next.
5. If you will NOT have machines earlier than Windows Vista in your environment, then ensure that Activate the default response rule is not selected, click Next, and go to step 7.
6. In the Default Response Rule Authentication Method, choose the option Use this string to protect the key exchange (preshared key): and type $ecrET.
7. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit properties is selected, and then click Finish.
8. In the Secure3389 Properties dialog box, click Add.
9. In the Welcome to the Create IP Security Rule Wizard, click Next.
10. In the Tunnel EndPoint dialog box, click This rule does not specify a tunnel. Click Next.
11. In the Network Type dialog box, click All network connections, and then click Next.
12. In the IP Filter List dialog box, click Add.
13. A new dialog box called IP Filter List appears. Type Secure3389TCP, and then click Add.
14. On the Welcome screen of the IP Filter Wizard, click Next.
15. In the Description text box, type 3389 IPsec Filter. Click Next.
16. In the IP Traffic Source dialog box, click Any IP Address, and then click Next.
17. In the IP Traffic Destination dialog box, click Any IP Address, and then click Next.
18. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then click Next.
19. In the Protocol Port dialog box, select From this port, type 3389 in the text box, select To Any port, and then click Next.
20. On the Completing the IP Filter Wizard screen, click Finish, and then click OK.
21. In the IP Filter list, select Secure3389TCP, and then click Next.
22. In the Filter Action dialog box, click Add.
23. In the Filter Action Wizard dialog box, click Next.
24. In the Filter Action Name dialog box, type Secure3389Filter, and then click Next.
25. In the Filter Action General Options dialog box, select Negotiate Security, and then click Next.
26. In the Communicating with computers that do not support IPsec dialog box, select Do not allow unsecured communications, and then click Next.
27. In the IP Traffic Security dialog box, select Integrity and encryption, and then click Next.
28. On the Completing the IP Security Filter Action Wizard screen, click Finish.
29. In the Filter Action dialog box, select Secure3389Filter, and then click Next.
30. In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key), type $ecrET, and then click Next.
31. On the Completing the Security Rule Wizard screen, click Finish.
32. In the Secure3389 Properties dialog box, click OK.

Task 2: Assign the Policy

Although you have already created the policy, it is still not active until you assign it. To do so:

1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Go to the IP Security Policies on Local Computer node, and in the right pane right-click the Secure3389 policy and select Assign.

You are done! You have configured IPSec for port 3389. Now let’s see how you need to configure the clients so that they can communicate with each other.

Windows Vista or Machine "B"

On a Windows Vista client the process is similar to the one I presented before, so you can execute steps 1 through 32 and then you will be able to connect. Alternatively, you can export the policy from Windows 2008 and import it on Windows Vista with this procedure:

1. In the Local Security Policy Microsoft Management Console (MMC) console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies.
2. In the Save As dialog box, type C:\IPSecPolicy\IPsecurityPolicy3389.ipsec, and then click Save (and then save that IPsec policy on a USB key).

Import the security policy to the Windows Vista machine (Machine "B"):

1. On the Windows Vista machine, open the local security policy. To do this, click Start, click the Start Search box, and then type gpedit.msc.
2. Navigate to Computer Configuration → Windows Settings → IP Security Policies on Local Computer.
3. Right-click IP Security Policies on Local Computer, click All Tasks, and then click Import Policies.
4. It is good to read the IP Security Import warning; after that, click Yes.
5. In the Open dialog box, navigate to the USB key (where you should have the file), and then double-click IPsecurityPolicy3389.ipsec.

We are finished! Of course, if you have access to the file (in a LAN) you can share it in a directory and copy it more easily.

Now you can try it and have the 3389 communication protected under IPSec!

Another thing is the enforcement; for that you need to use the Advanced Windows Firewall and configure a Security Association with this procedure:

Configure a Security Association rule in the Windows Firewall with Advanced Security MMC

1. On Computer "A", click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Select and then right-click Connection Security Rules, and then click New Rule.
3. In the New Connection Security Rule Wizard, select Server-to-server, and then click Next.
4. In the Endpoints dialog box, select Any IP Address for both options, and then click Next.
5. In the Requirements dialog box, select Require authentication for inbound and outbound connections, and then click Next.
6. In the Authentication Method dialog box, select Preshared key, type $ecrET in the text box, and then click Next.
7. On the Profile page, verify that the Domain, Private, and Public options are selected, and then click Next.
8. In the Name box, type SecureServerAuthenticationRule, and then click Finish.
9. Perform steps 1 through 8 on Computer "B".

And now you are completely done… enjoy your IPsec connection between them.
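The same configuration as the GUI walkthrough above, expressed as netsh commands so it can be repeated identically on several machines. This is an added example, not code from the answer or from the linked blog post. The policy, filter list, filter action, rule and PSK names are the ones the post uses; the quick-mode algorithm string (ESP with 3DES/SHA1), the export directory and the rule name Secure3389Rule are assumptions of this script, since the wizard does not show which defaults it picks. Run it from an elevated command prompt on Windows Server 2008 R2 or Windows 7.

```batch
@echo off
setlocal
REM Added example (not the original post's code): netsh equivalent of the
REM Local Security Policy and Windows Firewall with Advanced Security wizards.
REM Names and PSK come from the post; algorithms and paths are assumed choices.

set POLICY=Secure3389
set FILTERLIST=Secure3389TCP
set FILTERACTION=Secure3389Filter
set PSK=$ecrET
set EXPORTDIR=C:\IPSecPolicy
set EXPORTFILE=%EXPORTDIR%\IPsecurityPolicy3389.ipsec

REM --- Task 1: legacy IP Security Policy (what the Local Security Policy MMC edits) ---

REM Steps 4-5: create the policy without the default response rule (no pre-Vista peers).
netsh ipsec static add policy name=%POLICY% description="Policy to encrypt SMB" activatedefaultrule=no

REM Steps 12-20: filter list matching TCP from port 3389 to any port, any address.
REM mirrored=yes also matches the reply direction, as the wizard does by default.
netsh ipsec static add filterlist name=%FILTERLIST%
netsh ipsec static add filter filterlist=%FILTERLIST% srcaddr=any dstaddr=any protocol=TCP srcport=3389 mirrored=yes description="3389 IPsec Filter"

REM Steps 22-28: negotiate security, never fall back to cleartext (soft=no),
REM integrity and encryption via ESP. The algorithm pair is an assumed choice.
netsh ipsec static add filteraction name=%FILTERACTION% action=negotiate soft=no inpass=no qmsecmethods="ESP[3DES,SHA1]"

REM Steps 8-32: rule binding list and action, all connection types, PSK auth.
netsh ipsec static add rule name=Secure3389Rule policy=%POLICY% filterlist=%FILTERLIST% filteraction=%FILTERACTION% conntype=all psk="%PSK%"

REM --- Task 2: assign the policy (it is inert until assigned) ---
netsh ipsec static set policy name=%POLICY% assign=yes

REM --- Export for Machine "B"; import there with: netsh ipsec static importpolicy file=<path> ---
if not exist "%EXPORTDIR%" mkdir "%EXPORTDIR%"
netsh ipsec static exportpolicy file="%EXPORTFILE%"

REM --- Enforcement: connection security rule (Server-to-server wizard, steps 1-8) ---
REM Any-to-any endpoints, authentication required inbound and outbound, PSK, all profiles.
REM Run this command on Computer "B" as well (step 9).
netsh advfirewall consec add rule name=SecureServerAuthenticationRule endpoint1=any endpoint2=any action=requireinrequireout auth1=computerpsk auth1psk="%PSK%" profile=any

REM --- Verify: assigned policy, the rule, and (after a connection to 3389) the negotiated SAs ---
netsh ipsec static show policy name=%POLICY% level=verbose
netsh advfirewall consec show rule name=SecureServerAuthenticationRule
netsh advfirewall monitor show qmsa
endlocal
```

Two points worth checking when you run this. First, `netsh advfirewall monitor show qmsa` should list a quick-mode SA for the peer only after traffic to port 3389 has flowed; an empty list after a connection attempt means negotiation failed, and the filter action above refuses cleartext, so the connection simply does not go through. Second, the preshared key is stored readably in the policy, which is why the post itself calls this the ‘non recommended procedure’; for anything beyond a lab, swap `psk=` for `kerberos=yes` in the static rule and `auth1=computerpsk` for `auth1=computerkerb` or a certificate method in the connection security rule.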