Solved

IP Sec

Posted on 2011-03-03
Last Modified: 2012-05-11

Question by: tommym121

Is there an easy way to configure IPsec on Windows Server 2008 R2?
Accepted Solution

by: rnicolaus (LVL 6, earned 500 total points)
ID: 35031473
Here's a link to detailed instructions (I've also posted them below for reference):

http://www.caryglobal.com/MIKLOS/post/How-to-configure-IPSec-on-Windows-20008---Example-and-detailed-steps.aspx

To begin, let's say that you have Machine "A" and want to use IPsec for the communication on port 3389. We will use the "non-recommended procedure", but the good thing is that you can configure this very quickly and test it in your non-production environment. So let's begin:

Task 1: Create an IPsec negotiation policy on Computer "A"

1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Right-click the IP Security Policies on Local Computer node, and then click Create IP Security Policy.
3. On the Welcome screen of the IP Security Policy Wizard, click Next.
4. In the Name box, type Secure3389. In the Description field, type Policy to encrypt SMB, and then click Next.
5. If you will NOT have machines earlier than Windows Vista in your environment, ensure that Activate the default response rule is not selected, click Next, and go to step 7.
6. In the Default Response Rule Authentication Method, choose the option Use this string to protect the key exchange (preshared key), and type $ecrET.
7. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit properties is selected, and then click Finish.
8. In the Secure3389 Properties dialog box, click Add.
9. In the Welcome to the Create IP Security Rule Wizard, click Next.
10. In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel. Click Next.
11. In the Network Type dialog box, click All network connections, and then click Next.
12. In the IP Filter List dialog box, click Add.
13. A new dialog box called IP Filter List appears. Type Secure3389TCP, and then click Add.
14. On the Welcome screen of the IP Filter Wizard, click Next.
15. In the Description text box, type 3389 IPsec Filter. Click Next.
16. In the IP Traffic Source dialog box, click Any IP Address, and then click Next.
17. In the IP Traffic Destination dialog box, click Any IP Address, and then click Next.
18. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then click Next.
19. In the Protocol Port dialog box, select From this port, type 3389 in the text box, select To any port, and then click Next.
20. On the Completing the IP Filter Wizard screen, click Finish, and then click OK.
21. In the IP Filter list, select Secure3389TCP, and then click Next.
22. In the Filter Action dialog box, click Add.
23. In the Filter Action Wizard dialog box, click Next.
24. In the Filter Action Name dialog box, type Secure3389Filter, and then click Next.
25. In the Filter Action General Options dialog box, select Negotiate security, and then click Next.
26. In the Communicating with computers that do not support IPsec dialog box, select Do not allow unsecured communication, and then click Next.
27. In the IP Traffic Security dialog box, select Integrity and encryption, and then click Next.
28. On the Completing the IP Security Filter Action Wizard screen, click Finish.
29. In the Filter Action dialog box, select Secure3389Filter, and then click Next.
30. In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key), type $ecrET, and then click Next.
31. On the Completing the Security Rule Wizard screen, click Finish.
32. In the Secure3389 Properties dialog box, click OK.

Task 2: Assign the policy

The policy you just created is not active until you assign it. To do so:

1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Go to the IP Security Policies on Local Computer node, right-click the Secure3389 policy in the right pane, and select Assign.

You are done! You have configured IPsec for port 3389. Now let's see how to configure the clients so they can communicate with each other.

Windows Vista or Machine "B"

On the Windows Vista client the process is similar to the one I presented before, so you can execute steps 1 through 32 and then you will be able to connect, or you can export the policy from Windows 2008 and import it on Windows Vista with this procedure:

1. In the Local Security Policy Microsoft Management Console (MMC) console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies.
2. In the Save As dialog box, type C:\IPSecPolicy\IPsecurityPolicy3389.ipsec, and then click Save (then copy that IPsec policy file to a USB key).

Import the security policy to Windows Vista machine (Machine "B"):

1. On the Windows Vista machine, open the local security policy. To do this, click Start, click the Start Search box, and then type: gpedit.msc.
2. Navigate to Computer Configuration > Windows Settings > IP Security Policies on Local Computer.
3. Right-click IP Security Policies on Local Computer, click All Tasks, and then click Import Policies.
4. It is good to read the IP Security Import warning; after that, click Yes.
5. In the Open dialog box, navigate to the USB key (where you should have the file), and then double-click IPsecurityPolicy3389.ipsec.

We're finished! Of course, if you have LAN access you can share the file in a directory and copy it more easily.

Now you can try it, and have the 3389 communication protected under IPsec!

Another thing is enforcement. For that you need to use Windows Firewall with Advanced Security and configure a Security Association rule with this procedure:

Configure a Security Association rule in the Windows Firewall with Advanced Security MMC

1. On Computer "A", click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Select and then right-click Connection Security Rules, and then click New Rule.
3. In the New Connection Security Rule Wizard, select Server-to-server, and then click Next.
4. In the Endpoints dialog box, select Any IP Address for both options, and then click Next.
5. In the Requirements dialog box, select Require authentication for inbound and outbound connections, and then click Next.
6. In the Authentication Method dialog box, select Preshared key, type $ecrET in the text box, and then click Next.
7. On the Profile page, verify that the Domain, Private, and Public options are selected, and then click Next.
8. In the Name box, type SecureServerAuthenticationRule, and then click Finish.
9. Perform steps 1 through 8 on Computer "B".

And now you are completely done. Enjoy your IPsec connection between them.
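To make the walkthrough above scriptable and verifiable, here is the same configuration expressed as netsh commands. This is an added example, not part of the original post or the linked article. It assumes an elevated PowerShell prompt on Windows Server 2008 R2 (or Windows 7), reuses the policy, filter and rule names and the preshared key from the post, and relies only on the netsh ipsec static and netsh advfirewall contexts that ship with those versions. Run it on Computer "A", then again on Computer "B".

```powershell
# Added example, not from the original post or the linked article: the GUI
# walkthrough above as netsh commands for Windows Server 2008 R2 / Windows 7.
# Run from an elevated PowerShell prompt on Computer "A", then on Computer "B".
# Assumptions: policy/filter/rule names and the preshared key are the ones the post uses.

function Invoke-Netsh {
    # Runs one netsh command and aborts on failure, so a typo in an early step
    # cannot leave a half-built policy behind that then gets assigned.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed:`n$out" }
    $out
}

# Single quotes matter: in double quotes PowerShell would expand "$ecrET" as a
# (nonexistent) variable and netsh would receive an empty preshared key.
$Psk = '$ecrET'

# ---- Task 1: legacy IP Security Policy (what the Local Security Policy wizard builds) ----
Invoke-Netsh ipsec static add policy name=Secure3389 'description=Policy to encrypt 3389' activatedefaultrule=no assign=no

# One mirrored filter: any IP <-> any IP, TCP, source port 3389, any destination
# port (0 = any). mirrored=yes makes the reply direction match as well.
Invoke-Netsh ipsec static add filterlist name=Secure3389TCP 'description=3389 IPsec Filter'
Invoke-Netsh ipsec static add filter filterlist=Secure3389TCP srcaddr=any dstaddr=any protocol=TCP srcport=3389 dstport=0 mirrored=yes

# Negotiate security and never fall back to clear text (inpass=no, soft=no);
# ESP gives both integrity and encryption, matching step 27.
Invoke-Netsh ipsec static add filteraction name=Secure3389Filter action=negotiate inpass=no soft=no 'qmsecmethods=ESP[3DES,SHA1]'

# Rule = filter list + filter action + preshared key, no tunnel endpoints (step 10).
Invoke-Netsh ipsec static add rule name=Secure3389Rule policy=Secure3389 filterlist=Secure3389TCP filteraction=Secure3389Filter "psk=$Psk" kerberos=no

# ---- Task 2: assign. Nothing above is enforced until this line. ----
Invoke-Netsh ipsec static set policy name=Secure3389 assign=yes

# ---- Enforcement: connection security rule in Windows Firewall with Advanced Security ----
# Server-to-server, any endpoints, authentication required inbound and outbound,
# computer preshared key, all three profiles. As in step 4 of the post, this
# covers all traffic between the two peers, not only port 3389.
Invoke-Netsh advfirewall consec add rule name=SecureServerAuthenticationRule endpoint1=any endpoint2=any action=requireinrequireout auth1=computerpsk "auth1psk=$Psk" profile=any

# ---- Checks ----
Invoke-Netsh ipsec static show policy name=Secure3389 level=verbose
Invoke-Netsh advfirewall consec show rule name=SecureServerAuthenticationRule

# After opening an RDP session from "B" to "A", a main-mode and a quick-mode SA
# must be listed here. Empty lists mean the traffic is NOT being protected.
Invoke-Netsh advfirewall monitor show mmsa
Invoke-Netsh advfirewall monitor show qmsa
```

Two things worth checking when you run this. First, the last two commands are the real test: an RDP session that succeeds while `monitor show qmsa` stays empty means the connection is in clear text and the policy is not matching. Second, the preshared key is stored in clear in the local policy store on both machines, which is why the post itself calls this the "non-recommended procedure"; it is fine for the non-production test the post describes, but for anything beyond that replace `auth1=computerpsk` with Kerberos (`computerkerb`, for domain members) or certificates (`computercert`).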