IPSEC with Kerberos
I have a task to enable IPSEC for computer/server communications. However, there are TONS of systems, 8500 Desktops and boat loads of servers. They are all nicely placed into OU's based on department. Both Server/Workstations are nested in an OU IE
Root
Department A
Servers
Desktops
Users
Department B
I was considering creating a single GPO linked to the Department OU that configures "Secure Server" since it will initiate encryption to the target if supported. This way all traffice for that OU will be secured and I wont have to make TONS of filters to allow for other systems. The clinets not only communicate with the OU servers but other servers in other OUs. Same with the Servers. They need to be able to respond to non ipsec based systems. The objective is to secure all communications WITHIN the OU.
In the future they may required servers to be required, in that event filters will be needed.
Also, there is a mix of WIndows 7/Vista/XP for desktops 2003/2008 for servers.
As far as filtering the GPO I was just going to link it the OU and leave security filtering to "Authenticated Users" Edit my ipsec policy and assign it.
If I am not doing this correct please help me out.
Root
Department A
Servers
Desktops
Users
Department B
I was considering creating a single GPO linked to the Department OU that configures "Secure Server" since it will initiate encryption to the target if supported. This way all traffice for that OU will be secured and I wont have to make TONS of filters to allow for other systems. The clinets not only communicate with the OU servers but other servers in other OUs. Same with the Servers. They need to be able to respond to non ipsec based systems. The objective is to secure all communications WITHIN the OU.
In the future they may required servers to be required, in that event filters will be needed.
Also, there is a mix of WIndows 7/Vista/XP for desktops 2003/2008 for servers.
As far as filtering the GPO I was just going to link it the OU and leave security filtering to "Authenticated Users" Edit my ipsec policy and assign it.
If I am not doing this correct please help me out.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Once the policy is applied you need to reboot the worksation PC.Ran gpresult to see if the policy is applied on the PC or you can also ran rsop.msc to check if the policy is applied.
Also check the application log event id 1704 should occur if the policy is applied sucessfully.
Also check the application log event id 1704 should occur if the policy is applied sucessfully.
ASKER
Do I only reboot the workstations? Servers?
Reboot only workstation after the policy is applied.
ASKER
Everything appears to be working ONLY if I add the computer object to the security filter of the GPO.
I had removed the authenticated users and pult in my AD Group that contained 10 test servers/destktops.
They wont apply the policy unless I enter them in manually to the security filtering.
Why are they not pulling from the defined AD Security group? I have tried Global/Universal
I had removed the authenticated users and pult in my AD Group that contained 10 test servers/destktops.
They wont apply the policy unless I enter them in manually to the security filtering.
Why are they not pulling from the defined AD Security group? I have tried Global/Universal
ASKER
I also believe this requires a reboot of the PC once the GPO is applied..
I know this sounds dumb but how do you know if the policy is in effect and functioning? I looked into netsh/ipsec and could not find a STATUS if you willl. I just need to verity the policy IS in fact operational on the server/client.