Automate IPSEC Domain/Network Isolation implementation in a blended environment

Posted on 2014-07-17
Last Modified: 2014-07-22
Thank you for taking time to review this post.
We have been tasked to implement Domain Isolation using IPSEC to secure the departmental server resources. The environment is a large campus area network. Picture a large college campus, hospital, or other enterprise network with multiple departments on the same "network".
Number of servers: ~75
Number of users: ~1200
The environment has the following OS(s):
XP, Win7, Win8, W2K3, W2K8, W2K8R2, W2K12, W2K12R2, OS X (Mac)

My colleague's question: Is there a way to incorporate Mac, XP, Win7 and the various server OS(s) all together in one automated deployment? Realizing the Vista-and-later machines can be deployed by GPO, we are struggling with how to do so for the XP and Mac machines.

My colleague and I have spent quite some time researching this to no avail.

I appreciate any guidance.

    LVL 38

    Expert Comment

    by:Rich Rumble
    I don't know of a more central way beyond AD, and as for Macs I have no idea how well they play with IPSEC in Windows. The Windows IPSEC is built on standards, mostly, but it does have some proprietariness that may cause issues.
    I do remember that there are some limitations in Vista and 2008, but not Win7/Win8, when it comes to NAT+IPSEC.

    I have configured Linux/Unix hosts to talk to Windows IPSEC hosts using certificates and preshared keys, but I don't think it worked when we tried to use Kerberos tickets.

    Author Comment

    by:Bob Avritt MCSE:Security
    Thanks for the reply. I am unfortunately hindered by the fact that I am coming into this late in the game and am not the principal in this initiative. With that said...

    I am pretty sure that OS 10.9 can be managed directly by AD (from what I have read). Again, not being the principal in this, I have no way of testing to verify the solution.

    There are 3rd-party AD plugins which claim to integrate the Macs. Perhaps that will be the solution.

    Again thanks for the reply.


    LVL 38

    Accepted Solution

    I know you can use Centrify and other 3rd parties, but I don't have any experience in Mac+AD integration. I do use and deploy IPSEC, and if Linux can do it, I know a Mac could, but again I'm not sure what program is best for all OSes to manage the IPSEC portions. We use scripts for Linux and GPOs for AD (M$).

    LVL 27
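    As an added illustration of the GPO/script side mentioned above (example code, not from the thread or its posters): the NetSecurity cmdlets available on Windows 8 / Server 2012 and later can create a Kerberos-authenticated domain isolation rule from a script or against a GPO store. The machine is assumed to be domain-joined; the GPO name is a placeholder.

```powershell
# Added example, not from the original thread. Requires Windows 8 / Server 2012
# or later (NetSecurity module) on a domain-joined host.
Import-Module NetSecurity

# Local store for testing; to write into a GPO instead, use
# '<domain>\<GPO name>' (placeholder, e.g. 'corp.example.com\IPsec Domain Isolation').
$PolicyStore = 'PersistentStore'

# Phase 1 (main mode) authentication: Kerberos for the computer account,
# so only domain members can authenticate.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Kerberos machine auth' `
              -Proposal $proposal -PolicyStore $PolicyStore

# Start in Request/Request mode: domain members negotiate IPsec with each
# other, while hosts that cannot (XP without a policy, Macs) still connect in
# the clear. Switch -InboundSecurity to 'Require' on the servers only after
# those hosts are handled or exempted, or they lose access.
New-NetIPsecRule -DisplayName 'Domain Isolation - request in/out' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Mode Transport -Profile Domain -PolicyStore $PolicyStore

# Verification on an endpoint once the rule applies: the rule is present and
# main mode SAs show Kerberos as the first authentication method.
Get-NetIPsecRule -DisplayName 'Domain Isolation - request in/out' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

    Hosts that never show up in Get-NetIPsecMainModeSA while talking to the servers are the ones (XP, Mac) that still need a separate policy or an exemption before moving to Require.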

    Assisted Solution

    Macs can already join AD, but they only get the benefit of having the ability to use the same password. Group Policy doesn't work without additional 3rd-party software like Centrify or PowerBroker Enterprise. You could also join LDAP or OpenDirectory at the same time and manage other aspects of the Mac from there, but you'd have to manage both AD and LDAP or OpenDirectory.
