Automate IPSEC Domain/Network Isolation implementation in a blended environment

Thank you for taking time to review this post.
We have been tasked to implement Domain Isolation using IPSEC to secure the departmental server resources. The environment is a large campus area network. Picture a large college campus, hospital, or other enterprise network with multiple departments on the same "network".
Number of servers: ~75
Number of users: ~1200
The environment has the following OS(s):
XP, WIN7, WIN8, W2K3, W2K8, W2K8R2, W2K12, W2K12R2, OS X (Mac)

My colleague's question: Is there a way to incorporate Mac, XP, Win7, and the various server OSes all together for an automated deployment? Realizing the >Vista machines can be deployed by GPO, we are struggling with how to do so with the XP and Mac machines.

My colleague and I have spent quite some time researching this to no avail.

I appreciate any guidance.

Bob Avritt, MCSE:Security, Systems Administrator, asked:

Rich Rumble, Security Samurai, commented:
I don't know of a more central way beyond AD, and as for Macs I have no idea how well they play with IPSEC in Windows. The Windows IPSEC is built on standards, mostly, but it does have some proprietary parts that may cause issues.
I do remember that there are some limitations in Vista and 2008, but not Win7/Win8, when it comes to NAT+IPSEC.

I have configured Linux/Unix hosts to talk to Windows IPSEC hosts using certificates and preshared keys, but I don't think it worked when we tried to use Kerberos tickets.
Bob Avritt, MCSE:Security, Systems Administrator (author), commented:
Thanks for the reply. I am unfortunately hindered by the fact that I am coming into this late in the game and am not the principal in this initiative. With that said...

I am pretty sure that OS 10.9 can be managed directly by AD (from what I have read). Again, not being the principal in this, I have no way of testing to verify the solution.

There are 3rd party AD plugins which claim to integrate the Macs. Perhaps that will be the solution.

Again thanks for the reply.


Rich Rumble, Security Samurai, commented:
I know you can use Centrify and other 3rd parties, but I don't have any experience in Mac+AD integration. I do use and deploy IPSEC, and if Linux can do it, I know a Mac could, but again I'm not sure what program is best for all OSes to manage the IPSEC portions. We use scripts for Linux and GPOs for AD (M$).

Experts Exchange Solution:
Macs can already join AD, but they only get the benefit of having the ability to use the same password. Group Policy doesn't work without additional 3rd party software like Centrify or PowerBroker Enterprise. You could also join LDAP or OpenDirectory at the same time and manage other aspects of the Mac from there, but you'd have to manage both AD and LDAP or OpenDirectory.