• The NAT-Traversal (NAT-T) feature, which allows IPSec-encrypted traffic to be transmitted to and from hosts that reside behind a network address translation (NAT)-enabled firewall or proxy server
• Support for network load balancing
• Persistent policies that will protect the local computer even if a Group Policy-based IPSec policy cannot be applied
• Changes to the default IPSec exemptions, which allow more types of traffic to be secured by IPSec out of the box
Using a Graphical User Interface
To create and manage an IPSec policy that will apply only to a single computer, you'll use the
IP Security Policy Management MMC snap-in. To manage IPSec policies that are stored in
Active Directory, you'll use the Group Policy Editor, which is accessible via either Active Directory
Users and Computers or the Group Policy Management Console.
When configuring IPSec policies via Active Directory, you can configure a separate IPSec
policy within each Group Policy object (GPO). For example, this would allow computers
located in the Finance OU (or some other OU containing sensitive resources) to be configured
with a more stringent IPSec policy than other containers in your Active Directory domain.
Using a Command-Line Interface
The primary tool that you'll use to administer IPSec from the command line is netsh. You can
use netsh commands to configure individual items on the fly, or you can combine multiple
commands into a batch file. In this way, you can create an entire IPSec policy through a netsh
batch file, and then use this file to configure multiple computers on your network.
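The kind of batch file described above, as an added example that is not a listing from the book: it builds one local policy with the netsh ipsec static context of Windows Server 2003 and assigns it only as the last step. The policy, filter list, filter action and rule names, and the choice of TCP port 23, are constructed sample values.

```batch
@echo off
rem Added example: one complete local IPSec policy built with netsh ipsec static.
rem Every name and the port number below are constructed sample values.
setlocal
set POLICY=Require-IPSec-Telnet
set FLIST=Inbound-Telnet
set FACTION=Require-ESP
set RULE=Telnet-Rule

rem 1. Create the policy unassigned, so nothing is enforced while it is incomplete.
netsh ipsec static add policy name="%POLICY%" description="Sample policy" assign=no

rem 2. Filter list: any address to this computer on TCP 23, mirrored for return traffic.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes

rem 3. Filter action: negotiate ESP with 3DES and SHA1.
rem    inpass=no refuses unsecured inbound traffic; soft=no disables fallback to clear text.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Rule: bind the filter list to the filter action inside the policy.
rem    kerberos=yes selects Kerberos authentication, which needs domain membership.
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes

rem 5. Print the finished policy for review before it takes effect.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 6. Assign the policy. Only one local policy can be assigned at a time.
netsh ipsec static set policy name="%POLICY%" assign=yes
endlocal
```

Run it from an administrative command prompt on each target computer. Because the policy is created with assign=no, removing step 6 leaves a complete but inactive policy that can be reviewed first.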
7-1. Creating an IPSec Policy
Problem
You want to create an IPSec policy on a Windows Server 2003 computer.
Solution
Using a Graphical User Interface
1. Open the Group Policy Management Console or the IP Security Policy Management MMC snap-in.
2. Navigate to Computer Configuration\Windows Settings\Security Settings.
3. Right-click IP Security Policies and select Create IP Security Policy.
4. Click Next on the initial Welcome screen.