How It Works
To enable IPSec for a Windows Server 2003 computer, you must configure an IPSec policy that
will apply to an individual computer or an Active Directory container. You can configure as
many IPSec policies as you wish, but only one policy can be applied to a computer at any given
time. (The only exception to this is persistent policies; see Recipe 7-17.)
Each policy provides you with almost unlimited configuration options, since it can consist
of any number of individual IPSec rules. An IPSec rule dictates how IPSec will process a
particular type of traffic (see Recipes 7-2 and 7-3). For example, you might have one rule that will
block all inbound traffic on port 1433, another rule that will allow traffic to port 80 on your
internal web server, and a third rule that will use a particular IPSec security method to secure
traffic sent between workstations and servers. You'll combine all three of these (very different)
rules into a single IPSec policy that you can then apply to a Windows Server 2003 computer.
When you're working from the command line, by default, netsh commands will operate
against policies that are stored locally on a Windows Server 2003 computer. To manage IPSec
policies that are stored in Active Directory, you need to issue the set store location = domain
command. This will allow you to manipulate domain-based IPSec policies from the command line.
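As an added example (not from the book), the following batch script builds the three-rule policy just described from the command line, using netsh in its ipsec static context against the local policy store. The policy, filter list, filter action and rule names, the internal web server address (10.0.0.10), the workstation subnet (10.0.1.0/24) and the ESP security method are all assumptions; the policy is created unassigned so it can be reviewed before it takes effect.

```batch
@echo off
REM Added example, not from the book: builds a three-rule IPSec policy with
REM netsh (ipsec static context) in the LOCAL policy store.
REM Names, addresses and the ESP security method below are assumptions.
REM Run as a member of the local Administrators group on Windows Server 2003.

setlocal

REM Operate on the local store (the default). Use location=domain to manage
REM policies stored in Active Directory instead.
netsh ipsec static set store location=local

REM The policy that will hold all three rules; left unassigned for review.
netsh ipsec static add policy name="Example Server Policy" description="Block inbound 1433, permit HTTP to web server, secure workstation traffic" assign=no

REM Rule 1: block inbound TCP 1433 from any source to this computer.
REM mirrored=no keeps the filter one-way (inbound only).
netsh ipsec static add filterlist name="Inbound TCP 1433"
netsh ipsec static add filter filterlist="Inbound TCP 1433" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=1433 mirrored=no
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add rule name="Block SQL inbound" policy="Example Server Policy" filterlist="Inbound TCP 1433" filteraction="Block"

REM Rule 2: permit TCP 80 to the internal web server (assumed 10.0.0.10).
netsh ipsec static add filterlist name="Web server HTTP"
netsh ipsec static add filter filterlist="Web server HTTP" srcaddr=any dstaddr=10.0.0.10 protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="Allow HTTP to web server" policy="Example Server Policy" filterlist="Web server HTTP" filteraction="Permit"

REM Rule 3: require ESP (3DES/SHA1) for traffic between this computer and the
REM workstation subnet (assumed 10.0.1.0/24), authenticated with Kerberos.
REM inpass=no and soft=no refuse unprotected traffic from that subnet.
netsh ipsec static add filterlist name="Workstation subnet"
netsh ipsec static add filter filterlist="Workstation subnet" srcaddr=me dstaddr=10.0.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" inpass=no soft=no
netsh ipsec static add rule name="Secure workstation traffic" policy="Example Server Policy" filterlist="Workstation subnet" filteraction="Require ESP" kerberos=yes

REM Review the result. Assigning it (next line, commented out) replaces
REM whatever policy is currently assigned, since only one can be active.
netsh ipsec static show policy name="Example Server Policy" level=verbose
REM netsh ipsec static set policy name="Example Server Policy" assign=yes

endlocal
```

Note that the block rule is deliberately narrow (one port, inbound only) while the negotiate rule is broad (all protocols to one subnet); IPSec applies the most specific matching filter, so a 1433 connection from the workstation subnet is still blocked rather than negotiated.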
See Also
• Recipe 7-2 for managing IPSec rules
• Recipe 7-9 for assigning IPSec policies
• Microsoft TechNet: "Using Netsh Scripts to Assign IPSec Policies" (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/a42bead8-0627-4b7f-a075-988308b68f3d.mspx)
7-2. Managing IPSec Rules
Problem
You want to configure an IPSec rule to determine how the local computer should respond to
traffic as part of an IPSec policy.
Solution
Using a Graphical User Interface
1. Open the Group Policy Management Console or the IP Security Policy Management
   MMC snap-in.
2. Navigate to Computer Configuration\Windows Settings\Security Settings\IP Security
   Policies.
3. Right-click the policy for which you want to configure a new rule and select Properties.
4. In the IPSec Security Rules section, remove the check mark next to Use Add Wizard, and
   then click Add to create a new IPSec rule.