See Also
• Recipe 7-15 for configuring startup protection
• Recipe 7-17 for creating a persistent IPSec policy
• Microsoft TechNet: “Understanding IPSec Driver Startup Modes” (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b0b6adaa-6b38-4952-b055-14559f46e561.mspx)
7-17. Creating a Persistent Policy
Problem
You want to configure a persistent IPSec policy for a Windows Server 2003 computer. This will
ensure that an IPSec policy is applied even if a Group Policy-based IPSec policy cannot be loaded.
Solution
The following commands assign a policy called Failsafe Policy and configure it as a persistent
policy:
> netsh ipsec static set policy name="Failsafe Policy" assign=yes
> netsh ipsec static set store location=persistent
How It Works
Persistent IPSec policies are a new feature in Windows Server 2003. Unlike Group Policy-assigned
IPSec policies, which are stored in Active Directory, persistent policies are maintained in a
Windows Server 2003 computer's local Registry and are in effect whether or not another IPSec
policy can load successfully.
You can use a persistent policy to provide a unique protection configuration for one or two
specific computers within an Active Directory container that has a Group Policy-based policy
applied to it, as well as to provide a consistent IPSec configuration even when Group Policy
or a local policy is not in use, or cannot be applied due to some error. If a persistent policy is
configured for a computer that also has a local or Group Policy-based policy assigned, the
persistent policy will override Group Policy to take effect. (This is the only instance where you
can have more than one IPSec policy assigned to a single computer at a time.)
Caution: If the persistent policy configured for a computer cannot be applied for any reason, the IPSec
Policy Agent will revert to a blocking mode, where no network communication will be permitted.
See Also
Microsoft TechNet: “New Features for IPSec” (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/c30640b7-19e4-4750-82f6-61ca16e727d8.mspx)