Configure IPSec Policies through GPO

by Michael W. Wass - November 3, 2009


One method of configuring many computers to use the same IPSec policy is to export the policy from one computer and import it on the others. In this article we use the second method: Active Directory Group Policy Objects (GPOs).


Important: Several features in the Windows Server 2003 family implementation of IPSec are not provided in Windows 2000 or in Windows XP. To ensure that the same IPSec policy functions as expected on computers running the Windows Server 2003 family and on computers running Windows 2000 or Windows XP, test the policy thoroughly on all relevant operating systems before deployment. If you plan to apply IPSec policies that use the new features that are available only in the Windows Server 2003 family implementation of IPSec, do not use the Windows 2000 or the Windows XP version of the IP Security Policy Management console to manage these policies. The settings in the earlier versions of the IP Security Policy Management console will override the settings in the Windows Server 2003 family IPSec policy, and the new features will not be functional.


Let's say you want to block PING traffic for a set of computers. In order for this tip to work, you need the following to be true:

  • An existing Active Directory infrastructure (working with no errors, duh...).

  • All computers that need to be configured must be running Windows 2000 or higher.

  • An OU where the computer accounts should be placed. If no OU is applicable for your situation, you'll need to configure the GPO at the domain level, which affects all members of the domain. That's why I suggest creating an OU and placing the computer accounts in it.

Next we need to configure the IPSec policy inside the GPO. We do so by editing the GPO and manually configuring the IPSec policy, just as you did in Block Ping Traffic with IPSec. The only difference is that here you are editing the IPSec policy as part of a larger GPO, not just for the local computer.

If all the above exists we can now begin to configure the GPO.


    1. Open Active Directory Users & Computers. Right-click the domain or OU and choose Properties.

    2. In the Properties window click the Group Policy tab. Click New to create a new GPO. Give it a descriptive name, such as Secure Services.

    3. Click Edit to edit the GPO.

    4. Navigate to Computer Settings > Windows Settings > Security Settings > IP Security Policies on Active Directory. You can now manually configure the IPSec policy.

    5. After the new IPSec policy is in place, right-click it and select Assign.

    6. In order for the changes to take effect, either reboot the client computers or refresh their computer policy.


On Windows 2000, run the following command:

secedit /refreshpolicy machine_policy /enforce

On Windows XP and Windows Server 2003:

gpupdate /force


When assigning an IPSec policy in Active Directory, consider the following:

  • The list of all IPSec policies is available to assign at any level in the Active Directory hierarchy. However, only a single IPSec policy can be assigned at a specific level in Active Directory.
  • An IPSec policy that is assigned to an organizational unit in Active Directory takes precedence over a domain-level policy for members of that organizational unit.
  • An IPSec policy that is assigned to the lowest-level OU in the domain hierarchy overrides an IPSec policy that is assigned to a higher-level OU, for member computers of that OU.
  • An OU inherits the policy of its parent OU unless either policy inheritance is explicitly blocked or policy is explicitly assigned.
  • IPSec policies from different organizational units are never merged.
  • The highest possible level of the Active Directory hierarchy should be used to assign policies to reduce the amount of configuration and administration required.
  • An IPSec policy might remain active even after the Group Policy object to which it is assigned has been deleted. Because of this, un-assign the IPSec policy before you delete the Group Policy object. To prevent problems, use the following procedure:

    1. Un-assign the IPSec policy in the Group Policy object.

    2. Wait 24 hours to ensure that the change has propagated.

    3. Delete the Group Policy object.


If you delete the Group Policy object without following this procedure, computers in the Active Directory container to which the IPSec policy is assigned treat the IPSec policy as if it cannot be located and continue to use a cached copy.
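As an added example that is not part of the original article, the following PowerShell reports which Active Directory IPSec policy a computer has been handed (the result of steps 1 through 6 above, once policy has refreshed) and whether cached policy objects are present, the condition described in the preceding paragraph. The registry locations are the IPSec policy storage used on Windows 2000, XP and Server 2003; the value names DSIPSECPolicyName and DSIPSECPolicyPath under the GPTIPSECPolicy key are taken from Microsoft's documentation and are assumed here rather than shown on this page.

```powershell
# Added example, not from the original article. Reads the local IPSec policy
# storage used by Windows 2000/XP/2003 to show which directory IPSec policy
# applies to this computer. Value names DSIPSECPolicyName and DSIPSECPolicyPath
# are assumed from Microsoft's documentation of the GPTIPSECPolicy key.
# Run in an elevated PowerShell session on the client being checked.

# Pointer written by Group Policy: which directory IPSec policy is assigned here.
$gptKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy'
# Local cache of the directory policy, used when the domain cannot be reached.
$cacheKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache'

function Get-AssignedIPSecPolicy {
    $result = New-Object PSObject -Property @{
        Assigned    = $false
        PolicyName  = $null
        PolicyPath  = $null
        CachedItems = 0
        StaleCache  = $false
    }
    if (Test-Path $gptKey) {
        $p = Get-ItemProperty -Path $gptKey
        $result.Assigned   = $true
        $result.PolicyName = $p.DSIPSECPolicyName
        $result.PolicyPath = $p.DSIPSECPolicyPath   # LDAP path of the ipsecPolicy object
    }
    if (Test-Path $cacheKey) {
        # Each cached policy component (policy, rules, filter lists) is a subkey.
        $result.CachedItems = @(Get-ChildItem -Path $cacheKey).Count
    }
    # Cached policy objects with no GPO pointer: the GPO may have been deleted
    # without un-assigning the policy first, so the agent keeps using the cache.
    $result.StaleCache = (-not $result.Assigned) -and ($result.CachedItems -gt 0)
    return $result
}

$status = Get-AssignedIPSecPolicy
if ($status.Assigned) {
    Write-Output ("Assigned directory IPSec policy: {0}" -f $status.PolicyName)
    Write-Output ("Directory object: {0}" -f $status.PolicyPath)
} else {
    Write-Output "No Active Directory IPSec policy is assigned to this computer."
}
Write-Output ("Cached policy objects: {0}" -f $status.CachedItems)
if ($status.StaleCache) {
    Write-Warning "Cached IPSec policy present but no GPO assigns one; see the un-assign procedure above."
}
```

On Windows XP and Windows Server 2003 the built-in equivalent of the first check is `netsh ipsec static show gpoassignedpolicy`, which reads the same assignment.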


Before assigning an IPSec policy to a Group Policy object, verify the Group Policy settings that are required for the IPSec policy. For example, if an IPSec policy requires certificate authentication, assign the Group Policy settings that allow computers to enrol for certificates (usually one or two days before you assign the IPSec policy that requires use of the computer certificate). In addition, you should test the certificate enrolment process and resolve any errors before assigning the IPSec policy.

  Copyright © 2010 TecTrax Network Technologies. All rights reserved.

Send mail to WebMaster@tectrax.com with questions or comments about this web site. Last modified: 06/15/10