This article just appeared on our support site (7th April), I know from conversations the amount of filters in IPsec has been an issue for many of you. It seems the ‘simple policy’ achieves a dramatic saving…here is the gist of the problem and resolution:
This article describes an update that you can apply to simplify the creation and maintenance of Internet Protocol security (IPsec) filters in a Microsoft Windows Server 2003-based environment. This update adds functionality to Windows that enables you to use an IPsec “Simple Policy.” For most environments, the installation of this update lets you reduce the number of IPsec filters that are required for a Server Isolation deployment or for a Domain Isolation deployment. You can reduce the number of IPsec filters from many hundreds of filters to only two filters.
You can read more and download the update from http://support.microsoft.com here.
For more information on Server and Domain isolation check out the main TechNet site http://www.microsoft.com/technet/itsolutions/network/sdiso/default.mspx and also look at the data sheet I mentioned before here.
Another resource is Ian’s blog