Network Isolation Using Group Policy and IPSec (Part 3 of 3): Webcast 2-24-2006

Thank you for attending the webcast on IPSec and Group Policies. As promised, here is the scrubbed Q/A log. Please comment if you need more information.

 

Also, you can watch the stream of the webcast here: https://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032289161%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e

 

Enjoy!

Question: Is it possible to define the type of communication to use IPSec? For an Exchange server I will allow SMTP over IP from "everywhere" and the "Outlook connection" (MAPI / POP3 / IMAP...) must be done over IPSec and only from specified computers?
Answer: Yes, it is just a matter of setting the filter (see next question) and the ports appropriately. Take a look at this whitepaper to learn more on how to block or control specific protocols with IPSec: https://support.microsoft.com/?id=813878
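
The filter-and-port split described in this answer, sketched with netsh ipsec static on Windows Server 2003 as an added example (not from the webcast or the linked whitepaper). The policy name, list names and the client address 192.0.2.10 are constructed placeholders; Kerberos authentication assumes both ends are domain members, and only POP3 and IMAP are covered because MAPI uses dynamically assigned RPC ports.

```bat
@echo off
rem Added example: all names and addresses below are constructed placeholders.
set POLICY=Exchange-Isolation-Example
set CLIENT=192.0.2.10

rem Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="%POLICY%" assign=no

rem Filter actions: plain permit, plain block, and "negotiate" (require IPSec).
rem inpass=no and soft=no refuse any fallback to unsecured traffic.
netsh ipsec static add filteraction name="Ex-Permit" action=permit
netsh ipsec static add filteraction name="Ex-Block" action=block
netsh ipsec static add filteraction name="Ex-Require" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 1) SMTP (TCP 25) from everywhere: permitted without IPSec.
netsh ipsec static add filterlist name="Ex-SMTP-Any"
netsh ipsec static add filter filterlist="Ex-SMTP-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=25 mirrored=yes

rem 2) POP3 (110) and IMAP (143) from the specified computer: IPSec required.
netsh ipsec static add filterlist name="Ex-Mail-Trusted"
netsh ipsec static add filter filterlist="Ex-Mail-Trusted" srcaddr=%CLIENT% dstaddr=me protocol=TCP srcport=0 dstport=110 mirrored=yes
netsh ipsec static add filter filterlist="Ex-Mail-Trusted" srcaddr=%CLIENT% dstaddr=me protocol=TCP srcport=0 dstport=143 mirrored=yes

rem 3) POP3 and IMAP from any other source: blocked. The filter naming a
rem    specific source address in list 2 is more specific than srcaddr=any,
rem    so the trusted computer negotiates instead of being blocked.
netsh ipsec static add filterlist name="Ex-Mail-Others"
netsh ipsec static add filter filterlist="Ex-Mail-Others" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=110 mirrored=yes
netsh ipsec static add filter filterlist="Ex-Mail-Others" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=143 mirrored=yes

rem Bind each filter list to its action inside the policy.
netsh ipsec static add rule name="SMTP open" policy="%POLICY%" filterlist="Ex-SMTP-Any" filteraction="Ex-Permit"
netsh ipsec static add rule name="Mail secured" policy="%POLICY%" filterlist="Ex-Mail-Trusted" filteraction="Ex-Require" kerberos=yes
netsh ipsec static add rule name="Mail blocked" policy="%POLICY%" filterlist="Ex-Mail-Others" filteraction="Ex-Block"

rem Review the result, then assign it when ready:
rem   netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
```

The trusted computer needs a matching policy that negotiates IPSec toward the server on the same ports; without it, its POP3 and IMAP connections fail rather than falling back to clear text.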

Question: Is there a whitepaper that describes how to use IPSec filters?
Answer: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HTUseIPSec.asp

Question: I have been testing group policy and some of my test group receives the policy and some don't. Where should I look to troubleshoot this issue?
Answer: I would take a look here: https://support.microsoft.com/?kbid=810739 (a great troubleshooting guide). Also take a look at the last question in this entry regarding XP fast booting.

Question: Can I convert IPSec rules applied by script to a GPO? How?
Answer: I was unable to find any way to do this, and I do not think there is a way to accomplish this. So if anyone has, please comment below. Thanks!

Question: Does Microsoft use Microsoft OS Built-in IPSec within your Enterprise network & in what area such as DC to DC communication?
Answer: Here's what Microsoft has done: https://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx

Question: Is there a Windows Server 2003 Group Policy troubleshooting guide?
Answer: Yes, take a look here: https://technet2.microsoft.com/WindowsServer/en/Library/0c627456-5dfa-44db-b43a-e41c8f4f09231033.mspx

Question: We have had trouble with IPSec policies failing to work after a reboot; if we rebuild the policy on both ends, they work again. We changed from Kerberos to Shared Key and have not had the problem again. Have you heard of this issue?
Answer: I really could not find much on this topic, but I was able to find this KB. I hope this helps: https://support.microsoft.com/kb/254728/

Question: How to disable fast boot for Windows XP Group Policies?
Answer: This is fairly straightforward, and I will post in more detail shortly. To disable this, go to a group policy and edit the GPO. The setting is in Computer | Administrative Templates | System | Logon; enable the setting "Always wait for the network at computer startup and logon".