How to simplify the creation and maintenance of Internet Protocol (IPsec) security filters in a Windows Server 2003-based environment

There's a new hotfix for IPsec that makes life much easier for those of you who are interested in taking advantage of network traffic signing, encryption and filtering. IPsec is a great way to enforce trust boundaries between groups of servers and domains, thereby isolating disparate types of traffic even when they share the same wire / airspace.

The hotfix can be found via Knowledge Base article KB 914841. It is available on the hotfix servers and will be rolled into subsequent service packs for Windows XP and Windows Server 2003. KB reference: https://support.microsoft.com/kb/914841/en-us

Quoting directly from the release information:

"This hotfix (known as the “Simple Policy” update or ND-lite) adds functionality to Windows XP and Windows Server 2003 to greatly simplify IPsec policy creation and maintenance in Server and Domain Isolation scenarios. In the majority of cases, the installation of this hotfix significantly reduces the number of IPsec filters that are required for a Server or Domain Isolation deployment. We expect that this will result in the reduction of the number of IPsec filters from hundreds to only two (2).

The “Simple Policy” update will be most useful in the following scenarios:

  • Reducing the complexity of an existing Server Isolation and/or Domain Isolation deployment
  • Removing IPsec deployment blocking issues due to the complexity of the IPsec policy involved, e.g. where there are a large number of policy exceptions"  

For more information on Server and Domain Isolation, visit the following links:

TechNet: https://www.microsoft.com/sdisolation
Internal: https://windowsserver/sites/networking/

Thanks to Chris Black and Jamie Peebles for making me aware of this announcement.