
IPSEC, W2k3, Client-to-DC

microsoft.public.windows.server.security
Posted by Simon on August 8, 2005, 10:36 am
Hi all,
I remember that for Windows 2000, IPSEC was not recommended to be used to secure
traffic between clients and domain controllers; that scenario apparently was
not supported.

Is this scenario still not supported in a Windows Server 2003 based AD
domain?

Many thanks.




Posted by David Beder [MSFT] on August 8, 2005, 12:58 am
Correct. It still isn't formally supported. That doesn't mean you probably
couldn't get it to work if you really try hard at it. There are likely some
whitepapers up on microsoft.com/ipsec which discuss the complexity of the
problem and some tips and deployment suggestions which might work for your
org.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.






Posted by Steven L Umbach on August 14, 2005, 9:05 pm
That has not changed. What cannot be secured is traffic used to
authenticate users/computers for the domain, such as DNS, file and print
sharing, LDAP, Kerberos, RPC, ICMP to/response from domain controllers.
However, beyond that you may be able to secure traffic, but be sure to test
any IPsec policy thoroughly and never test at the domain level. The IPsec
domain isolation guide is an excellent read for those who are considering
IPsec even if you do not want to read the whole thing. Chapter 7 on
Troubleshooting IPsec and Appendix A on IPsec Policy Concepts are must-reads
in my opinion.

--- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch1.mspx




