
two CA certificates for IPSec or something...

microsoft.public.windows.server.security
Subject Author Date
two CA certificates for IPSec or something... Ondrej Sevecek 09-17-2005
Posted by Steven L Umbach on September 18, 2005, 8:23 pm
You could put your computers into separate Organizational Units with
different ipsec policies. For instance you could use an ipsec policy for a
server that requires ESP and AH and then put the computers into an OU with
the same ipsec policy [using ESP and AH] that you want to access the
server. Then you could have other OUs with ipsec policies that only use ESP
which would be the default settings. Then computers with an ipsec policy
that does not use AH could not access a server that requires AH regardless
of the computer's IP address.
--- Steve


"Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
>I cannot imagine one. I would like the isolation to occur on another basis
>than IP, so I think, the authentication is the only solution.
> Installation of subordinate CA would require strict security on the
> machine, so we probably will install standalone subordinate on a separate
> server that will be used only for this purpose.
>
> O.
>
>
>> <ondra at my_surname dot com> says...
>>> > You could use two certificate templates to accomplish this, but if you
>>> > are applying different IPSec filters, the authentication can only
>>> > indicate *which* root CA the chain is rooted.
>>>
>>> .... and when I would use two templates, how to distinguish them in the
>>> filter rules?
>>>
>>>
>>> O.
>>>
>>>
>>>
>>>
>> This is the issue, the certificate templates would still chain to CAs
>> that chain to the same root.
>> Is there any other criteria that you could use, other than the
>> authentication to isolate?
>> Brian
>
>



