70-240 in 15 minutes a week: Windows 2000 IPSec Page 3

By ServerWatch Staff (Send Email)
Posted Dec 3, 2001

This gets even more complex since you can add multiple filters using this tool. If you click the Add button, you are moved into yet another wizard that will walk you through the process of creating a filter. I am going to create only one (note the descriptive name), that specifies that all of the computers on a given subnet must use IPSec to communicate with the HR Server

After choosing the traffic source (my subnet), I must next choose the traffic destination. This can be any of the options listed below:

I have chose the IP address of my HR server, Next step is choosing the IP protocol type to be included in my filter. I am going to choose ANY, although I could be more specific and choose a given TCP port or protocol ID if required.

The next screen allows you to edit your filter without the wizard. Remember that the policy is not yet complete; we must choose to enable our new rule in the policy by selecting it.

The next step is to actually specify the filter actions. What will happen when a user does something that meets rules of the filter? Remember that we haven't yet said whether AH or ESP should be used, whether these packets should be allowed or denied, and so forth. I know this is a long process, but we're almost there.

The Filter Action screen allows us to control how this will work. I suggest leaving the defaults alone (and unselected) and using the Add button (though you may be sick of Wizards at this point) to select what you want to happen. Without using the wizard, you will be presented with this screen:

Note that this screen allows you to either Block, Permits, or Negotiate security when a filter rule if encountered. I will choose Negotiate Security, and click the Add button, and choose that High security (ESP and AH) should be used, as shown below.

You can also configure custom settings, if you require them. Be sure to give your filter actions a descriptive name (and select it), as I have below.

The next screen simply finishes the process. Remember that the policy is still not assigned - right click the policy and choose Assign to do this, with the results shown below.

Also remember that IPSec configuration is not a one-way street. You will also need to configure the appropriate settings on your servers to ensure that the policies can negotiate security and function correctly.

A couple of additional notes on IPSec:

- in order to test whether IPSec is working properly, using the IPSECMON utility. It will show you any security negotiations and sessions currently in place.
- Note that you can use Services in Computer Management to stop and restart the IPSec Policy Agent if necessary. This is also the equivalent of stopping and reloading the IPSec driver.

Another week completed, and certainly a long one. Next week's article will in fact be the last in the 70-240 series, and will cover Certificate Services in Windows 2000. I'm not sure if another series will directly follow this one as of yet, as many people have emailed me to ask. I am currently considering a number of options, and will let you know as soon as I do. In the meantime, please post all technical questions to my message board, and feel free to contact me with any comments by email. Best of luck with your studies this week.


Page 3 of 3

Thanks for your registration, follow us on our social networks to keep up-to-date