Question
Friday, March 10, 2017 5:01 PM
Hi,
We're looking at deploying IPSEC for an internal solution (MIM 2016), the requirement is that all of the MIM servers must have their communication traffic encrypted. From what I've seen it looks like this is possible with PowerShell and certificates as shown here
https://technet.microsoft.com/en-us/library/hh831807(v=ws.11).aspx
Presumably it's possible to encrypt traffic to only certain endpoints by modifying the rules? I want the traffic between the application servers to be encrypted, but not traffic to/from DCs. Is this possible?
Thanks
All replies (5)
Monday, March 13, 2017 7:07 AM
Hi,
You could use Windows Firewall with Advanced Security (WFAS) Connection Security Rules, and create a server-to-server rule.
And create an OU for your application servers, then link the GPO to this OU.
You could check this link for your reference; although it is applied to DC-to-DC, you could follow the parts about creating server-to-server rules, creating custom exception rules and linking the GPO to the OU.
Securing DC to DC communication with IPsec using Windows Firewall with Advanced Security (WFAS) Connection Security Rules
Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Monday, March 13, 2017 3:09 PM
Thanks Cartman
I've just run through the above process; unfortunately Network Monitor shows the traffic as being unencrypted (like the bottom poster). GPOs are definitely applying (confirmed with gpresult), still troubleshooting...
Tuesday, March 14, 2017 9:15 AM
Hi,
Please check the troubleshooting part of this link:
http://blog.davidvassallo.me/2011/04/19/configuring-windows-pcs-to-use-ipsec/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Hope it helps.
Best Regards
Cartman
Tuesday, March 14, 2017 12:36 PM
Hi Cartman,
OK, I've got further :-). I've managed to encrypt the traffic if I use ANY of the following:
- PSK (not recommended)
- Kerberos V5
- NTLM V2
The certificate option just doesn't work: the firewall rule wizard simply searches through a list of the certs on my DC and then allows me to pick a certificate. I've chosen my default root CA cert but that didn't work, then I've tried a GoDaddy root cert with client and server authentication on the enhanced key usage - still no luck. I haven't found a good explanation of the certificate requirements.
Having said that, I'm inclined to go down the Kerberos v5 route for requiring encryption, as it means that I don't need to worry about renewing certificates.
What are people's thoughts on encrypting internal traffic using IPsec? Worthwhile or overkill? (We have a large network with perimeter firewalls, but the internal network is a bit open.)
Thanks
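The setup discussed in this thread (a server-to-server rule with Kerberos v5 machine authentication, plus an exemption so DC traffic stays outside IPsec), written out as a PowerShell example. This is an added illustration, not code from any poster or from the linked articles; the addresses, display names and the policy store value are placeholders, and the quick-mode set deliberately offers only AES proposals because the built-in default also negotiates integrity-only ESP, which is one reason a capture can show readable payloads even though the rule is applied.

```powershell
# Added example: require encrypted IPsec transport between the MIM application
# servers using computer Kerberos, and exempt the domain controllers.
# All addresses, names and the store below are placeholders for this example.

$AppServers = @("10.0.10.11", "10.0.10.12", "10.0.10.13")   # placeholder app server IPs
$DCs        = @("10.0.1.5", "10.0.1.6")                      # placeholder DC IPs
# "PersistentStore" writes to the local machine; to write into a GPO instead use the
# "domain.fqdn\GPO display name" form, e.g. "contoso.example\MIM IPsec" (placeholder).
$Store      = "PersistentStore"

# Phase 1 (main mode) authentication: machine Kerberos, so there are no certificates to renew.
$kerb   = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "MIM Kerberos (machine)" `
              -Proposal $kerb -PolicyStore $Store

# Quick mode proposals that offer encryption only. The default quick-mode set also
# contains integrity-only ESP proposals, which authenticate packets but leave the
# payload in cleartext on the wire.
$esp256 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$esp128 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES128 -ESPHash SHA256
$qmSet  = New-NetIPsecQuickModeCryptoSet -DisplayName "MIM AES only" `
              -Proposal $esp256, $esp128 -PolicyStore $Store

# Server-to-server rule: IPsec is required in both directions between the app servers.
New-NetIPsecRule -DisplayName "MIM app servers - require IPsec" `
    -Mode Transport `
    -LocalAddress $AppServers -RemoteAddress $AppServers `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1Auth.Name -QuickModeCryptoSet $qmSet.Name `
    -PolicyStore $Store

# Authentication exemption for the DCs: Kerberos needs a reachable KDC before any
# main-mode SA exists, and the poster wants DC traffic left outside IPsec anyway.
New-NetIPsecRule -DisplayName "MIM - exempt domain controllers" `
    -RemoteAddress $DCs `
    -InboundSecurity None -OutboundSecurity None `
    -PolicyStore $Store

# Verification on an app server after traffic has flowed: a quick-mode SA whose ESP
# entry names an AES cipher means the capture is encrypted, not just integrity-protected.
Get-NetIPsecQuickModeSA | Format-List *
```

If a rule was written into a GPO, check the effective rule set on the server with `Show-NetIPsecRule -PolicyStore ActiveStore` after `gpupdate` before looking at captures.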
Friday, March 17, 2017 7:05 AM
Hi,
>>I've chosen my default root CA cert but that didn't work, then I've tried a GoDaddy root cert with client and server authentication on the enhanced key usage - still no luck. I haven't found a good explanation of the certificate requirements.
Please check the computer certificate part for certificate requirements:
Connection Security Rule Wizard: Authentication Method Page
https://technet.microsoft.com/en-us/library/cc811545%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
Best Regards
Cartman