sexta-feira, 6 de junho de 2008 21:55Basically the question is should I be able to (or perhaps even, should I at all) apply the pre-defined "Server (Request Security)" IP Security option (via Group Policy) on a server providing AD, DHCP, and DNS services and still provide these services if the clients are unable to perform IPsec functions (at least barring any other problems)?
As far as I have read, as long as I allow fall-back to unsecure communications DHCP requests from workstations that do not yet have an IPsec certificate or are just incapable of IP sec should still work successfully. Is this correct?
Now the background to the question:
I have been working towards getting my network prepared for NAP, so one of the things I did yesterday was enable Auto-Enrollment of computer identity and IPsec certificates via Group Policies.
Today, I applied the "Server (Request Security)" option on all our servers for IP Security Policy. It seemed to work very well at first, and I even restricted some of the management services via the firewall policies to require Encrypted communications, which tested successfully when using the remote administration tools.
However, later in the day, I started receiving reports of users not being able to obtain IP addresses. Immediately after un-applying the "Server (Request Security)" IP Security Policy they were able to obtain IP addresses again. This leaves me with two thoughts: either I can not even request secure communication on these servers; or perhaps I've run into some sort of transitioning problem with the workstations thinking they can do IPsec but do not have the necessary certificates yet and all I have to do is wait it out for a week or two before trying again.
The one that groks it all...
Todas as Respostas
domingo, 17 de maio de 2009 19:31Hi Jason,I havent tried it myself but I think the problem with the DHCP Clients is basiclly because they try to communicate with the DHCP Server and the Communication Fails before the DHCP Server accomplishes a Fallback to Clear with IPSec.I would Suggest you to Create a Custom Policy that Excludes the DHCP Ports (UDP 67,68)So You need to crerate a Rule with Two Filters :Source <-> Destination, Protocol, Source Port, Destiantion PortAny <-> My , UDP , 68 , 0My <-> Any , UDP , 0 , 67How About you DCs ?You didntany problems with user login ? or Group Policy not being applied ?
Assaf Miron http://Assaf.Miron.googlepages.com