Restrict external clients to internet only

  • Question

  • Hi again

    First of all, I'm using the IPsec enforcement method.

    I just have one more question. How can I restrict an external client, which isn't in an AD domain, to only get internet access but not be able to connect to the remediation servers or to the secure network? Which policies do I need to configure? I think it's not that transparent which settings to use?!

    Thank you in advance.

    g.diddy

     

    Friday, March 7, 2008 10:46 AM

Answers


  • Hi,
    the link which I had sent simply provides the way to create an IPsec policy on a Windows machine (i.e. 2000, 2003, 2008, XP and Vista). In the NAP scenario you don't need to create any other IPsec policy on your server (Windows 2003 machine).

    I do not know why you want to create an IPsec policy on your Windows 2003 DC machine?
    You are correct that if you create an IPsec policy on the Windows 2003 DC machine "no one can access it"; the reason is that the machine which tries to access it needs to have the same IPsec policy as the Windows 2003 machine.

    You can handle it by setting the IPsec policy using GPO...
    Refer to the link:
    http://www.petri.co.il/configuring_ipsec_policies_through_gpo.htm

    Do you want "domain and server isolation" using IPsec?
    Refer to the link:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=5ACF1C8F-7D7A-4955-A3F6-318FEE28D825&displaylang=en

    Regards
    Brijesh Shukla




    Tuesday, March 11, 2008 1:52 AM

All replies


  • Do you mean that a client which is not a member of the AD domain can access secure servers and the remediation server using NAP IPsec enforcement, and you would like to prohibit it?
    I am sorry if I misunderstood your question.

    Brijesh Shukla
    Friday, March 7, 2008 11:23 AM
  • No problem.

    No, I would like to configure a policy which restricts external computers (those which aren't members of the AD domain) to internet access only, and I don't know how to configure it :(

    That's my problem. Hope it helps!

    Friday, March 7, 2008 11:32 AM

  • OK, I think if your external client knows the proxy address and is able to get an IP address from your DHCP server, then it might be able to access the internet, and the external client cannot access your secure network (where the IPsec settings are applied). You do not need to make any specific policy on the NAP server. However, I am assuming that you have not put your proxy in the "Secure Network" as per the step-by-step guide.

    Regards
    Brijesh Shukla
    Saturday, March 8, 2008 1:52 AM
  • Ahh yes... I see now. Thank you very much. And there's another question: do you or someone know how I have to set up the legacy IPsec policies to place Windows 2003 servers in the secure and boundary network? I need this because the "Windows Firewall with Advanced Security" won't apply to servers older than Windows 2008. Or is there a patch for Windows 2003 Server which enables the Firewall with Advanced Security?

    Thank you again and in advance.

    -g.diddy
    Sunday, March 9, 2008 8:00 PM

  • To make a legacy IPsec policy please follow this step-by-step guide.
    I'm attaching the URL:

    http://technet.microsoft.com/en-us/library/bb742429.aspx

    Regards
    Brijesh Shukla
    Monday, March 10, 2008 1:37 AM
  • Thanks for the link. I read the document, but I don't know how to apply this to my NAP environment.

    I tried the "Server (Requires Security)" policy and added my Root CA (the one I created by following the step-by-step guide) instead of the Kerberos authentication. Then I assigned the IPsec policy and now no one can access the file shares on this Windows 2003 server. Did I forget something? The client is Windows Vista and the "Windows Firewall with Advanced Security" policy is configured as described in the step-by-step guide.

    Regards.

    g.diddy

    Monday, March 10, 2008 9:17 PM
