IPsec isolation for XP Clients

  • Question

  • Hi,

    I'm making a model for NAP IPsec enforcement. When working with Windows 7 clients everything works fine, but for XP clients IPsec isolation does not work as it should: non-compliant clients cannot access the compliant clients until the latter access the non-compliant ones.

    PS: I have made the XP modifications in the registry and in the secpol.msc console.

    Best regards

    Friday, October 8, 2010 10:24 AM

All replies

  • Hi,

    Thanks for the post.

    Would you please tell me what you mean by "non-compliants clients can not access the compliant clients until these last access the non-compliant"?

    Please also check if the following steps could help you on this issue.

    To configure the XP IPsec secure GPO

    1. On a domain controller, or member server with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

    2. In the Browse for a Group Policy Object dialog box, double-click the XP IPsec Secure OU, for example XP IPsec Secure.woodgrovebank.local.

    3. Click the Create New Group Policy Object icon to the right of XP IPsec Secure.woodgrovebank.local, type XP Secure Policy, and then click OK.

    4. The Group Policy Management Editor window will open. Open XP Secure Policy\Computer Configuration\Policies\Windows Settings\Security Settings\IP Security Policy on Active Directory.

    5. Right-click IP Security Policy on Active Directory, and then click Create IP Security Policy. The IP Security Policy Wizard will open.

    6. On the Welcome to the IP Security Policy Wizard page, click Next.

    7. On the IP Security Policy Name page, type XP Secure Rule, click Next twice, and then click Finish. The XP Secure Rule Properties dialog box opens.

    8. Click Add. The Security Rule Wizard opens. Click Next.

    9. On the Tunnel Endpoint page, choose This rule does not specify a tunnel, and then click Next.

    10. On the Network Type page, choose All network connections, and then click Next.

    11. On the IP Filter List page, under IP filter lists, select All IP Traffic and then click Next.

    12. On the Filter Action page, clear the Use Add Wizard check box and then click Add. The New Filter Action Properties dialog box opens.

    13. On the Security Methods tab, choose Negotiate security and select the Allow fallback to unsecured communication if a secure connection can not be established check box. If you receive a message warning you about enabling unsecured communication, click Yes.

    14. Next to Security method preference order click Add, choose Integrity only, and then click OK.

    15. Click the General tab, under Name type Require in / Request out, and then click OK.

    16. Select the new filter action you just created, and then click Next.

    17. On the Authentication Method page, choose Use a certificate from this certification authority (CA) and then click Browse. If you receive a warning that Active Directory does not contain a shared certificate store, click Yes.

    18. Click the name of the Root CA in your NAP CA hierarchy, click OK, click Next, and then click Finish.

    19. Verify that All IP Traffic is selected under IP Filter List, that Filter Action is Require in / Request out and Authentication Method is Certificate, and then click OK.

    20. In the Group Policy Management Editor, right-click XP Secure Rule and then click Assign.

    21. Close the Group Policy Management Editor window.

    Does it work?

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, October 11, 2010 3:01 AM
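    The same policy that the GUI steps above build, expressed with the XP/Server 2003 `netsh ipsec static` context so the settings can be scripted and audited. This is an added example, not code from the thread or from Microsoft documentation; the policy, filter list and rule names are taken from the steps above, and the CA distinguished name is a placeholder you must replace with the subject name of your own NAP root CA. The two switches worth noting are `inpass=no` (inbound clear text is not accepted, the "Require in" half) and `soft=yes` (outbound may fall back to clear text when negotiation fails, the "Allow fallback to unsecured communication" check box of step 13, the "Request out" half).

```batch
rem Added example (not from the original thread): "XP Secure Policy" built with
rem netsh ipsec static on an XP client, as a local policy rather than an
rem AD-stored one. Run from an elevated command prompt.
rem Placeholder: replace CN=PLACEHOLDER-NAP-Root-CA with your NAP root CA's DN.

rem 1. Policy container (equivalent of "Create IP Security Policy", steps 5-7)
netsh ipsec static add policy name="XP Secure Policy" description="NAP IPsec enforcement for XP" assign=no

rem 2. Filter list matching all IP traffic to and from this host (step 11).
rem    The built-in "All IP Traffic" list is recreated here so the script is self-contained.
netsh ipsec static add filterlist name="All IP Traffic (scripted)"
netsh ipsec static add filter filterlist="All IP Traffic (scripted)" srcaddr=me dstaddr=any protocol=any mirrored=yes

rem 3. Filter action (steps 12-15): negotiate security, integrity only
rem    (ESP with null encryption and SHA-1), no inbound clear text (inpass=no),
rem    outbound fallback to clear text allowed (soft=yes).
netsh ipsec static add filteraction name="Require in / Request out" action=negotiate inpass=no soft=yes qmsecmethods="ESP[None,SHA1]"

rem 4. Rule (steps 8-10, 16-19): no tunnel, all network connections,
rem    certificate authentication chained to the NAP root CA.
netsh ipsec static add rule name="XP Secure Rule" policy="XP Secure Policy" filterlist="All IP Traffic (scripted)" filteraction="Require in / Request out" conntype=all rootca="CN=PLACEHOLDER-NAP-Root-CA" activate=yes

rem 5. Assign the policy (step 20)
netsh ipsec static set policy name="XP Secure Policy" assign=yes

rem 6. Verify what is actually assigned and which filter action is in force
netsh ipsec static show policy name="XP Secure Policy" level=verbose
netsh ipsec static show filteraction name="Require in / Request out"
```

    When checking a client that behaves unexpectedly, compare the `show filteraction` output against the intended setting: an action that reports unsecured inbound traffic as allowed, or that is missing `soft` where outbound fallback is intended, explains most "wrong direction" isolation results before any NAP component needs to be examined.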
  • Hello Miles,

    I've done all this, but the problem is that XP non-compliant clients and non-NAP-capable clients can't access the compliant clients, which is normal, UNTIL the compliant clients access those clients; once accessed, they (non-compliant and non-NAP-capable) can access the compliant clients, which is a breach.

    Best regards

    Monday, October 11, 2010 9:01 AM