NAP and IPSec with XP clients

  • Question

  • Hello everyone,

    I set up a lab test with IPSec and NAP by following the document "NAPIPsec_StepByStep.doc", except that I used XP clients instead of Vista clients.

    My problem is now to properly set IPSec on the clients to only permit communication between the compliant and healthy clients that receive a valid certificate from the NPS server.

    How is it possible to do that?

     

    Thanks.

     

    Monday, June 25, 2007 6:48 AM

Answers

  • Hi,

     

    The step by step guide doesn't discuss XP clients. I believe there is a registry key that is required to enable the demo to work with XP. However, I haven't had an opportunity yet to test this. Please let me know if this helps, and I will follow up and test it myself during the next few days.

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley\IKEFlags REG_DWORD  set to 1c

     

    -Greg

    Wednesday, June 27, 2007 10:42 PM

All replies

  • I'm not sure of the differences between XP and Vista vis-à-vis IPSec, but the E2E guide should have a section at the end that explains how to demonstrate IPSec enforcement. I believe the steps have you test whether or not the machines that get health certs can "net use" to a share on a Secure Zone machine. See section "Demonstrate IPsec NAP enforcement" on page 52 of the doc at: http://www.microsoft.com/downloads/details.aspx?FamilyID=298ff956-1e6c-4d97-a3ed-7e7ffc4bed32&displaylang=en

     

    Tuesday, June 26, 2007 1:00 AM
  • Assuming you followed the guide, you have at least one DC on which you should have created a couple of OUs that will have different IPSec policies; one called Secure and the other called Boundary. Both of them will enforce certificate authentication.

    Please let me know if you have created such OUs and added IPsec GP policies to these groups.

    If you don't have a DC there is another path we can go to get you set up in a workgroup environment.

     

    Wednesday, June 27, 2007 9:18 PM
  • What does this key do?

     

    The IPSec policy on XP only allows Kerberos or computer certificates (and preshared keys) to be exchanged.

     

    The health certificate is only with Vista, as written here: http://technet2.microsoft.com/windowsserver2008/en/library/ff06e8d5-b029-4c4a-8e13-2f27d721087b1033.mspx?mfr=true

     

    Support for Authenticated IP (AuthIP)

    In earlier versions of Windows, IPsec supported only the Internet Key Exchange (IKE) protocol for negotiating IPsec security associations (SAs). Windows Vista and Windows Server 2008 support an extension to IKE known as Authenticated IP (AuthIP). AuthIP provides additional authentication capabilities such as:

    Support for new credential types that are not available in IKE alone. These include the following: health certificates provided by a Health Registration Authority server that is part of a Network Access Protection (NAP) deployment; user-based certificates; Kerberos user credentials; and NTLM version 2 user or computer credentials. These are in addition to credential types that IKE supports, such as computer-based certificates, Kerberos credentials for the computer account, or simple pre-shared keys.

    Support for authentication by using multiple credentials. For example, IPsec can be configured to require that both computer and user credentials are successfully processed before traffic is allowed. This increases the security of the network by reducing the chance of a trusted computer being used by an untrusted user.

     

     

    So is it possible to use IPSec NAP with XP machines?

    Thursday, October 18, 2007 1:30 PM
  • Hi Jean-Benoit,

     

    I posted some details about the registry key at the end of this thread: http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2183359&SiteID=17.

     

    AuthIP is only used by Vista and Server 2008 computers. XP with Service Pack 3 will include the NAP Agent, but to restrict access of noncompliant clients to the compliant XP SP3 machine, you still need to set up the IKE-based IPsec rules to require a certificate, and set the IKEFlags registry key to 1c. When this is done, the behavior is to prefer health certificates.

     

    -Greg

    Thursday, October 18, 2007 10:55 PM
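    One way to audit an XP client before enabling enforcement, as an added example that is not from this thread or from Microsoft's guide: a PowerShell script that reads the IKEFlags value Greg describes and looks for an HRA-issued health certificate in the machine store. The System Health Authentication EKU OID used to recognise the health certificate is an assumption, and the script is meant to be run locally with administrative rights.

```powershell
# Added example (not from the thread): audit an XP client's readiness for
# IKE-based NAP IPsec enforcement. Checks the IKEFlags value (expected 0x1c)
# and looks for a health certificate in LocalMachine\My.
# Assumption: health certificates carry the "System Health Authentication"
# EKU, OID 1.3.6.1.4.1.311.47.1.1.

$oakleyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'
$expected  = 0x1c
$healthEku = '1.3.6.1.4.1.311.47.1.1'

function Test-IkeFlags {
    $item = Get-ItemProperty -Path $oakleyKey -Name IKEFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "MISSING: IKEFlags not set under $oakleyKey" }
    $value = [int]$item.IKEFlags
    if ($value -eq $expected) { return ("OK: IKEFlags = 0x{0:x}" -f $value) }
    return ("MISMATCH: IKEFlags = 0x{0:x}, expected 0x{1:x}" -f $value, $expected)
}

function Get-HealthCertificates {
    # Walk every machine certificate and keep those whose EKU extension
    # lists the (assumed) health-authentication OID.
    $found = @()
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $healthEku) { $found += $cert }
                }
            }
        }
    }
    return $found
}

Write-Output (Test-IkeFlags)
$certs = @(Get-HealthCertificates)
if ($certs.Count -eq 0) {
    Write-Output 'No health certificate in LocalMachine\My: the HRA has not issued one (client noncompliant or not enrolled).'
} else {
    foreach ($c in $certs) {
        # Health certificates are short-lived, so an expired one is as bad as none.
        $state = if ($c.NotAfter -gt (Get-Date)) { 'valid' } else { 'EXPIRED' }
        Write-Output ("Health cert {0} issued by {1}, expires {2} ({3})" -f $c.Thumbprint, $c.Issuer, $c.NotAfter, $state)
    }
}
```

    A client that reports OK for IKEFlags and a valid health certificate is the one that should be able to "net use" to a Secure Zone share; a MISSING or MISMATCH result explains a failed negotiation before you start looking at the IPsec rules themselves.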
  • Thank you.

    I don't know why I didn't check that thread, since I had a look at a lot of IPsec-related threads.

     

    I really appreciate your support on the forum.

     

    In my mind, IPSec isolation is a good thing, but the integration with NAP is not as good as it should be.

    With Vista, when you are doing IPSec isolation with Kerberos to authenticate machines and users, you can define firewall rules that apply to specific users or computers, but with NAP integration, since you use certificates, that isn't possible (perhaps for computers, but I haven't tested it).

     

    XP IKE-based rules are too complex :/

    Friday, October 19, 2007 7:54 AM
  • Hi Jean-Benoit,

     

    The firewall rules work well with NAP. The health certificate affects the connection security rule if you enable the "only accept health certificates" check box. You can also specify other firewall rules for computers in the OU, or users in the group. I'm not sure what types of rules you are interested in using.

     

    You're right though that it won't matter what user is logged on if the computer itself is noncompliant and doesn't have a certificate. You do have the option, however, of setting up network policies that specify compliance settings that are different for different users.

     

    -Greg

    Friday, October 19, 2007 2:15 PM
  • If you are doing IPsec communications, you can transport the user and/or computer name so that you can specify rules with these parameters.

     

    For example: you put some applications on a server: a web server, a MOM agent, some other services.

     

    You make a connection security rule to do IPsec isolation, which provides authentication for computers and users via Kerberos.

     

    Then you make a firewall rule for the web server in which you only specify that port 80 TCP is open.

    Then you make another one; your network is isolated with IPsec, so if you say in the rule to "accept if it's secure", you can choose which computer or user can access the resource.

    So for the MOM agent rule you say accept if it's secure and you put the MOM machine.

     

    You can do this for users.

    I know this can be done at the application layer by application (ACLs for file shares, IIS security auth and ...).

     

     

    If you do the IPsec auth with a health certificate you will only have the computer (and I'm not sure if it will work; I don't know if certificate account mapping is possible, but I think yes).

     

    If you clear "only accept health certificates", in case your client computer auto-enrolls a certificate (a computer certificate for example) it will be used even if it is unhealthy.

    Friday, October 19, 2007 2:48 PM