Have set up NAP using IPsec enforcement, get certificate, but sends information unencrypted

Question
-
I have set up NAP using IPsec enforcement. I have followed the book "Windows Server 2008 Networking and Network Access Protection (NAP)" and everything seems to work fine. The clients get the certificate from the NAP CA, and if I set enforcement mode and the clients are not compatible, they get the message that they are not and get their certificate revoked.
However, when I test the communication to see if it is encrypted, everything is sent in plain text. Is there a setting I have forgotten to set in Group Policy?
The setup is one server running the root CA, and another one runs the rest (AD, DNS, DHCP, NAP CA (issuing CA), NPS and HRA).
The servers are running 2008 and there are two Vista clients and one XP.
Hope there is someone who can help.
Monday, March 9, 2009 3:56 PM
Answers
-
Hi,
Exemptions are accomplished by issuing an exemption certificate. I'm not sure what this has to do with encryption, however. I think you want to right-click Windows Firewall with Advanced Security, click IPsec settings, click Customize, and set advanced settings for Data Protection. I'm not an IPsec expert, however, so I can't guarantee this is the best method for this setting. I believe this sets the Default behavior.
-Greg
- Proposed as answer by Greg Lindsay (Microsoft employee) Tuesday, March 17, 2009 9:45 PM
- Marked as answer by Greg Lindsay (Microsoft employee) Friday, March 27, 2009 7:36 PM
Saturday, March 14, 2009 5:01 PM
All replies
-
Hi,
Can you tell me what pages in the book you are using to configure IPsec policies?
Note that if you use connection security rules, this will not affect a client computer running Windows XP. You must use legacy IPsec policies for this.
See Health Enforcement and Remediation in the NAP Design Guide, and also Checklist: Deploy IPsec Policies for NAP for more information.
-Greg
Tuesday, March 10, 2009 5:28 AM
-
I'm following chapter 16. I have mainly focused on the Vista clients, trying to get them to work before getting into the XP client. I have checked the troubleshooting IPsec policy section at the end of the chapter, and everything seems to be working accordingly, except when I set the firewall on the client machines not to accept anything except IPsec packets.
The communication between NAP clients and the HRA is based on HTTP, not HTTPS, since I didn't get HTTPS to work.
Tuesday, March 10, 2009 9:55 AM
-
Do I need to set an exemption for the HRA server on the firewall on the clients?
Wednesday, March 11, 2009 11:03 AM
-
YES
Wednesday, March 11, 2009 1:34 PM
-
I searched the net to find out how to make an exemption list for the HRA server, but did not find any helpful answers. So can anyone tell me how it's done?
I have noticed that "Windows Firewall with Advanced Security -> Monitoring -> Security Associations -> Main Mode" is empty. I believe there is supposed to be an authentication rule or something there.
Friday, March 13, 2009 11:43 AM