Have set up NAP using IPsec enforcement, get certificate, but sends information unencrypted

  • Question

  • I have set up NAP using IPsec enforcement, I have followed the book "Windows Server 2008 Networking and Network Access Protection (NAP)" and everything seems to work fine. The clients get the certificate from the NAP CA, and if I set enforcement mode and the clients are not compatible they get the message that they are not, and get their certificate revoked.
    However, when I test the communication to see if it is encrypted, everything is sent in plain text. Is there a setting I have forgotten to set in Group Policy?

    The setup is one server running the root CA, and another one runs the rest (AD, DNS, DHCP, NAP CA (issuing CA), NPS and HRA).
    The servers are running 2008 and there are two Vista clients and one XP.

    Hope there is someone who can help.
    Monday, March 9, 2009 3:56 PM

Answers

  • Hi,

    Exemptions are accomplished by issuing an exemption certificate. I'm not sure what this has to do with encryption, however. I think you want to right-click Windows Firewall with Advanced Security, click IPsec Settings, click Customize, and set advanced settings for Data Protection. I'm not an IPsec expert, however, so I can't guarantee this is the best method for this setting. I believe this sets the default behavior.

    -Greg

    Saturday, March 14, 2009 5:01 PM
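    The setting Greg points at (IPsec Settings, Customize, Data Protection) is what decides whether the quick-mode SAs carry ESP encryption or ESP integrity only; with the Windows Firewall with Advanced Security defaults a connection security rule negotiates integrity only, so a capture still shows the payload in clear, which matches what the original poster sees. The script below is an added example for the Vista clients in this thread, not code from the thread or from the book, showing the netsh equivalent: a connection security rule that pins the quick-mode proposal to ESP SHA1+AES-128, followed by a check of the negotiated SAs (the main-mode list the poster found empty, and the quick-mode list). The CA distinguished name, the rule name, the peer address and the exact field text matched in the netsh monitor output are placeholders and assumptions; adjust them to your environment. As Greg notes in the thread, this does not apply to the XP client, which needs a legacy IPsec policy.

```powershell
# Added example (not from the thread): require ESP encryption on the NAP
# connection security rule and verify what the negotiated SAs actually use.
# Run from an elevated PowerShell on a Vista / Server 2008 NAP client.
# Assumptions (placeholders, adjust to your environment):
#   - DN of the NAP issuing CA that signs the health certificates
#   - the rule name is not already used by a GPO-delivered rule
$NapCaDn  = 'DC=com,DC=contoso,CN=Contoso-NAP-CA'   # hypothetical issuing CA
$RuleName = 'NAP-Require-Encryption'                 # hypothetical rule name

# 1. Show what is there today. A rule created with the defaults negotiates
#    ESP SHA1 integrity only, so the packets are authenticated but readable.
netsh advfirewall consec show rule name=all

# 2. Replace the rule with one that requires inbound authentication, requests
#    it outbound (so the client can still reach the HRA over plain HTTP), and
#    pins quick mode to ESP SHA1 integrity + AES-128 encryption.
#    auth1healthcert=yes makes main mode use the NAP health certificate.
netsh advfirewall consec delete rule name=$RuleName | Out-Null
netsh advfirewall consec add rule name=$RuleName `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computercert auth1ca=$NapCaDn auth1healthcert=yes `
    qmsecmethods=esp:sha1-aes128 `
    profile=domain enable=yes

# 3. Generate traffic to another NAP client and inspect the SAs.
#    No main-mode SA with the peer means no peer authenticated, so nothing is
#    protected at all (this is the empty Main Mode view in the MMC).
#    A quick-mode SA without an encryption algorithm means integrity only.
function Test-IpsecEncryption {
    param([string]$PeerAddress)   # another NAP client in the same domain
    Test-Connection -ComputerName $PeerAddress -Count 2 -Quiet | Out-Null
    $mm = netsh advfirewall monitor show mmsa | Out-String
    $qm = netsh advfirewall monitor show qmsa | Out-String
    if ($mm -notmatch [regex]::Escape($PeerAddress)) {
        return "no main-mode SA with $PeerAddress : traffic is not IPsec-protected at all"
    }
    # Assumption: the quick-mode listing names the ESP cipher (AES/3DES) when
    # one was negotiated; check the wording on your build if this never matches.
    if ($qm -match 'AES|3DES') {
        return "quick-mode SA with ESP encryption present: payload is protected"
    }
    return "quick-mode SA present but ESP is integrity-only: payload is still cleartext"
}

Test-IpsecEncryption -PeerAddress '192.168.1.20'   # second Vista client, placeholder
```

    If the rule is delivered by Group Policy rather than created locally, make the same change in the GPO (the per-rule quick-mode setting, or the "Require encryption for all connection security rules that use these settings" option under Data Protection), otherwise the local rule is overridden at the next policy refresh. Capture the traffic again after the SAs show an ESP cipher; an authenticated-only ESP packet and an encrypted one look the same at the IP layer, so the SA listing is the quicker check.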

All replies

  • Hi,

    Can you tell me what pages in the book you are using to configure IPsec policies?

    Note that if you use connection security rules, this will not affect a client computer running Windows XP. You must use legacy IPsec policies for this.

    See Health Enforcement and Remediation in the NAP Design Guide, and also Checklist: Deploy IPsec Policies for NAP for more information.

    -Greg
    Tuesday, March 10, 2009 5:28 AM
  • I'm following chapter 16. I have mainly focused on the Vista clients, trying to get them to work before getting into the XP client. I have checked the troubleshooting IPsec policy section at the end of the chapter, and everything seems to be working accordingly, except when I set the firewall on the client machines not to accept anything except IPsec packets.
    The communication between NAP clients and the HRA is based on HTTP, not HTTPS, because I didn't get HTTPS to work.
    Tuesday, March 10, 2009 9:55 AM
  • You need to make an exemption list for the HRA servers, regarding the IPsec firewall rule on the Vista client.
    • Marked as answer by Leif Erik Wednesday, March 11, 2009 1:35 PM
    • Unmarked as answer by Leif Erik Friday, March 13, 2009 11:41 AM
    Wednesday, March 11, 2009 10:59 AM
  • I need to set exemption for the HRA server on the firewall on the clients?
    Wednesday, March 11, 2009 11:03 AM
  • YES
    Wednesday, March 11, 2009 1:34 PM
  • I searched the net to find out how to make an exemption list for the HRA server, but did not find any helpful answers. So can anyone tell me how it's done?
    I have noticed that "Windows Firewall with Advanced Security -> Monitoring -> Security Associations -> Main Mode" is empty; I believe there is supposed to be an authentication rule or something there.
    Friday, March 13, 2009 11:43 AM