Change to IPSec connection security rules in Windows 7

  • Question

  • Hey all,

    I'm setting up NAP using IPSec on our domain. I'm following the instructions here:

    http://technet.microsoft.com/en-us/library/dd314176%28WS.10%29.aspx

    In the section titled "Configure the Vista IPSec Secure GPO", in step 12, it specifies to select Computer Certificate and check the box labelled "Only accept health certificates". However, when I attempt to configure this setting from a computer running Windows 7, the "Computer Certificate" option is not available.

    Sure enough, the help file specifies that "This option is available only when you specify a Server-to-server or Tunnel rule type." (See http://technet.microsoft.com/en-us/library/dd421719%28WS.10%29.aspx )

    Why has this changed? Will I need to create a separate GPO to deploy NAP with IPSec to my Windows 7 clients? And if so, how do I configure it?

    Friday, April 30, 2010 8:58 PM

Answers

  • Hi Ryan,

    I assume you are configuring the GPO on Windows Server 2008 or 2008 R2. Why did you say you are trying to configure this from a computer running Windows 7? Are you editing local Group Policy? Even so, this setting is available. The topic at http://technet.microsoft.com/en-us/library/dd421719%28WS.10%29.aspx is sort of correct, but should probably mention that it is also available using "Advanced" settings.

    Checking the steps on Vista and Windows 7 (in local Group Policy), I see there is a change when you get to the Authentication Method page. It looks like you will need to use the Advanced setting now. I haven't checked to see if the setting changed from Server 2008 to Server 2008 R2, but it probably did. Sorry that the steps are now off - thank you for pointing this out. I will notify the writer to get this updated.

    Below is a comparison between Windows 7 and Vista. In Windows 7 (and probably Server 2008 R2) click Advanced, Customize, and under the First authentication method click Add, choose Computer certificate from this certification authority (CA), browse to your CA, and click Accept only health certificates. Click OK, OK, and next. This creates the same rule as before.

    -Greg

    Windows 7:

    Vista:

    Saturday, May 1, 2010 6:22 PM
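
The rule that the Advanced > Customize steps in the answer produce can also be created and checked from an elevated command prompt with netsh advfirewall consec. This is an added example, not part of the thread or the TechNet guide; the rule name, the CA distinguished name and the action value are assumptions to replace with your own.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated prompt.
rem RULE and CA_DN are placeholders: use your own rule name and the
rem distinguished name of the CA that issues your NAP health certificates.
set "RULE=NAP IPsec health certificate (example)"
set "CA_DN=DC=com, DC=example, CN=Example-Root-CA"

rem auth1=computercert with auth1ca corresponds to choosing
rem "Computer certificate from this certification authority (CA)".
rem auth1healthcert=yes corresponds to "Accept only health certificates".
rem With auth1healthcert=no (the default), any computer certificate that
rem chains to the CA authenticates, so the rule no longer enforces health.
rem action=requireinrequestout is an assumption; match it to your policy.
netsh advfirewall consec add rule name="%RULE%" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computercert ^
    auth1ca="%CA_DN% catype:root" ^
    auth1healthcert=yes
if errorlevel 1 (
    echo Failed to add the rule. Check the CA name and that the prompt is elevated.
    exit /b 1
)

rem Print the stored rule so the authentication settings can be reviewed.
netsh advfirewall consec show rule name="%RULE%" verbose
```

The script writes to the local policy store of the machine it runs on, so the stored rule can be compared with one built through the GUI before the setting is rolled out by GPO.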

All replies

  • Hi Greg, thanks for your reply -- that answers my question. In response to your question about why I'm editing the policy from a Windows 7 computer: I'm using the Remote Server Administration Tools.
    Monday, May 3, 2010 7:21 PM