Windows provides a very simple way to establish a secure communication (IPSEC) between two machines on the machine level: Connection Security Rules.
Connection Securiy Rules allow the configuration of a encrypted communication even a user is not logged on. The IPSEC rule can use a preshared key (for testing, single server or you do not have a PKI) or digital certificates for authentication in an enterprise environment Using certificates is the best way for authentication and my recommendation.
The computer and the users have still to authenticate before they can use any service on a IPSEC protected host, so see IPSEC as an pre-authentication.
Use scenarios:
- You want allow only access from corporate laptop computers to Exchange Outlook Anywhere or other internal services directly, or over TMG or UAG
- You have a server externally hosted and you want have a more secure way to RDP in
- You want allow access to a file share for remote workers in a way they do not have to VPN-in all the time
- You want make sure that computers for remote worker can use the corporate WSUS server for patching even the machines are not connected back via VPN to corporate network
- ...
Requirement:
- Windows Firewall service must be running
- Windows Firewall profiles must be active the network profile(s)
- Firewall rules must allow IPSEC traffic ESP and UDP500(ISAKMP). UDP4500(IPSEC NAT-T) is required if the server is behind a NAT firewall (as it is in this example)
Note: You can require IPSEC also only for certain TCP ports, e.g. you have an externally hosted web server. Require IPSEC only for 3389(RDP) for web server administration but port 80 is open because you clients want surf your companies public web site.And make all other ports not available from outside of that server at all.
Client Configuration Steps
1.
Open Group Policy Management
2.
Navigate to Computer
Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with
Advanced Security/ Windows Firewall with Advanced Security/Connection Security
Rules
Note: as alternative and
for testing you can also start the Windows Firewall management console by starting
wf.msc from the Run dialog.
3.
Make a right mouse click on Connection Security
Rules and click on New Rule…
4. Select Server-to-server as rule type and click Next.
5. Add the public IP address of the edge server to
the list of IP addresses under “Which computers are in Endpoint 2?” Then select
Next to continue.
6.
Select and then click Next.
7. Click
Browse and select the appropriate CA name. Then click Next.
8. Select all firewall profiles and click Next.
9. Enter
name and description of the rule. Then click Finish to end the configuration wizard.
Server Side Configuration Steps
The server must have a second network card for external
facing connections. The configuration of the IPSEC rules should be for this
interface, otherwise you might lose the network connection to the server.
1. Start the Windows Firewall Advanced
Configuration management console from the Run menu by running wf.msc.
2. Click
on Connection Security Rules and then New
Rule …
3. Select
Server-to-server and click Next.
4. Add
the server IP address to the list of IP address under “Which computers are in
Endpoint 2?” and click Next to
continue.
5. Select
Require authentication for inbound and outbound connections and then click on Next.
6. Click
Browse and select the appropriate CA name. Then click Next.
7. Select all firewall profiles and click Next.
