How to configure remote IPsec management and remote IPsec monitoring from Windows-based computers

Article ID: 925631

INTRODUCTION

This article describes how to configure Windows-based computers to manage Internet Protocol security (IPsec) policies and to monitor IPsec activity for remote computers.

On Windows-based computers, you can use the IP Security Policy Management Microsoft Management Console (MMC) snap-in to remotely manage IPsec policies. Additionally, you can use the IP Security Monitor MMC snap-in to remotely monitor IPsec activity.

On Windows Server 2003-based computers and later Windows-based computers, you can also use the Netsh command-line utility to remotely manage IPsec policies and to remotely monitor IPsec activity.

Note Windows XP does not have an IPsec context for the Netsh command. Therefore, the Netsh command cannot be used to configure IPsec on Windows XP-based computers.

MORE INFORMATION

To manage an IPsec policy on a remote Windows-based computer, both of the following conditions must be true:
  • You must be an administrator on the remote computer.
  • Remote management must be enabled on the remote computer.

Add yourself as an administrator on the remote computer

  1. On the remote computer that you want to remotely manage or monitor, click Start, click Run, type compmgmt.msc, and then click OK.
  2. In the Computer Management Microsoft Management Console (MMC) snap-in, expand Local Users and Groups, and then click Groups.
  3. Double-click Administrators.
  4. In the Properties dialog box, click Add.
  5. In the Enter the object names to select area, type the name of the user account that you want to add as an administrator for this computer.
  6. Click Check Names, and then click OK two times.

Enable remote management for legacy IPsec on the remote computer

Note These steps apply only to Windows Vista and Windows 7.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. On the computer that you want to remotely manage or monitor, click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnableRemoteMgmt, and then press ENTER.
  5. Right-click the EnableRemoteMgmt entry, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.
  8. Start the RemoteRegistry service. To do this, type net start remoteregistry at a command prompt, and then press ENTER.
  9. Start the PolicyAgent service. To do this, type net start policyagent at a command prompt, and then press ENTER.
  10. Make sure that the user who will manage or monitor the computer has Administrator permissions on the computer.
  11. In the Advanced Security section of Windows Firewall, enable Remote Service Management rules.

Enable remote management on the remote computer

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. On the computer that you want to remotely manage or monitor, click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type EnableRemoteMgmt, and then press ENTER.
  5. Right-click the EnableRemoteMgmt entry, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.
  8. Open a command prompt as an administrator, type the following command, and then press ENTER:
    sc config policyagent start= auto
  9. Restart the computer.
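
The two registry procedures above can be scripted and checked as follows. This is an added example, not part of the original article: the function names are hypothetical, and it assumes an elevated Windows PowerShell session on the computer to be managed. The reporting function can also be used to audit which computers have remote IPsec management turned on.

```powershell
# Added example; not part of the original article.
# Assumes an elevated Windows PowerShell (2.0-5.1) session on the managed computer.
$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'

# Hypothetical helper: report the settings that the article's steps change.
function Get-IpsecRemoteMgmtState {
    $entry  = Get-ItemProperty -Path $PolicyAgentKey -Name EnableRemoteMgmt -ErrorAction SilentlyContinue
    $agent  = Get-WmiObject Win32_Service -Filter "Name='PolicyAgent'"
    $remreg = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
    New-Object PSObject -Property @{
        # $null means the EnableRemoteMgmt entry has never been created
        EnableRemoteMgmt     = if ($entry) { $entry.EnableRemoteMgmt } else { $null }
        PolicyAgentStartMode = $agent.StartMode
        PolicyAgentState     = $agent.State
        RemoteRegistryState  = $remreg.State
    }
}

# Hypothetical helper: apply the article's steps.
# -LegacyVista7 follows the Windows Vista / Windows 7 procedure;
# without it, the general procedure is followed.
function Enable-IpsecRemoteMgmt {
    param([switch]$LegacyVista7)

    # Create EnableRemoteMgmt as a DWORD and set it to 1 (-Force overwrites an existing entry)
    New-ItemProperty -Path $PolicyAgentKey -Name EnableRemoteMgmt `
        -PropertyType DWord -Value 1 -Force | Out-Null

    if ($LegacyVista7) {
        Start-Service -Name RemoteRegistry
        Start-Service -Name PolicyAgent
        # Enable the Remote Service Management rule group in Windows Firewall
        netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
    }
    else {
        # Call sc.exe by its full name: in PowerShell, "sc" is an alias for Set-Content
        sc.exe config policyagent start= auto
        Write-Warning 'Restart the computer to complete the change.'
    }
}

# Show the state before and after the change
Get-IpsecRemoteMgmtState | Format-List
# Enable-IpsecRemoteMgmt -LegacyVista7      # uncomment the variant that applies
# Enable-IpsecRemoteMgmt
# Get-IpsecRemoteMgmtState | Format-List
```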

Configure the IP Security Policy Management MMC snap-in to manage IPsec policies for remote computers

  1. On the computer that you are using to manage IPsec policies for remote computers, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, click Add.
  4. In the Available Standalone Snap-ins dialog box, click IP Security Policy Management, and then click Add.
  5. In the Select which computer or domain this snap-in will manage dialog box, click Another computer, type the name or the IP address of the remote computer that you want to manage, and then click Finish.
  6. Click Close, and then click OK.

Configure the IP Security Monitor MMC snap-in to monitor IPsec activity for remote computers

  1. On the computer that you are using to monitor IPsec activity for remote computers, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, click Add.
  4. In the Available Standalone Snap-ins dialog box, click IP Security Monitor, and then click Add.
  5. Click Close, and then click OK.
  6. In MMC, right-click IP Security Monitor, and then click Add Computer.
  7. In the Add Computer dialog box, click The following computer, type the name or the IP address of the remote computer that you want to manage, and then click OK.

Use the Netsh command-line utility to remotely manage IPsec policies and to remotely monitor IPsec activity

On a Windows Server 2003-based computer, you can use the Netsh command-line utility to remotely manage IPsec policies and to remotely monitor IPsec activity. To do this, follow these steps:
  1. On the computer that you are using to remotely manage IPsec policies and to remotely monitor IPsec activity, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command, and then press ENTER:
    Netsh -c ipsec -r remotecomputer [NetShCommand | -f ScriptFile]
For more information about how to use the Netsh command-line utility, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/fd1e2fbe-15a6-413b-b712-28afb312c92f1033.mspx
For more information about how to use the Netsh command-line utility for IPsec, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/c3ae0d03-f18f-40ac-ad33-c0d443d5ed901033.mspx?mfr=true

Properties

Article ID: 925631 - Last Review: August 3, 2009 - Revision: 3.0
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Starter
  • Windows Vista Ultimate
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate