Article ID: 254949
This article was previously published under Q254949
This article describes the supported configurations for using Internet Protocol security (IPSec) to encrypt network traffic from a client computer to a domain controller or from a domain controller to another domain controller.
Important: The information in this section applies only to those products listed in the "Applies to" section.
We support the use of IPSec to encrypt network traffic in end-to-end client-to-client, client-to-server, and server-to-server implementations when you use either Kerberos computer authentication or certificate-based computer authentication. Currently, we do not support the use of IPSec to encrypt network traffic from a domain client or member server to a domain controller when you apply the IPSec policies by using Group Policy or when you use the Kerberos version 5 protocol authentication method.
Additionally, we support using IPSec to encrypt both of the following kinds of network traffic:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
After you configure this IPSec policy, you may notice that when the computers are started, several packets may be sent over the network unencrypted. This issue occurs because some packets might be sent over the network before the IPSec driver has been initialized and before the IPSec policy has been processed. To resolve this issue, put the IPSec driver (IPSec.sys) into Block Mode during the computer startup process. When you do this, IPSec blocks outgoing network traffic from the computer until the PolicyAgent component starts and loads the IPSec policies. After the PolicyAgent component has started and the IPSec policies are loaded, the PolicyAgent changes the IPSec driver's operation mode to permit the passage of IPSec traffic. To put the IPSec driver into Block Mode, set the following registry value:
Value name: OperationMode
Value type: REG_DWORD
Value data: 1
A value of 1 puts the IPSec driver into Block Mode. A value of 0 (zero) bypasses the IPSec driver's Block Mode.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
254728 (http://support.microsoft.com/kb/254728/) IPSec does not secure Kerberos traffic between domain controllers
We support using IPSec to encrypt domain controller-to-domain controller traffic such as Server Message Block (SMB), Remote Procedure Call (RPC) replication, and other kinds of traffic. You can transport this traffic by using IPSec to let you easily pass these kinds of traffic through a firewall. In this scenario, you only have to permit IPSec traffic and Internet Key Exchange (IKE) traffic through your firewall. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
233256 (http://support.microsoft.com/kb/233256/) How to enable IPSec traffic through a firewall
We recommend that you require certificate-based authentication when you configure domain controller-to-domain controller IPSec policy rules. For detailed information about how to create an IPSec policy, see the Active Directory in Networks Segmented by Firewalls document. To obtain this document, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
The rule must require certificate authentication if the security requirements do not allow Kerberos traffic through the firewall. By default, IKE certificate revocation checking is off, and may have to be enabled through the firewall. This depends on the PKI infrastructure that is being used.
Build the IPSec rule on the domain controllers by using the following specifications:
253169 (http://support.microsoft.com/kb/253169/) Traffic that can--and cannot--be secured by IPSec
Article ID: 254949 - Last Review: October 12, 2007 - Revision: 7.7