RE: Assigning New IPSec Policy to terminal server

Hi,

Thanks for the reply.

When I said 'link to this OU', I exactly mean 'apply Group Policy to this
OU'. I will explain this process in detail.

For TS server, we can define a OU named TS and put the TS server account
into this OU. Then, we can define a group policy according to the steps
"Create an IPSec filter list to match the Terminal Services packets" and
"Create an IPSec policy to enforce IPSec protection, and then enable the
policy" of KB 816521 and apply this GP for TS OU. Accordingly, we add some
AD uses into Remote Desktop Users group to grant them remote access
permission.

However, in order to secure the communication between clients and Terminal
server, we have to apply "Enable the Client (respond-only)" policy for
these users as KB816521 said. Due to the fact we couldn't directly apply a
Group Policy to the user accounts, we can simply apply the "Enable the
Client (respond-only)" policy to the whole domain or an OU which contains
clients computer objects that need to access the terminal server.

After completing the above methods, when users logon TS, the traffic
between clients and TS will be secured.

Hope this helps. if anything is unclear, please post back.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->Thread-Topic: Assigning New IPSec Policy to terminal server
--->thread-index: Aci/9aqUHoqiHhaSSRq8lymwfjH6Ng==
--->X-WBNR-Posting-Host: 207.46.19.197
--->From: =?Utf-8?B?U0pNUA==?= <sjmp@xxxxxxxxxxxxxxxx>
--->References: <5F0E8981-896E-4B73-A4E5-AC8CF0BF65D8@xxxxxxxxxxxxx>
<wja$7cxvIHA.1788@xxxxxxxxxxxxxxxxxxxxxx>
--->Subject: RE: Assigning New IPSec Policy to terminal server
--->Date: Tue, 27 May 2008 05:32:02 -0700
--->Lines: 85
--->Message-ID: <E3F5C2ED-0451-4CFA-A87E-BA8C45226B7E@xxxxxxxxxxxxx>
--->MIME-Version: 1.0
--->Content-Type: text/plain;
---> charset="Utf-8"
--->Content-Transfer-Encoding: 7bit
--->X-Newsreader: Microsoft CDO for Windows 2000
--->Content-Class: urn:content-classes:message
--->Importance: normal
--->Priority: normal
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2992
--->Newsgroups: microsoft.public.windows.terminal_services
--->Path: TK2MSFTNGHUB02.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.terminal_services:17956
--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->X-Tomcat-NG: microsoft.public.windows.terminal_services
--->
--->Morgan,
--->
--->Not sure I follow you. This TS server is going to be assigned to a
specific
--->OU created just for TS. Can you elaborate on "link to this OU." This OU
is
--->not linked and was not going to be linked. I was going to assign the TS
--->computer object to this OU and give Remote Desktop Users group
permissions,
--->while assigning AD users to this group.
--->
--->
--->"Morgan che(MSFT)" wrote:
--->
--->> Hi,
--->>
--->> Thanks for posting here.
--->>
--->> I also built environment to test the behavior according to KB 816521.
As KB
--->> mentioned, the " Create an IPSec filter list to match the Terminal
Services
--->> packets" and "Create an IPSec policy to enforce IPSec protection, and
then
--->> enable the policy" steps should be completed on Terminal server side.
The "
--->> Enable the Client (respond-only) policy on the Terminal Services
clients"
--->> action should apply on terminal server clients.
--->>
--->> We can create a new OU and put the clients that you want to secure
--->> communication with Terminal server in this OU, then we can define
"Enable
--->> the Client (respond-only)" policy and link to this OU. To do so, when
--->> clients connecting Terminal server, they will negotiate encryption
method
--->> and apply the security configuration we define on terminal server.
--->>
--->> Hope this helps. Have a good day!
--->>
--->>
--->>
--->> Sincerely
--->> Morgan Che
--->> Microsoft Online Support
--->> Microsoft Global Technical Support Center
--->>
--->> Get Secure! - www.microsoft.com/security
--->> =====================================================
--->> When responding to posts, please "Reply to Group" via your newsreader
so
--->> that others may learn and benefit from your issue.
--->> =====================================================
--->> This posting is provided "AS IS" with no warranties, and confers no
rights.
--->>
--->>
--->> --------------------
--->> --->Thread-Topic: Assigning New IPSec Policy to terminal server
--->> --->thread-index: Aci84yku5/bXvlRJT/aIIs7blq3ikg==
--->> --->X-WBNR-Posting-Host: 207.46.19.168
--->> --->From: =?Utf-8?B?U0pNUA==?= <sjmp@xxxxxxxxxxxxxxxx>
--->> --->Subject: Assigning New IPSec Policy to terminal server
--->> --->Date: Fri, 23 May 2008 07:42:01 -0700
--->> --->Lines: 8
--->> --->Message-ID: <5F0E8981-896E-4B73-A4E5-AC8CF0BF65D8@xxxxxxxxxxxxx>
--->> --->MIME-Version: 1.0
--->> --->Content-Type: text/plain;
--->> ---> charset="Utf-8"
--->> --->Content-Transfer-Encoding: 7bit
--->> --->X-Newsreader: Microsoft CDO for Windows 2000
--->> --->Content-Class: urn:content-classes:message
--->> --->Importance: normal
--->> --->Priority: normal
--->> --->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2992
--->> --->Newsgroups: microsoft.public.windows.terminal_services
--->> --->Path: TK2MSFTNGHUB02.phx.gbl
--->> --->Xref: TK2MSFTNGHUB02.phx.gbl
--->> microsoft.public.windows.terminal_services:17902
--->> --->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
--->> --->X-Tomcat-NG: microsoft.public.windows.terminal_services
--->> --->
--->> --->When I right click and apply a new IPSec policy in group policy
the
--->> policy is
--->> --->assigned. Then "to make sure that clients respond to the TS
requests
--->> for
--->> --->security" I right click the Client (Respon Only) and assign it.
But
--->> this
--->> --->changes the IPSec policy to NO for "Policy Assigned" it seems
like I
--->> cannot
--->> --->have them both assigned. Can someone please explain this to me. I
am
--->> --->following KB 816521
--->> --->
--->> --->Thanks.
--->> --->
--->>
--->>
--->

.

Relevant Pages

  • Re: Intermittant GPO failure to apply
    ... If you have backup your group policy before, you can restore it from the ... 244474 How to force Kerberos to use TCP instead of UDP in Windows Server ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • RE: Group Policy, Firewall and RDP - Terminal Services
    ... I tried to tel net and ping the Clients by name and IP and received nothing. ... Re Ran CEICW on SBS server and VPN connector and still nothing. ... I went into the Group Policy and enable Remote Connection, ... I did mention that I CAN Remote into the Server right? ...
    (microsoft.public.windows.server.sbs)
  • Re: Prevented from adding users
    ... but disabling will allow the clients to make a ... connection without the (there is a policy in affect...) message. ... setting I should configure my print server name? ... This policy setting restricts the servers that a client can ...
    (microsoft.public.windowsxp.print_fax)
  • RE: Loopback Policy Not Taking Effect
    ... I setup a fax server that is running WinXP. ... Group Policy was applied from: ... Filtering: Not Applied ...
    (microsoft.public.windows.terminal_services)
  • RE: Companyweb and guests - advice?
    ... You can find the Default Domain policy under the following node: ... Open server management console, locate Advanced Management -> Group Policy ...
    (microsoft.public.windows.server.sbs)