RE: Assigning New IPSec Policy to terminal server



Thanks Morgan,

So regarding the original question: "To make sure that clients respond to
the TS requests for security, I right click the Client (Respond Only) and
assign it. But this changes the IPSec policy to NO for "Policy Assigned";
it seems like I cannot have them both assigned."

When I set Client (respond only) to "yes", is it normal operation for the
IPSec policy to change from yes to no?

"Morgan che(MSFT)" wrote:

Hi,

Thanks for the reply.

When I said 'link to this OU', I mean exactly 'apply Group Policy to this
OU'. I will explain this process in detail.

For the TS server, we can define an OU named TS and put the TS server account
into this OU. Then, we can define a group policy according to the steps
"Create an IPSec filter list to match the Terminal Services packets" and
"Create an IPSec policy to enforce IPSec protection, and then enable the
policy" of KB 816521 and apply this GP to the TS OU. Accordingly, we add some
AD users into the Remote Desktop Users group to grant them remote access
permission.

However, in order to secure the communication between clients and the Terminal
server, we have to apply the "Enable the Client (respond-only)" policy for
these users as KB 816521 says. Because we cannot directly apply a Group
Policy to the user accounts, we can simply apply the "Enable the Client
(respond-only)" policy to the whole domain or to an OU which contains the
client computer objects that need to access the terminal server.

After completing the above steps, when users log on to TS, the traffic
between clients and TS will be secured.

Hope this helps. If anything is unclear, please post back.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->From: =?Utf-8?B?U0pNUA==?= <sjmp@xxxxxxxxxxxxxxxx>
--->References: <5F0E8981-896E-4B73-A4E5-AC8CF0BF65D8@xxxxxxxxxxxxx> <wja$7cxvIHA.1788@xxxxxxxxxxxxxxxxxxxxxx>
--->Subject: RE: Assigning New IPSec Policy to terminal server
--->Date: Tue, 27 May 2008 05:32:02 -0700
--->Message-ID: <E3F5C2ED-0451-4CFA-A87E-BA8C45226B7E@xxxxxxxxxxxxx>
--->Newsgroups: microsoft.public.windows.terminal_services
--->
--->Morgan,
--->
--->Not sure I follow you. This TS server is going to be assigned to a specific
--->OU created just for TS. Can you elaborate on "link to this OU." This OU is
--->not linked and was not going to be linked. I was going to assign the TS
--->computer object to this OU and give Remote Desktop Users group permissions,
--->while assigning AD users to this group.
--->
--->
--->"Morgan che(MSFT)" wrote:
--->
--->> Hi,
--->>
--->> Thanks for posting here.
--->>
--->> I also built an environment to test the behavior according to KB 816521.
--->> As the KB mentioned, the "Create an IPSec filter list to match the Terminal
--->> Services packets" and "Create an IPSec policy to enforce IPSec protection,
--->> and then enable the policy" steps should be completed on the Terminal server
--->> side. The "Enable the Client (respond-only) policy on the Terminal Services
--->> clients" action should be applied on the terminal server clients.
--->>
--->> We can create a new OU and put the clients that you want to secure
--->> communication with the Terminal server into this OU, then we can define the
--->> "Enable the Client (respond-only)" policy and link it to this OU. Once this
--->> is done, when clients connect to the Terminal server, they will negotiate
--->> the encryption method and apply the security configuration we define on the
--->> terminal server.
--->>
--->> Hope this helps. Have a good day!
--->>
--->>
--->>
--->> Sincerely
--->> Morgan Che
--->> Microsoft Online Support
--->> Microsoft Global Technical Support Center
--->>
--->> Get Secure! - www.microsoft.com/security
--->> =====================================================
--->> When responding to posts, please "Reply to Group" via your newsreader so
--->> that others may learn and benefit from your issue.
--->> =====================================================
--->> This posting is provided "AS IS" with no warranties, and confers no rights.
--->>
--->>
--->> --------------------
--->> --->From: =?Utf-8?B?U0pNUA==?= <sjmp@xxxxxxxxxxxxxxxx>
--->> --->Subject: Assigning New IPSec Policy to terminal server
--->> --->Date: Fri, 23 May 2008 07:42:01 -0700
--->> --->Message-ID: <5F0E8981-896E-4B73-A4E5-AC8CF0BF65D8@xxxxxxxxxxxxx>
--->> --->Newsgroups: microsoft.public.windows.terminal_services
--->> --->
--->> --->When I right click and apply a new IPSec policy in group policy the
--->> --->policy is assigned. Then "to make sure that clients respond to the TS
--->> --->requests for security" I right click the Client (Respond Only) and
--->> --->assign it. But this changes the IPSec policy to NO for "Policy
--->> --->Assigned"; it seems like I cannot have them both assigned. Can someone
--->> --->please explain this to me. I am following KB 816521.
--->> --->
--->> --->Thanks.
--->> --->
--->>
--->>
--->
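As an added example that is not part of the thread or of KB 816521, the three KB steps the thread walks through expressed with the netsh ipsec static commands of Windows Server 2003 / XP rather than the MMC snap-in, ending with the check that shows why a policy store reports at most one policy as assigned (the reason assigning Client (Respond Only) alongside the TS policy flips the latter to No). The names "TS 3389", "Require IPSec", "TS IPSec" and "Secure RDP" are assumptions; "Client (Respond Only)" is the built-in Windows policy name.

```batch
@echo off
REM Added example, not from the thread or KB 816521. netsh ipsec static works
REM on the LOCAL policy store by default; "netsh ipsec static set store
REM location=domain" would point it at the Active Directory store a GPO uses.
REM Policy, filter-list, action and rule names below are assumptions.

REM ===== Terminal server side: KB steps 1 and 2 =====
REM Filter list matching RDP (TCP 3389) to this host, mirrored so replies match.
netsh ipsec static add filterlist name="TS 3389" description="Terminal Services traffic"
netsh ipsec static add filter filterlist="TS 3389" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

REM Filter action: negotiate security, no fallback to clear text (soft=no)
REM and no unsecured inbound traffic accepted (inpass=no).
netsh ipsec static add filteraction name="Require IPSec" action=negotiate inpass=no soft=no

REM Policy with one rule tying the list to the action, Kerberos (domain) auth.
netsh ipsec static add policy name="TS IPSec" description="Secure Terminal Services"
netsh ipsec static add rule name="Secure RDP" policy="TS IPSec" filterlist="TS 3389" filteraction="Require IPSec" kerberos=yes

REM Assign it. A store holds at most one assigned policy, so assigning this
REM one unassigns whatever was assigned in the same store before.
netsh ipsec static set policy name="TS IPSec" assign=yes

REM ===== Client side: KB step 3 =====
REM Run on each client, or in the GPO linked to the clients' OU (not the TS
REM OU). Assigning it in the SAME store as "TS IPSec" would set "TS IPSec"
REM to Policy Assigned = No, which is what the original poster observed.
REM   netsh ipsec static set policy name="Client (Respond Only)" assign=yes

REM ===== Verification =====
REM Exactly one policy should show Assigned: Yes on each machine:
REM "TS IPSec" on the terminal server, "Client (Respond Only)" on clients.
netsh ipsec static show policy all
REM When the policy arrives through Group Policy, this names the GPO that
REM delivered it, so a TS that shows the client policy here is in the wrong OU.
netsh ipsec static show gpoassignedpolicy
```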

