RE: Assigning New IPSec Policy to terminal server



Hi,

How are you?

I am writing to see if you have any update about this post. If my
suggestion is helpful or you have solved this issue, please feel free to let
me know.
Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->From: SJMP <sjmp@xxxxxxxxxxxxxxxx>
--->Subject: RE: Assigning New IPSec Policy to terminal server
--->Date: Wed, 28 May 2008 05:50:01 -0700
--->
--->Thanks Morgan,
--->
--->So regarding the original question: " "to make sure that clients respond to
--->the TS requests for security" I right click the Client (Respond Only) and
--->assign it. But this
--->changes the IPSec policy to NO for "Policy Assigned" it seems like I cannot
--->have them both assigned"
--->
--->By enabling Client (respond only) to "yes" this is normal operation for
--->IPSec Policy to change from yes to no?
--->
--->"Morgan che(MSFT)" wrote:
--->
--->> Hi,
--->>
--->> Thanks for the reply.
--->>
--->> When I said 'link to this OU', I exactly mean 'apply Group Policy to this
--->> OU'. I will explain this process in detail.
--->>
--->> For TS server, we can define an OU named TS and put the TS server account
--->> into this OU. Then, we can define a group policy according to the steps
--->> "Create an IPSec filter list to match the Terminal Services packets" and
--->> "Create an IPSec policy to enforce IPSec protection, and then enable the
--->> policy" of KB 816521 and apply this GP for TS OU. Accordingly, we add some
--->> AD users into Remote Desktop Users group to grant them remote access
--->> permission.
--->>
--->> However, in order to secure the communication between clients and Terminal
--->> server, we have to apply "Enable the Client (respond-only)" policy for
--->> these users as KB816521 said. Due to the fact we couldn't directly apply a
--->> Group Policy to the user accounts, we can simply apply the "Enable the
--->> Client (respond-only)" policy to the whole domain or an OU which contains
--->> client computer objects that need to access the terminal server.
--->>
--->> After completing the above methods, when users log on to TS, the traffic
--->> between clients and TS will be secured.
--->>
--->> Hope this helps. If anything is unclear, please post back.
--->>
--->> Sincerely
--->> Morgan Che
--->> Microsoft Online Support
--->> Microsoft Global Technical Support Center
--->>
--->>
--->>
--->> --------------------
--->> --->From: SJMP <sjmp@xxxxxxxxxxxxxxxx>
--->> --->Subject: RE: Assigning New IPSec Policy to terminal server
--->> --->Date: Tue, 27 May 2008 05:32:02 -0700
--->> --->
--->> --->Morgan,
--->> --->
--->> --->Not sure I follow you. This TS server is going to be assigned to a specific
--->> --->OU created just for TS. Can you elaborate on "link to this OU." This OU is
--->> --->not linked and was not going to be linked. I was going to assign the TS
--->> --->computer object to this OU and give Remote Desktop Users group permissions,
--->> --->while assigning AD users to this group.
--->> --->
--->> --->
--->> --->"Morgan che(MSFT)" wrote:
--->> --->
--->> --->> Hi,
--->> --->>
--->> --->> Thanks for posting here.
--->> --->>
--->> --->> I also built an environment to test the behavior according to KB 816521. As KB
--->> --->> mentioned, the "Create an IPSec filter list to match the Terminal Services
--->> --->> packets" and "Create an IPSec policy to enforce IPSec protection, and then
--->> --->> enable the policy" steps should be completed on Terminal server side. The
--->> --->> "Enable the Client (respond-only) policy on the Terminal Services clients"
--->> --->> action should apply on terminal server clients.
--->> --->>
--->> --->> We can create a new OU and put the clients that you want to secure
--->> --->> communication with Terminal server in this OU, then we can define "Enable
--->> --->> the Client (respond-only)" policy and link to this OU. To do so, when
--->> --->> clients connect to Terminal server, they will negotiate encryption method
--->> --->> and apply the security configuration we define on terminal server.
--->> --->>
--->> --->> Hope this helps. Have a good day!
--->> --->>
--->> --->>
--->> --->>
--->> --->> Sincerely
--->> --->> Morgan Che
--->> --->> Microsoft Online Support
--->> --->> Microsoft Global Technical Support Center
--->> --->>
--->> --->>
--->> --->>
--->> --->> --------------------
--->> --->> --->From: SJMP <sjmp@xxxxxxxxxxxxxxxx>
--->> --->> --->Subject: Assigning New IPSec Policy to terminal server
--->> --->> --->Date: Fri, 23 May 2008 07:42:01 -0700
--->> --->> --->
--->> --->> --->When I right click and apply a new IPSec policy in group policy the policy is
--->> --->> --->assigned. Then "to make sure that clients respond to the TS requests for
--->> --->> --->security" I right click the Client (Respond Only) and assign it. But this
--->> --->> --->changes the IPSec policy to NO for "Policy Assigned" it seems like I cannot
--->> --->> --->have them both assigned. Can someone please explain this to me. I am
--->> --->> --->following KB 816521
--->> --->> --->
--->> --->> --->Thanks.
--->> --->> --->
--->> --->>
--->> --->>
--->> --->
--->>
--->>
--->
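
Added example (not part of the thread or of KB 816521): the server/client split described in the replies above, written as `netsh ipsec static` commands against the local policy store of a Windows Server 2003 / XP machine instead of a GPO. The policy, filter list, filter action and rule names, the TCP 3389 filter and the ESP offer are assumptions chosen for illustration.

```batch
@echo off
rem Added illustration; not from the thread and not Microsoft's own script.
rem Usage: ts-ipsec.cmd server   (run on the terminal server)
rem        ts-ipsec.cmd client   (run on each Terminal Services client)
rem All object names below are made up for this example.
setlocal
set POLICY=TS Require IPSec
set FLIST=TS inbound 3389
set FACTION=TS negotiate security

if /i "%~1"=="server" goto server
if /i "%~1"=="client" goto client
echo Usage: %~nx0 server^|client
exit /b 1

:server
rem Filter list matching Terminal Services packets: any source to this host, TCP 3389.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes
rem Filter action that negotiates security and does not fall back to clear text.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
rem Policy with one rule tying the filter list to the action, Kerberos authentication.
netsh ipsec static add policy name="%POLICY%" assign=no
netsh ipsec static add rule name="TS rule" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes
netsh ipsec static set policy name="%POLICY%" assign=y
goto show

:client
rem Built-in respond-only policy: the client secures traffic only when the server asks.
netsh ipsec static set policy name="Client (Respond Only)" assign=y
goto show

:show
rem Only one policy can be assigned in a given store at a time, so assigning a
rem second policy on the same machine flips the first one back to "Assigned: NO".
netsh ipsec static show policy all
endlocal
```

Running the `server` branch and then the `client` branch on the same machine reproduces the "Policy Assigned: NO" behaviour from the original question, which is why the two policies are applied to different computers (or different OUs).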
