IPSec on Domain Controllers and Trusted Domains

Posted by OneLogicalMyth on Server Fault See other posts from Server Fault or by OneLogicalMyth
Published on 2014-03-14T16:19:45Z Indexed on 2014/08/23 22:24 UTC
Read the original article Hit count: 262

Filed under:

ipsec

|

windows-server-2012-r2

I am looking at configuring IPSec as follows:

Isolation
Request authentication for inbound and outbound connections
Computer and user (Kerberos V5)

I am looking to do a blanket deployment across all servers and domain controllers. Workstations I will leave as not set.

What impact in terms of the domain controllers with the 2-way forest trust do think I would see?

Should I exclude the IP addresses of the trusted domain controllers?

I don't want to stop communication between the current and trusted forest, however I do want IPsec to be used within the current forest on all servers.

The trusted forest is running 2008 R2 and the current forest is 2012 R2.

© Server Fault or respective owner

Related posts about ipsec

Ipsec reload fails to load ipsec.conf Strongswan 5.0

as seen on Server Fault - Search for 'Server Fault'
I am having trouble configuring a connection to an Android device using a fedora 17 linux machine and strongSwanv5.0.1dr2. I have made some progress but when I try adding the configuration to support xauth authentication I receive an error when I try to reload the configuration file. I get a similar… >>> More
Specify IPSEC port range using ipsec-tools

as seen on Server Fault - Search for 'Server Fault'
Is it possible to require IPSEC on a port range ? I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections. My SPD rules would look like: spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none; spdadd 0.0.0.0/0 0.0.0.0/0[443]… >>> More
Connecting debian and windows via IPsec VPN with Racoon and ipsec-tools

as seen on Server Fault - Search for 'Server Fault'
I've some trouble with the IPsec configuration on my debian server (6 squeeze). This server should connect via IPsec VPN to an windows server, which is protected by an firewall. I've used racoon and ipsec-tools and this tutorial http://wiki.debian.org/IPsec. However, I am not quite sure, if this… >>> More
ASA hairpining: I basicaly want to allow 2 spokes to be able to communicate with each other.

as seen on Server Fault - Search for 'Server Fault'
ASA Spoke to Spoke Communication I have been looking at spke to spoke comms or "hairpining" for months and have posted on numerouse forums but to no avail. I have a Hub and spoke network where the HUB is an ASA Firewall version 8.2 * I basicaly want to allow 2 spokes to be able to communicate with… >>> More
Can't get the L2TP IPSEC up and running

as seen on Server Fault - Search for 'Server Fault'
i have an Ubuntu 11.10 (oneiric) server running on a ReadyNAS. Im planning to use this to accept ipsec+l2tp connections through a router. However, the connection is failing somewhere half through. Using Openswan IPsec U2.6.28/K3.0.0-12-generic and trying to connect with an iOS 5 iPhone 4S. This is… >>> More

Related posts about windows-server-2012-r2

Windows Azure: Announcing Support for Windows Server 2012 R2 + Some Nice Price Cuts

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Today we released some great updates to Windows Azure: Virtual Machines: Support for Windows Server 2012 R2 Cloud Services: Support for Windows Server 2012 R2 and .NET 4.5.1 Windows Azure Pack: Use Windows Azure features on-premises using Windows Server 2012 R2 Price Cuts: Up to 22%… >>> More
Windows Server 2012 R2 application installation slowness

as seen on Server Fault - Search for 'Server Fault'
Good afternoon, Windows Server 2012 R2 as host fully up to date Windows Server 2012 R2 as guest fully up to date Whether I am running it as a host or guest, whenever I am installing an application that should take a couple minutes it always ends up 3x-5x longer than it should. If I take the same… >>> More
Enabling AES 256 GCM on Windows Server 2012 R2

as seen on Server Fault - Search for 'Server Fault'
I'd like to enable the use of the AES 256 GCM encryption instead of the AES 256 CBC. We already have ECC certificates based on ECDSA so that pre-requisite has been fullfilled. The certificate has a SHA-256 signature and uses a 256-bit ECC keyset. The ciphersuite I'd like to use: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 This… >>> More
Can't upgrade Windows Server 2012 Essentials to Windows Server 2012 R2 Essentials

as seen on Server Fault - Search for 'Server Fault'
So today was RTM of Windows Server 2012 R2 Essentials released. I immediately tried to do an in-place upgrade of an existing RTM 2012 Essentials to RTM 2012 R2 Essentials, but get: Windows Server 2012 Essentials cannot be upgraded to Windows Server 2012 R2 Essentials. You can choose to install… >>> More
Setting up Group Managed Service Account on Windows Server 2012 R2

as seen on Server Fault - Search for 'Server Fault'
I have a Windows 2012 R2 domain controller called cox.win.testlab. I have set up a group of hosts where I would like to use a gMSA (Group Managed Service Account). This group is called SQLManagedHosts. I created the account by following these steps in Powershell on the domain controller: PS C:\Windows\system32>… >>> More