{"id":137,"date":"2011-06-07T12:46:08","date_gmt":"2011-06-07T16:46:08","guid":{"rendered":"http:\/\/digitallibraryworld.com\/?p=137"},"modified":"2011-11-03T11:17:43","modified_gmt":"2011-11-03T15:17:43","slug":"securing-traffic-between-2-or-more-servers-domain-isolation-using-ipsec-without-using-domain-group-policy","status":"publish","type":"post","link":"https:\/\/heisbudi.com\/?p=137","title":{"rendered":"Securing Traffic between 2 or more servers (Domain Isolation) using IPSec without domain group policy"},"content":{"rendered":"<p>I was researching for a colleague of mine whether there is any documentation out there on securing 2 or more computers with IPSec (IP Security). Surprisingly, there isn&#8217;t any easy one. Those that are out there require you to configure Group Policy at the domain level and on the domain controller (from what I found). What if you are neither a Domain Admin nor a GP Admin? Some forums even suggested that IPSec without Group Policy isn&#8217;t possible. That is only half true: a domain-wide deployment needs Group Policy, but the same policy can be configured locally on each computer without touching domain policy. If you are implementing IPSec on a large scale, of course, domain Group Policy would be the way to do it.<\/p>\n<p>If you are not familiar with IPSec, <a title=\"The IPSec process\" href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc776080(WS.10).aspx\" target=\"_blank\">this article<\/a> from TechNet is probably the best one I can find.<\/p>\n<p>So, just like the title of my blog, I&#8217;ll try to post things I can&#8217;t find by Googling. Not only will I spell out the solution, I will explain what each step does so that you are not just clicking through dialog boxes. <strong>Bold <\/strong>fonts in a sentence indicate an action you need to perform. 
<em>Italic <\/em>fonts indicate labels.<\/p>\n<p><strong>Goal:<\/strong><\/p>\n<figure id=\"attachment_158\" aria-describedby=\"caption-attachment-158\" style=\"width: 297px\" class=\"wp-caption alignright\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/IPSec-without-Group-Policy1.png\"><img loading=\"lazy\" class=\"size-medium wp-image-158 \" title=\"IPSec without Domain Group Policy\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/IPSec-without-Group-Policy1-297x300.png\" alt=\"IPSec without Group Policy\" width=\"297\" height=\"300\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/IPSec-without-Group-Policy1-297x300.png 297w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/IPSec-without-Group-Policy1.png 583w\" sizes=\"(max-width: 297px) 100vw, 297px\" \/><\/a><figcaption id=\"caption-attachment-158\" class=\"wp-caption-text\">IPSec without Domain Group Policy<\/figcaption><\/figure>\n<p>You have a central server (web server, file server, database, etc.) in your company, and a small number of workstations accessing it (as pictured on the right). 
Let&#8217;s say you have 3 workstations, and you&#8217;d like to accomplish the following:<\/p>\n<ul>\n<li>The traffic between the server and the 3 stations needs to be secured.<\/li>\n<li>ONLY those 3 stations are able to access the server; all other stations are not permitted.<\/li>\n<li>In addition to limiting access to specific stations, you&#8217;d also like to limit access to ONLY specific users.<\/li>\n<li>If domain user 1 uses computer W to access the protected server, the traffic will be denied because computer W is not on the &#8216;allowed computers list&#8217;.<\/li>\n<li>If domain user 4 uses computer X, Y or Z to access the protected server, the traffic will be denied because domain user 4 is not on the &#8216;allowed users list&#8217;.<\/li>\n<li>Domain user 2 can use computer X, Y, or Z to access the protected server.<\/li>\n<li>Computers X, Y and Z can still be used to communicate with other servers as usual (browsing and normal business tasks keep working). This is optional; see step IV.17 below.<\/li>\n<\/ul>\n<p>If you are planning to deploy this solution to hundreds of computers, of course Group Policy will make your life easier.<\/p>\n<p><strong>Short Solution and its shortcomings:<!--more--><br \/>\n<\/strong><\/p>\n<p>If it&#8217;s a web server, slap an SSL certificate on it and restrict the web port to allow only certain IPs. That will secure traffic between the workstations and the server. Shortcomings:<\/p>\n<ul>\n<li>Need to buy an SSL certificate<\/li>\n<li>Need static IPs on all workstations. Complicated to keep track of when you replace hardware<\/li>\n<li>Can&#8217;t really restrict based on users<\/li>\n<\/ul>\n<p><strong>Long, complicated Solution, and its benefits<\/strong><\/p>\n<p>It&#8217;s long and complicated, but I&#8217;ll try to spell it out here with screenshots and explanation. Basically, you need to implement IPSec in Windows Firewall. 
Benefits are:<\/p>\n<ul>\n<li>Don&#8217;t need to buy an SSL certificate. IPSec authenticates and encrypts at the network layer (layer 3), below the application, so it can protect any TCP or UDP service you put in the filter, not only HTTP.<\/li>\n<li>Don&#8217;t need to maintain static IPs on workstations<\/li>\n<li>Can restrict based on users<\/li>\n<li>Seamless to users. As long as users log in to their computers with their domain username and password, they will not be prompted for credentials. They won&#8217;t even know that the traffic is secured (it&#8217;s your job to tell them that it is secured with IPSec).<\/li>\n<\/ul>\n<p><strong>Requirements\/assumptions<\/strong><\/p>\n<p>There are a lot of variables in this setup. I definitely can not list and explain every possible OS scenario, so I&#8217;m going to pick the simplest one. This is what you need:<\/p>\n<ul>\n<li>Computers\/workstations and a server obviously (duuuh!)<\/li>\n<li>You are in a domain environment that you or your users can log in to. You <span style=\"text-decoration: underline;\">don&#8217;t <\/span>need to be a Group Policy admin or Domain admin.<\/li>\n<li>Workstations running Windows 7<\/li>\n<li>Server running Windows 2008 R2 with a static IP<\/li>\n<li>Both workstations and server are joined to the domain<\/li>\n<li>Users log in to their stations using a domain account. This is required only if you are restricting access to BOTH computers and users<\/li>\n<li>Windows Firewall is enabled on the workstations and the server<\/li>\n<\/ul>\n<p>Enough explanation. Let&#8217;s get down to it.<\/p>\n<h1><strong>I. \u00a0Configure your Server Security Policy<\/strong><\/h1>\n<p>1. Launch the Local Security Policy MMC by <strong>typing secpol.msc<\/strong> from the start menu. Make sure your server is joined to your company&#8217;s domain. An IPSec policy holds one or more rules; each rule pairs an IP filter list (which traffic in or out of the server it applies to) with a filter action (what to do with that traffic: permit, block, or negotiate security).<\/p>\n<p>2. 
<strong>Right Click on <em>IP Security Policies on Local Computer<\/em><\/strong><strong>, <\/strong>and <strong>click <em>Create IP Security Policy<\/em><\/strong>, then click <strong>Next <\/strong>on the initial wizard screen.<\/p>\n<p>3. <strong>Name and describe<\/strong> your Policy. I usually name mine based on what project I&#8217;m securing. Let&#8217;s say the super secret I&#8217;m protecting is called: <em>Salary History Data Policy. <\/em>Description: <em>To secure salary data only to person 1, person 2 and person 3, using computer 1, computer 2 and computer 3. <\/em><strong>Next. <\/strong><span style=\"text-decoration: underline;\">Please note that I&#8217;m not actually storing anyone&#8217;s salary. This is merely an example. <\/span><\/p>\n<p>4. On the <em>Request for secure communication <\/em>window, I will leave the checkbox (<em>Activate the default response rule<\/em>) <strong>unchecked<\/strong>; it would only make the server answer IPSec requests for traffic that none of our own rules covers. <strong>Next<\/strong><\/p>\n<p>5. Leave <em>Edit properties <\/em><strong>checked. Finish<\/strong><\/p>\n<p>6. You&#8217;ll be prompted with the properties window of the policy you just created. Click <strong>Add <\/strong>to add a new security rule and click <strong>Next <\/strong> on the welcome screen<\/p>\n<figure id=\"attachment_140\" aria-describedby=\"caption-attachment-140\" style=\"width: 300px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/ipsec11.png\"><img loading=\"lazy\" class=\"size-medium wp-image-140 \" title=\"New IPSec Rule\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/ipsec11-300x193.png\" alt=\"New IPSec Rule\" width=\"300\" height=\"193\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/ipsec11-300x193.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/ipsec11.png 401w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-140\" class=\"wp-caption-text\">New IPSec Rule<\/figcaption><\/figure>\n<p>7. 
We won&#8217;t be using a tunnel endpoint because the server and the workstations are in the same network. Choose <em><strong>This rule does not specify a tunnel<\/strong><\/em><strong>.\u00a0Next<\/strong><\/p>\n<p>8. On the <em>Network Type <\/em>window, you can choose to apply this policy to several network types. In this scenario, <em>All network connections<\/em> and <em>Local area network (LAN)<\/em> will yield the same result. I&#8217;ll go ahead and pick <em><strong>All Network Connections<\/strong>. <\/em><strong>Next<\/strong><\/p>\n<p>9. You are now on the\u00a0<em>IP Filter List<\/em> window. This specifies the source and destination IPs (plus protocol and ports) that this rule will be enforced on. Click <strong>Add<\/strong> to add a new filter list. Give it a name. I&#8217;ll name mine <em>Super Secret Employees Salary IP Filter List. <\/em>Click <strong>Add<\/strong> again<\/p>\n<figure id=\"attachment_141\" aria-describedby=\"caption-attachment-141\" style=\"width: 300px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Adding-IP-Filter-List.png\"><img loading=\"lazy\" class=\"size-medium wp-image-141 \" title=\"Adding IP Filter List\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Adding-IP-Filter-List-300x191.png\" alt=\"Adding IP Filter List\" width=\"300\" height=\"191\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Adding-IP-Filter-List-300x191.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Adding-IP-Filter-List.png 476w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-141\" class=\"wp-caption-text\">Adding IP Filter List<\/figcaption><\/figure>\n<p>10. Getting tired of all those dialog boxes? Don&#8217;t worry, we still have a long way to go (well, in that case, DO worry then).<\/p>\n<p>11. Click <strong>Next. 
<\/strong>You&#8217;ll be prompted for a description. You can skip this, but be kind to your brain and provide one. I&#8217;m sure you are not going to remember any of this a year from now :). Leave the <em>Mirrored <\/em>option\u00a0<strong>checked<\/strong>; it makes the filter match the reply traffic (server back to workstation) as well.<\/p>\n<p>12. Leave the <em>Source Address <\/em>at <em>Any IP Address <\/em> and click <strong>Next<\/strong><em>. <\/em>You might ask &#8220;Are you crazy?? I thought we were restricting access to only a specific set of workstations?&#8221; We&#8217;ll cover that part later using Kerberos authentication. I promise. You won&#8217;t have to worry about workstation IPs.<\/p>\n<p>13. Change the destination address to <strong>My IP Address<\/strong><em>. <\/em>Click <strong>Next.<\/strong><\/p>\n<p>14. On <em>protocol type<\/em>, select the protocol you&#8217;d like this rule to be enforced on. If you are protecting a web, file or database server, it most likely uses <strong>TCP<\/strong>. Click <strong>Next.<\/strong><\/p>\n<p>15. In this example, I will be protecting a web server. So, I will choose to enforce this rule for TCP traffic coming<strong> from ANY\u00a0port<\/strong>, going <strong>to port<\/strong> <strong>80<\/strong> on this server. 
Click <strong>Next, <\/strong>and\u00a0<strong>Finish<\/strong><\/p>\n<figure id=\"attachment_143\" aria-describedby=\"caption-attachment-143\" style=\"width: 300px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/IPSec-Ports.png\"><img loading=\"lazy\" class=\"size-medium wp-image-143 \" title=\"IPSec Ports\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/IPSec-Ports-300x191.png\" alt=\"IPSec Ports\" width=\"300\" height=\"191\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/IPSec-Ports-300x191.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/IPSec-Ports.png 476w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-143\" class=\"wp-caption-text\">IPSec Ports<\/figcaption><\/figure>\n<p>16. You are back at the <em>IP Filter List<\/em> window from step 9 above. Click <strong>OK.<\/strong><\/p>\n<p>17. <strong>Select <\/strong>the filter list you just created and click <strong>Next<\/strong><\/p>\n<figure id=\"attachment_145\" aria-describedby=\"caption-attachment-145\" style=\"width: 300px\" class=\"wp-caption alignnone\"><strong><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/IPSec-Filter-List.png\"><img loading=\"lazy\" class=\"size-medium wp-image-145 \" title=\"IPSec Filter List\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/IPSec-Filter-List-300x174.png\" alt=\"IPSec Filter List\" width=\"300\" height=\"174\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/IPSec-Filter-List-300x174.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/IPSec-Filter-List.png 476w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/strong><figcaption id=\"caption-attachment-145\" class=\"wp-caption-text\">IPSec Filter List<\/figcaption><\/figure>\n<p>18. 
Now that you have specified a filter (IP, protocol and port), what should the server do when traffic that matches the filter arrives (permit it, block it, or negotiate security for it)? This is where the <em>Filter Action <\/em>comes in. You can also think of it as &#8220;In order for other computers to access this server, their IP traffic has to be&#8230; (the requirements you will specify next)&#8221;. On the <em>Filter Action <\/em> window, click <strong>Add. <\/strong>Make sure <em>Use Add Wizard<\/em> is <strong>selected<\/strong>. Click <strong>Next <\/strong>on the <em>Filter Action Wizard <\/em>welcome screen.<\/p>\n<p>19. I&#8217;ll name my action <strong>Super Secret Employee Salary Filter <\/strong><strong>Action<\/strong><em>. <\/em>I&#8217;m getting tired of typing descriptions. I&#8217;m leaving it blank. Click <strong>Next.<\/strong><\/p>\n<p>20. On the <em>Filter Action General Options <\/em>window, pick <strong>Negotiate security<\/strong>. <strong>Next.<\/strong><\/p>\n<p>21. Click <strong>Do not allow unsecured communication. Next<\/strong>. This is the setting that actually locks the port: with it, a peer that cannot negotiate IPSec is dropped instead of being let through in clear text.<\/p>\n<p>22. Click <strong>Integrity and encryption <\/strong>to get both authentication and encryption. <strong>Next, Finish<\/strong>. The wizard picks the default security methods for this action; check them afterwards on the action&#8217;s properties (<em>Security Methods<\/em> tab) and prefer AES over 3DES wherever every peer supports it.<\/p>\n<p>23. 
Select the filter action you just created and click <strong>Next<\/strong><\/p>\n<figure id=\"attachment_146\" aria-describedby=\"caption-attachment-146\" style=\"width: 300px\" class=\"wp-caption alignnone\"><strong><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/FilterAction.png\"><img loading=\"lazy\" class=\"size-medium wp-image-146 \" title=\"Filter Action\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/FilterAction-300x191.png\" alt=\"Filter Action\" width=\"300\" height=\"191\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/FilterAction-300x191.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/FilterAction.png 476w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/strong><figcaption id=\"caption-attachment-146\" class=\"wp-caption-text\">Filter Action<\/figcaption><\/figure>\n<p>24. Pick <strong>Active Directory default (Kerberos V5 protocol). <\/strong>In order for this to work, your server needs to be joined to the domain. You can use a certificate or a preshared key (not recommended: the key is stored in plain text in the local policy and is shared by every peer) too, but I will cover only using AD for authentication. You don&#8217;t need to be a domain admin. <strong>Next, Finish<\/strong><\/p>\n<p>25. Click\u00a0<strong>OK <\/strong>to close the dialog box. At this point you have created a security policy, BUT you haven&#8217;t enabled it yet.<\/p>\n<p>26. To enable\/use this policy, you need to\u00a0<strong>Assign<\/strong> it. 
Right click on the policy and click <strong>Assign<\/strong><\/p>\n<figure id=\"attachment_147\" aria-describedby=\"caption-attachment-147\" style=\"width: 300px\" class=\"wp-caption alignnone\"><strong><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Assign-IPSec-Policy.png\"><img loading=\"lazy\" class=\"size-medium wp-image-147 \" title=\"Assign IPSec Policy\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Assign-IPSec-Policy-300x71.png\" alt=\"Assign IPSec Policy\" width=\"300\" height=\"71\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Assign-IPSec-Policy-300x71.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Assign-IPSec-Policy.png 603w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/strong><figcaption id=\"caption-attachment-147\" class=\"wp-caption-text\">Assign IPSec Policy<\/figcaption><\/figure>\n<p>At this point you have created and enabled this policy. It&#8217;s time to do some testing!!<\/p>\n<p>I&#8217;m enforcing this policy on web traffic (TCP port 80). Assuming that my server is called <em>protectedserver<\/em>, with an IP of <em>192.168.1.200<\/em>, and my company domain is called <em>mycompany.com<\/em>, with this policy assigned I should NOT be able to reach <em>http:\/\/protectedserver.mycompany.com<\/em> or <em>http:\/\/192.168.1.200<\/em> from any other computer (they have no matching IPSec policy yet, so the negotiation never happens and the traffic is dropped). However, I can still launch a browser on <em>protectedserver<\/em> itself and navigate to <em>http:\/\/protectedserver.mycompany.com<\/em> or\u00a0<em>http:\/\/192.168.1.200<\/em>. This is okay: loopback traffic is exempt from the policy. If you <em>Un-assign <\/em>the policy by right clicking it and clicking <em>Un-assign<\/em>, the http traffic should work again.<\/p>\n<p>This means you have successfully restricted connections to the server. Test it for your own protocol, of course. 
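<\/p>\n<p>Steps 1 to 26 above, as an added example that is not part of the original post: the same policy, filter list, filter action and rule created with <em>netsh ipsec static<\/em>, the command-line face of the IP Security Policies snap-in on Windows 7 and Server 2008 R2. The object names, the TCP port 80 and the export file name are assumptions of the example. Run it in an elevated PowerShell on the server.<\/p>\n
```powershell
# Added example, not code from the original post. Section I as a script:
# netsh ipsec static edits the same local IPSec policy store as secpol.msc.
# Run from an elevated PowerShell on the server (Windows 7 or Server 2008 R2).
# All names below are assumptions for the example; pick your own.

$policy = 'Salary History Data Policy'
$list   = 'Super Secret Employees Salary IP Filter List'
$action = 'Super Secret Employee Salary Filter Action'
$rule   = 'Salary History Data Rule'
$port   = 80    # assumption: the protected service is a web server on TCP 80

# Steps 3-4: create the policy; the default response rule stays off, so the
# server only negotiates for traffic that one of OUR rules matches.
netsh ipsec static add policy name=$policy activatedefaultrule=no

# Steps 9-15: a filter list with one mirrored filter: any source address and
# port, to this machine (me) on TCP $port. srcport=0 means any port.
netsh ipsec static add filterlist name=$list
netsh ipsec static add filter filterlist=$list srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=$port mirrored=yes

# Steps 18-22: negotiate security and never fall back to clear text.
#   inpass=no  do not accept unsecured inbound packets
#   soft=no    the 'Do not allow unsecured communication' choice
# qmsecmethods is left at the default set; review it afterwards with
# 'show filteraction' or in secpol.msc and prefer AES where all peers support it.
netsh ipsec static add filteraction name=$action action=negotiate inpass=no soft=no

# Step 24: the rule ties list and action together, authenticates with Kerberos
# (Active Directory default), uses no tunnel and applies to all connection types.
netsh ipsec static add rule name=$rule policy=$policy filterlist=$list filteraction=$action kerberos=yes conntype=all

# Step 26: assign the policy (this is the moment it takes effect) and check.
netsh ipsec static set policy name=$policy assign=yes
netsh ipsec static show policy name=$policy level=verbose

# For section IV: export the local policy store so it can be imported elsewhere.
netsh ipsec static exportpolicy file=salary-policy.ipsec
```
\n<p>Everything before <em>set policy ... assign=yes<\/em> only writes objects into the local policy store; assigning is the step that changes what the server accepts, which is why the script shows the policy again right after. The export at the end produces the file that section IV copies to the workstations.<\/p>\n<p>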
If you are restricting file shares, test that they still work from the server and fail from an unprepared workstation after you assign the policy.<\/p>\n<p>You are half way there. IPSec works together with Windows Firewall, so the next step is to configure Windows Firewall.<\/p>\n<h1><strong>II. Configure your Server Advanced Firewall Rules<\/strong><\/h1>\n<p>You need to create a connection security rule in your firewall. &#8220;What does it do? Clean my car? It&#8217;s been too many steps&#8221;, one might ask (or complain). This is where you request IPSec authentication based on criteria such as users, computers or both. The rule governs WHEN to request authentication and HOW it&#8217;s done (it&#8217;ll be clearer below). It doesn&#8217;t restrict which users or computers are allowed. You configure that separately, which I will also explain.<\/p>\n<p>1. Launch <strong>Windows Firewall with Advanced Security<\/strong><\/p>\n<p>2. Right click on <strong>Connection Security Rules<\/strong> and click <strong>New Rule<\/strong><\/p>\n<figure id=\"attachment_148\" aria-describedby=\"caption-attachment-148\" style=\"width: 270px\" class=\"wp-caption alignnone\"><strong><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Firewall-Security-Rule.png\"><img loading=\"lazy\" class=\"size-full wp-image-148 \" title=\"Firewall Security Rule\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Firewall-Security-Rule.png\" alt=\"Firewall Security Rule\" width=\"270\" height=\"130\" \/><\/a><\/strong><figcaption id=\"caption-attachment-148\" class=\"wp-caption-text\">Firewall Security Rule<\/figcaption><\/figure>\n<p>3. Select <strong>Custom, Next<\/strong><\/p>\n<p>4. <strong>Add <\/strong>the IP address of the server you are protecting to\u00a0<em>Endpoint 2<\/em>. In my case, I&#8217;m adding <em>192.168.1.200 <\/em>to <em>Endpoint 2. <\/em><strong>Next<\/strong><\/p>\n<p><em>5. <\/em><strong>Pick<\/strong> <strong>Require authentication for inbound and outbound connections. 
<\/strong>This is the WHEN part I explained above. The verb\u00a0<em>Request <\/em>means it&#8217;s not required: authentication will be requested, but clear text is still accepted if the peer can&#8217;t authenticate. <em>Require<\/em> is what we want. Click <strong>Next<\/strong>.<\/p>\n<p>6. This is the HOW part I explained above. You can choose to authenticate based on <em>Computers<\/em> (any user can access my web server as long as they use a computer I specified in my policy), <em>Users<\/em> (only specific users can access my server regardless of which computer they use; this option is not offered on this screen, I will explain more below), or <em>Computer and User<\/em> (only specific computers used by users I specify are allowed to access my server). I&#8217;ll go ahead and <strong>Pick <\/strong><strong>Computer and user (Kerberos V5).<span style=\"text-decoration: underline;\"> <\/span><\/strong><span style=\"text-decoration: underline;\">Any user you specify can use any computer you specify to access your server<\/span>. Click <strong>Next<\/strong><\/p>\n<p>7. <strong>Specify <\/strong>a protocol type and port. In my case, I&#8217;m using <strong>TCP <\/strong>because I&#8217;m serving http over port 80. Select <strong>All ports <\/strong>for <em>Endpoint 1<\/em>, and <strong>Port 80 <\/strong>for <em>Endpoint 2. <\/em>Click <strong>Next<\/strong><\/p>\n<p>8. You&#8217;ll have the option to apply it only to specific network profiles. We need to enable this rule on at least the Domain profile. You can apply it to all profiles (<strong>domain, private and public<\/strong>). Click <strong>Next<\/strong><\/p>\n<p>9. Name it again. I name mine <strong>Super Secret Employees Salary Firewall Connection Rule<\/strong>. Click <strong>Finish<\/strong><\/p>\n<p>You are almost done. Remember how I told you that you can choose to allow only certain users, regardless of what computer they use? You can do this by changing the properties of this <em>Connection Security Rule. 
<\/em>Now, your screen should look like the screenshot below. Make sure the <em>Enabled <\/em>column says <em>Yes<\/em>:<\/p>\n<figure id=\"attachment_151\" aria-describedby=\"caption-attachment-151\" style=\"width: 300px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Connection-Security-Rule.png\"><img loading=\"lazy\" class=\"size-medium wp-image-151  \" title=\"Connection Security Rule\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Connection-Security-Rule-300x30.png\" alt=\"Connection Security Rule\" width=\"300\" height=\"30\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Connection-Security-Rule-300x30.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Connection-Security-Rule.png 815w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-151\" class=\"wp-caption-text\">Connection Security Rule<\/figcaption><\/figure>\n<p>The red-dotted column indicates that you are authenticating your users using BOTH their username and computer. If you want to change this, <strong>right click <\/strong>on the connection rule you just created, click <strong>Properties, <\/strong>and click on the <strong>Authentication <\/strong>tab. You can change the authentication method to authenticate by <strong>User<\/strong> only. The <strong>User<\/strong> option is not available on the wizard screen in step II.6 above. For the rest of this article, I&#8217;ll be using the <strong>Computer and User<\/strong> authentication method.<\/p>\n<p>At this point you have done the HOW and WHEN parts of authentication. Now you need to configure WHO or WHAT you are allowing to access this server. You will again be using <em>Windows Firewall with Advanced Security<\/em><strong>. <\/strong>It&#8217;s so much easier now that IPSec is integrated with the firewall.<\/p>\n<h1><strong>III. Restricting server access using Windows Firewall <\/strong><\/h1>\n<p>1. 
Launch <strong>Windows Firewall with Advanced Security <\/strong>on the server you are protecting<\/p>\n<p>2. Click <strong>Inbound Rules<\/strong><\/p>\n<p>3. If the port you are securing is not listed under the <em>Local Port <\/em>column, do the following. If it is, skip this step and continue to step 4.<\/p>\n<p style=\"padding-left: 30px;\">3.1 Click <strong>New Rule<\/strong><\/p>\n<figure id=\"attachment_152\" aria-describedby=\"caption-attachment-152\" style=\"width: 293px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/New-Firewall-Rule.png\"><img loading=\"lazy\" class=\"size-full wp-image-152 \" title=\"New Firewall Rule\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/New-Firewall-Rule.png\" alt=\"New Firewall Rule\" width=\"293\" height=\"93\" \/><\/a><figcaption id=\"caption-attachment-152\" class=\"wp-caption-text\">New Firewall Rule<\/figcaption><\/figure>\n<p style=\"padding-left: 30px;\">3.2 Select <strong>Port, Next<\/strong><\/p>\n<p style=\"padding-left: 30px;\">3.3<strong> <\/strong>Pick a protocol (e.g. <strong>TCP<\/strong>), and specify the incoming\u00a0<strong>port number<\/strong> you are trying to secure. In this article I&#8217;m securing port <strong>80<\/strong>. <strong>Next<\/strong><\/p>\n<p style=\"padding-left: 30px;\">3.4 Click <strong>Allow the connection if it is secure, <\/strong>and click <strong>Customize. <\/strong><\/p>\n<p style=\"padding-left: 30px;\">3.5<strong> <\/strong>If all you need is to make sure that network packets are authenticated and not modified between the 2 points (NO encryption), pick\u00a0<strong>Allow the connection if it is authenticated and integrity-protected<\/strong>. If you need encryption on top of authentication and integrity protection between the 2 points, pick\u00a0<strong>Require the connections to be encrypted. 
<\/strong>Click <strong>OK <\/strong>and <strong>Next.<\/strong><\/p>\n<p style=\"padding-left: 30px;\">3.6 If you are using the <strong>Computer and User<\/strong> or the <strong>User <\/strong>authentication method, <strong>check Only allow connections from these users<\/strong>, and click <strong>Add<\/strong>. Add the <span style=\"text-decoration: underline;\">DOMAIN <\/span>users you want to allow to access this server. You can NOT use local users. It HAS TO BE domain users (the list is matched against the Kerberos user identity from the connection security rule, and local accounts have none). Specify any exceptions if necessary. If you are authenticating using <em>Computer <\/em>only, you can skip this part, and click <strong>Next<\/strong><\/p>\n<p style=\"padding-left: 30px;\">3.7 If you are using the\u00a0<strong>Computer and User<\/strong> or the\u00a0<strong>Computer <\/strong>authentication method,\u00a0<strong>check Only allow connections from these computers<\/strong>, and click<strong> Add<\/strong>. Add the\u00a0<span style=\"text-decoration: underline;\">DOMAIN<\/span> computers\u00a0you want to allow to access this server. The computers need to be joined to the domain before you do this. You do not need a DNS entry for these computers. If you joined all the computers to the domain, you should be able to just type the computer names here, separated by semicolons. Specify any exceptions if necessary. If you are authenticating using <em>User <\/em>only, you can skip this part, and click\u00a0<strong>Next<\/strong><\/p>\n<p style=\"padding-left: 30px;\">3.8 Apply this rule to at least the <strong>Domain <\/strong>profile. I usually apply it to <strong>all Profiles<\/strong>. Click <strong>Next<\/strong><\/p>\n<p style=\"padding-left: 30px;\">3.9<strong> <\/strong>Name your Inbound Rule. I named mine <strong>Super Secret Employee Salary Incoming Traffic<\/strong>. Click <strong>Finish<\/strong>. Make sure the incoming rule you created appears in the <em>Inbound Rules <\/em>list, and make sure it is <em>Enabled. <\/em>Do NOT continue to step 4; that is only for the case where a rule for the port already existed. 
You are done configuring your server.<\/p>\n<p>4. Locate the entries where the local port matches the port you are trying to secure. In my case my existing entry is called <em>World Wide Web Services (HTTP Traffic-In)<\/em><\/p>\n<p>4.1\u00a0<strong>Right Click <\/strong>the entry and click <strong>Properties<\/strong>.<\/p>\n<p>4.2<strong> <\/strong>Under the <em>General <\/em>tab, <strong>select Allow the connection if it is secure<\/strong>, and click <strong>Customize<\/strong><\/p>\n<p>4.3<strong> <\/strong>If all you need is to make sure that network packets are authenticated and not modified between the 2 points (NO encryption), pick <strong>Allow the connection if it is authenticated and integrity-protected. <\/strong>If you need encryption on top of authentication and integrity protection between the 2 points, pick <strong>Require the connections to be encrypted.<\/strong><strong> <\/strong>Click\u00a0<strong>OK.<\/strong><\/p>\n<p>4.4 If you are using the <em>Computer and User <\/em>authentication method, go to both the <strong>Computers <\/strong>and <strong>Users <\/strong>tabs and <strong>add <\/strong>the computers and users you&#8217;d like to allow to access this server. Users need to be domain users. They can <span style=\"text-decoration: underline;\">NOT <\/span>be local users. <span style=\"text-decoration: underline;\">Computers need to be joined to the domain before being added to the <em>Computers <\/em>tab<\/span>. You do <span style=\"text-decoration: underline;\">NOT <\/span>need to add a DNS entry manually for these computers. You can add exceptions on both tabs. If you are authenticating users only, you can leave <em>Authorized Computers<\/em> on the <em>Computers <\/em>tab blank. The same applies to <em>Authorized Users <\/em>on the\u00a0<em>Users <\/em>tab. 
Click <strong>OK <\/strong>after you are done configuring.<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n<p>Your inbound rule should now be enabled and look like this (note the lock, indicating that it is secured):<\/p>\n<figure id=\"attachment_153\" aria-describedby=\"caption-attachment-153\" style=\"width: 300px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Configured-Inbound-Firewall-Rule.png\"><img loading=\"lazy\" class=\"size-medium wp-image-153 \" title=\"Configured Inbound Firewall Rule\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Configured-Inbound-Firewall-Rule-300x41.png\" alt=\"Configured Inbound Firewall Rule\" width=\"300\" height=\"41\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Configured-Inbound-Firewall-Rule-300x41.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Configured-Inbound-Firewall-Rule.png 613w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-153\" class=\"wp-caption-text\">Configured Inbound Firewall Rule<\/figcaption><\/figure>\n<p>You are now done configuring the hard part, your server. Now you need to configure your clients (the workstations that need to access your server) so that they can talk securely with your server using IPSec.<\/p>\n<h1>IV. Configuring workstation\/desktop computers<\/h1>\n<p>Go ahead and try accessing the protected server from a workstation now. In my case, I&#8217;m going to launch my web browser and browse to http:\/\/192.168.1.200. You should NOT be able to reach the server: the workstation has no IPSec configuration yet, so it can&#8217;t authenticate, and the server no longer accepts unauthenticated traffic on that port. If you can still reach it, a step above was missed. 
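<\/p>\n<p>Sections II and III above as a script, added here as an example that is not part of the original post. It creates the connection security rule (WHEN and HOW) and the secure inbound rule with its authorized users and computers (WHO) using <em>netsh advfirewall<\/em>, the command line behind Windows Firewall with Advanced Security on Windows 7 and Server 2008 R2. The domain name MYCOMPANY, the server address 192.168.1.200, the user and workstation names and the helper function names are assumptions of the example. Run it in an elevated PowerShell on the server.<\/p>\n
```powershell
# Added example, not code from the original post. Sections II and III as a
# script, run from an elevated PowerShell on the protected server.
# Assumptions for the example: domain MYCOMPANY, server 192.168.1.200, TCP 80,
# users user1..user3 and workstations WORKSTATION-X, -Y, -Z (all made up).

$server    = '192.168.1.200'
$port      = 80
$domain    = 'MYCOMPANY'
$users     = 'user1', 'user2', 'user3'
$computers = 'WORKSTATION-X', 'WORKSTATION-Y', 'WORKSTATION-Z'

# Resolve a domain account to its SID through the domain (needs the server to
# be domain-joined, which the article already requires). Computer accounts are
# named NAME$ in Active Directory.
function Get-DomainSid {
    param([string]$Domain, [string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Domain, $Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# The Computers and Users tabs store their lists as an SDDL string of Allow
# ACEs, one per SID, which is what the netsh parameters below expect.
function New-AuthorizedListSddl {
    param([string[]]$Sids)
    $aces = ($Sids | ForEach-Object { '(A;;CC;;;' + $_ + ')' }) -join ''
    return 'O:LSD:' + $aces
}

$userSddl     = New-AuthorizedListSddl ($users | ForEach-Object { Get-DomainSid $domain $_ })
$computerSddl = New-AuthorizedListSddl ($computers | ForEach-Object { Get-DomainSid $domain ($_ + '$') })

# Section II: the connection security rule.
#   WHEN: action=requireinrequireout, for TCP to this server on $port
#   HOW:  auth1=computerkerb plus auth2=userkerb = Computer and user (Kerberos V5)
netsh advfirewall consec add rule name='Salary Firewall Connection Rule' endpoint1=any endpoint2=$server protocol=tcp port1=any port2=$port action=requireinrequireout auth1=computerkerb auth2=userkerb profile=any

# Section III: allow the port only over IPSec and only for the listed identities.
#   security=authenticate  allow if authenticated and integrity-protected
#   security=authenc       require the connection to be encrypted
netsh advfirewall firewall add rule name='Salary Incoming Traffic' dir=in action=allow protocol=tcp localport=$port security=authenc rmtusrgrp=$userSddl rmtcomputergrp=$computerSddl profile=any

# Check: the rule should list the SDDL under RemoteUserAuthorizedList and
# RemoteComputerAuthorizedList, and security associations should appear as
# authorized workstations connect.
netsh advfirewall firewall show rule name='Salary Incoming Traffic' verbose
netsh advfirewall monitor show qmsa
```
\n<p>The Users and Computers tabs store their lists as SDDL strings of SIDs, which is what <em>rmtusrgrp<\/em> and <em>rmtcomputergrp<\/em> take; that is why only domain accounts work (a local account has no Kerberos identity the server could match) and why renaming an account keeps it authorized while deleting and re-creating it does not. If the port already had a rule, as in step III.4, use <em>netsh advfirewall firewall set rule name=... new security=authenc rmtusrgrp=... rmtcomputergrp=...<\/em> on that rule instead of adding a second one.<\/p>\n<p>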
Make sure you did everything above correctly.<\/p>\n<p>You now need to redo steps I.1 to I.26 on every workstation you&#8217;d like to allow to access the protected server&#8230; WAIT!! Don&#8217;t shoot yourself just yet; this can be done much more easily. You still need to do it on ALL workstations you&#8217;d like to allow access to your protected server.<\/p>\n<p>1. Log in to your protected server and launch the <em>Local Security Policy<\/em> MMC by typing <strong>secpol.msc<\/strong> from the start menu<\/p>\n<p>2. <strong>Right-click IP Security Policies on Local Computer<\/strong>, <strong>All Tasks, Export Policies<\/strong>, and <strong>save<\/strong> the file to a location of your choice. Copy this exported file to a workstation that needs to access your secure server.<\/p>\n<p><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Exporting-IPSec-Policy.png\"><img loading=\"lazy\" class=\"size-medium wp-image-154 alignnone\" title=\"Exporting IPSec Policy\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/05\/Exporting-IPSec-Policy-300x145.png\" alt=\"Exporting IPSec Policy\" width=\"300\" height=\"145\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Exporting-IPSec-Policy-300x145.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/05\/Exporting-IPSec-Policy.png 637w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>3. On the workstation, launch the <em>Local Security Policy<\/em> MMC by typing <strong>secpol.msc<\/strong> from the start menu<\/p>\n<p>4. Import the policy you just exported by repeating step 2 above, but choose <strong>Import Policies<\/strong> instead.<\/p>\n<p>5. Enable this policy by <strong>right-clicking<\/strong> it and clicking <strong>Assign<\/strong><\/p>\n<p>6. Configure <em>Connection Security Rules<\/em> in <em>Windows Firewall with Advanced Security<\/em> so that traffic going to your protected server will use IPSec. 
<strong>Repeat steps II.1 to II.9<\/strong> above on all the workstations you&#8217;d like to allow to access the protected server.<\/p>\n<p><strong>7. <\/strong>If you are only setting up authentication and integrity protection (step <strong>III.3.5<\/strong> or step <strong>III.4.3<\/strong> above) WITHOUT encryption, you are done; you can skip step 8 onward. Otherwise, proceed to step 8.<\/p>\n<p>8. Now you need to make sure that network traffic originating from this workstation is encrypted whenever the destination IP address in the packet is the protected server. <strong>Launch Windows Firewall with Advanced Security<\/strong> to do this.<\/p>\n<p>9. <strong>Click Outbound Rules<\/strong> and select <strong>New Rule&#8230;<\/strong><\/p>\n<p>10. <strong>Select Port. Next<\/strong><\/p>\n<p>11. <strong>Select the Protocol<\/strong> and <strong>Port<\/strong> you use to connect to your destination server. I&#8217;m using <strong>TCP<\/strong> and port <strong>80. Next<\/strong><\/p>\n<p>12. <strong>Select Allow the connection if it is secure, and click Customize.<\/strong><\/p>\n<p>13. <strong>Select Require the connections to be encrypted. OK. Next<\/strong><\/p>\n<p>14. <strong>Click Next<\/strong> on the <em>Computers<\/em> window<\/p>\n<p>15. <strong>Apply<\/strong> this rule to at least the <strong>Domain profile<\/strong>. I apply mine to <strong>all profiles. Next<\/strong><\/p>\n<p>16. <strong>Name<\/strong> and <strong>describe<\/strong> this outbound rule<\/p>\n<p>17. This rule should now appear in your <em>Outbound Rules<\/em> list. <strong>Right-click<\/strong> the rule, <strong>click Properties<\/strong>, then <strong>click the Scope<\/strong> tab. Under <em>Remote IP Address<\/em>, <strong>add the IP of the protected server.<\/strong> This is important. 
If you skip this part, the encryption requirement applies to every remote address, so the workstation will only be able to reach the protected server on that port and <span style=\"text-decoration: underline;\">NOTHING ELSE<\/span>.<\/p>\n<p>18. That&#8217;s it. Now log off from your workstation and log back in. If things aren&#8217;t working, try restarting both the server and the workstation; you shouldn&#8217;t need to.<\/p>\n<h1>V. Debugging\/testing the secured connection<\/h1>\n<p>If things go well, you should be able to connect to the protected server using the combination of users and computers you specified in step III above. If you are encrypting traffic, <em>Quick Mode<\/em> (under <em>Monitoring<\/em>, <em>Security Associations<\/em> in <em>Windows Firewall with Advanced Security<\/em>) should look like this:<\/p>\n<figure id=\"attachment_163\" aria-describedby=\"caption-attachment-163\" style=\"width: 300px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-Encrypted.png\"><img loading=\"lazy\" class=\"size-medium wp-image-163\" title=\"IPSec-Quick-Mode-Encrypted\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-Encrypted-300x61.png\" alt=\"IPSec-Quick-Mode-Encrypted\" width=\"300\" height=\"61\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-Encrypted-300x61.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-Encrypted.png 798w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-163\" class=\"wp-caption-text\">IPSec-Quick-Mode-Encrypted<\/figcaption><\/figure>\n<p>If you are only making sure that the connection is authenticated and integrity-protected, but NOT encrypted (step III.3.5 or step III.4.3 above), your <em>Quick Mode<\/em> should look like this:<\/p>\n<figure id=\"attachment_162\" aria-describedby=\"caption-attachment-162\" style=\"width: 300px\" class=\"wp-caption alignnone\"><a 
href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-UNEncrypted.png\"><img loading=\"lazy\" class=\"size-medium wp-image-162\" title=\"IPSec-Quick-Mode-UNEncrypted\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-UNEncrypted-300x61.png\" alt=\"IPSec-Quick-Mode-UNEncrypted\" width=\"300\" height=\"61\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-UNEncrypted-300x61.png 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/IPSec-Quick-Mode-UNEncrypted.png 798w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-162\" class=\"wp-caption-text\">IPSec-Quick-Mode-UNEncrypted<\/figcaption><\/figure>\n<p>If you can&#8217;t get an authorized connection to work. Look at your main mode. If there is an entry in your main mode, that means, IPSec connection is established, but the connection is refused due to security rule you specified(may be you require both computer and user authentication, but the client connection is only using computer authentication, or the user of the computer is not authorized). Make sure you do step I-IV right. This is a very long process. It can be shortened using command line, but that&#8217;s for another post.<\/p>\n<p>Make sure you check the main-mode first. Main-mode always comes first before the quick mode.<\/p>\n<p>After you successfully implement this, you might still be paranoid, and are still asking &#8220;How do I know for sure that the connection is really encrypted?? I&#8217;m not going to just trust what is reported. I want PROOF or I&#8217;LL SUE&#8221;(If this is really the case, you need to ask for &#8220;chill-pill&#8221; prescription). In this scenario(protecting http traffic), it&#8217;s simple. Just enable basic authentication, and run a network monitoring tools to monitor a network packet going in to your server from an authenticated station(or the other way around). 
Without encryption enabled, you will see the user name and password in clear text in your network monitor during the authentication process (Basic authentication only base64-encodes them). You would normally protect this with SSL. With IPSec encryption enabled, you can see that all the HTTP traffic over TCP port 80 is encapsulated (encrypted) in the ESP protocol, so there is no need for SSL on this link. Keep in mind that IPSec only protects the path between the two IPSec peers; it does not replace SSL if the traffic is relayed beyond the server, or if you need the browser to verify the server&#8217;s identity with a certificate. Here is a screenshot from Microsoft Network Monitor:<\/p>\n<figure id=\"attachment_164\" aria-describedby=\"caption-attachment-164\" style=\"width: 300px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/Encrypted-Network-Packet-with-IPSec.gif\"><img loading=\"lazy\" class=\"size-medium wp-image-164\" title=\"Encrypted-Network-Packet-with-IPSec\" src=\"http:\/\/digitallibraryworld.com\/wp-content\/uploads\/2011\/06\/Encrypted-Network-Packet-with-IPSec-300x197.gif\" alt=\"Encrypted-Network-Packet-with-IPSec\" width=\"300\" height=\"197\" srcset=\"https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/Encrypted-Network-Packet-with-IPSec-300x197.gif 300w, https:\/\/heisbudi.com\/wp-content\/uploads\/2011\/06\/Encrypted-Network-Packet-with-IPSec.gif 691w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-164\" class=\"wp-caption-text\">Encrypted-Network-Packet-with-IPSec<\/figcaption><\/figure>\n<p>That&#8217;s it!! 
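<\/p>\n<p>Everything in sections II to V can also be done from the command line. What follows is an added example, not part of the original post: it expresses the same configuration with the NetSecurity PowerShell cmdlets (New-NetIPsecRule, New-NetFirewallRule, Get-NetIPsecMainModeSA, Get-NetIPsecQuickModeSA), which exist on Windows 8\/Server 2012 and later, not on the systems the screenshots above come from. The server address 192.168.1.200 and TCP port 80 are taken from the post; the rule names, the -Role and -Encrypt switches and the use of Kerberos computer authentication are assumptions of this example.<\/p>\n

```powershell
# Added example, not from the original post. Same setup as the GUI steps:
# protected server 192.168.1.200 serving TCP 80, both hosts domain-joined.
# Needs the NetSecurity module (Windows 8 or Server 2012 and later) and an
# elevated PowerShell. Rule names, -Role and -Encrypt are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Server', 'Workstation')][string]$Role,
    [string]$Server = '192.168.1.200',
    [int]$Port = 80,
    [switch]$Encrypt,         # the Require the connections to be encrypted option
    [switch]$RequireUserAuth  # Computer and User instead of computer only
)

# Customize dialog (steps III.4.3 and IV.13) mapped to cmdlet values:
#   -Encryption NotRequired = authenticated and integrity-protected only
#   -Encryption Required    = ESP with encryption
$enc = if ($Encrypt) { 'Required' } else { 'NotRequired' }

# Authentication sets. Kerberos means only domain members can negotiate,
# which is why local users and non-domain-joined computers cannot be used.
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'IPsec P1 computer Kerberos' -Proposal $machineAuth
$ruleArgs = @{ Phase1AuthSet = $phase1.Name }
if ($RequireUserAuth) {
    $userAuth = New-NetIPsecAuthProposal -User -Kerberos
    $phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'IPsec P2 user Kerberos' -Proposal $userAuth
    $ruleArgs.Phase2AuthSet = $phase2.Name
}

if ($Role -eq 'Server') {
    # Section II on the server: require IPsec on anything reaching this host.
    # RemoteAddress Any is the domain-isolation setting; narrow it to the
    # workstation addresses if other hosts must still reach this server.
    New-NetIPsecRule -DisplayName 'Require IPsec inbound (domain isolation)' `
        -InboundSecurity Require -OutboundSecurity Request `
        -RemoteAddress Any -Profile Domain @ruleArgs | Out-Null

    # Section III.4: the inbound HTTP rule becomes allow-only-if-secure.
    # -RemoteMachine and -RemoteUser accept an SDDL string of authorized SIDs
    # if you want the Computers and Users tabs of step III.4.4 filled in.
    New-NetFirewallRule -DisplayName 'HTTP in (IPsec required)' `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow `
        -Authentication Required -Encryption $enc -Profile Domain | Out-Null
}
else {
    # Section IV.6: the same connection security rule, scoped to the server.
    New-NetIPsecRule -DisplayName 'Require IPsec to protected server' `
        -InboundSecurity Require -OutboundSecurity Require `
        -RemoteAddress $Server -Profile Domain @ruleArgs | Out-Null

    # Section IV.8 to IV.17: outbound rule. -RemoteAddress is the Scope tab
    # setting that step 17 insists on, so the rule never applies elsewhere.
    if ($Encrypt) {
        New-NetFirewallRule -DisplayName 'HTTP out to protected server (encrypted)' `
            -Direction Outbound -Protocol TCP -RemotePort $Port -RemoteAddress $Server `
            -Action Allow -Authentication Required -Encryption Required -Profile Domain | Out-Null
    }
}

# Section V from the command line: after a client has connected, Main Mode
# lists the authenticated IKE SA and Quick Mode the ESP SA. An empty Main Mode
# means the peers never negotiated; a Main Mode entry with no Quick Mode entry
# means negotiation succeeded but the firewall rule refused the connection.
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint, EspEncryption, EspIntegrity
```

<p>Save it as a .ps1 and run it elevated with <strong>-Role Server<\/strong> on the protected server and <strong>-Role Workstation<\/strong> on each client, adding <strong>-Encrypt<\/strong> if you chose encryption and <strong>-RequireUserAuth<\/strong> for the <em>Computer and User<\/em> method. With encryption on, the Quick Mode output should show an ESP encryption algorithm rather than None, which is the same check as the two Quick Mode screenshots above.<\/p>\n<p>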
As usual, if you see any mistake on this post, feel free to let me know.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Using IPSec with local group policy, without setting up domain group 
policy<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[19,7],"tags":[],"_links":{"self":[{"href":"https:\/\/heisbudi.com\/index.php?rest_route=\/wp\/v2\/posts\/137"}],"collection":[{"href":"https:\/\/heisbudi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/heisbudi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/heisbudi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/heisbudi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=137"}],"version-history":[{"count":15,"href":"https:\/\/heisbudi.com\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions"}],"predecessor-version":[{"id":230,"href":"https:\/\/heisbudi.com\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions\/230"}],"wp:attachment":[{"href":"https:\/\/heisbudi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/heisbudi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/heisbudi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}