Practice: Deploying IPSec Configurations

In this practice, you will deploy IPSec by using two methods: using an Active Directory GPO and importing a policy from the command line.

Exercise 1: Configuring Certificate Services for IPSec Authentication
In this exercise, you will configure Certificate Services to enroll IPSec certificates, enroll Computer1 and Computer2, and then deploy an IPSec policy requiring certificate authentication by using an Active Directory–based GPO. First, install Certificate Services if it is not yet installed:

1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.
2. Open Add Or Remove Programs in Control Panel.
3. Click Add/Remove Windows Components.
4. On the Windows Components page of the Windows Components Wizard, select the Certificate Services check box. When prompted, click Yes.
5. Click Next.
6. In the CA Type page, click Enterprise Root CA, and then click Next.
7. In the Common Name For This CA box, type computer1. Click Next.
8. On the Certificate Database Settings page, accept the defaults by clicking Next. If prompted to stop IIS, click Yes.
9. If prompted, click Yes to enable Active Server Pages.
10. After Certificate Services is installed, click Finish. Close all open windows.

Next, issue the built-in IPSec certificate template:
1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. Expand Computer1. Right-click Certificate Templates, click New, and then click Certificate Template To Issue.
The Enable Certificate Templates dialog box appears.
3. Click IPSec, and then click OK.
Next, enroll Computer1 and Computer2 by using the IPSec certificate template. Repeat the following process on both Computer1 and Computer2:
1. Open a blank Microsoft Management Console (MMC) console, and then add the Certificates snap-in. When prompted to select the account, select Computer Account, and then select Local Computer.
2. Expand Certificates. Right-click Personal, click All Tasks, and then click Request New Certificate.
The Certificate Request Wizard appears.
3. Click Next. On the Certificate Types page, click IPSec.
4. Click Next twice, and then click Finish.

Next, configure an IPSec policy in the Default Domain Policy GPO that uses certificates for authentication:
1. Open a blank MMC console, and then add the Group Policy Object Editor snap-in. When prompted to select the GPO, click Browse and select the Default Domain Policy, click OK, and then click Finish.
2. Expand Default Domain Policy, Computer Configuration, Windows Settings, and Security Settings, and then click IP Security Policies On Active Directory.
3. Right-click IP Security Policies On Active Directory, and then click Create IP Security Policy.
The IP Security Policy Wizard appears.
4. Click Next. On the IP Security Policy Name page, type Certificate Authentication, and then click Next.
5. On the Requests For Secure Communication page, leave Activate The Default Response Rule selected, and then click Next.
6. On the Default Response Rule Authentication Method page, click Use A Certificate From This Certification Authority.
7. Click Browse. If prompted, click Yes. Select Computer1’s certificate, and then click OK.
8. Select Enable Certificate To Account Mapping. Click Next.
9. Click Finish.
The Certificate Authentication Properties dialog box appears.
10. Click Add.
The Security Rule Wizard appears.
9-14 Chapter 9 Deploying and Troubleshooting IPSec
11. Click Next three times.
12. On the IP Filter List page, click All IP Traffic. Click Next.
13. On the Filter Action page, click Request Security (Optional). Click Next.
14. On the Authentication Method page, click Use A Certificate From This Certification Authority.
15. Click Browse. If prompted, click Yes. Select Computer1’s certificate, and then click OK.
16. Select Enable Certificate To Account Mapping. Click Next. You should select Enable Certificate To Account Mapping here because all of the computers that will be authenticating have valid computer accounts in the same forest.
17. Click Finish.
18. On the Certificate Authentication Properties page, click OK.
19. In the Group Policy Object Editor snap-in, right-click Certificate Authentication, and then click Assign.
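The same policy can also be built from the command line with netsh ipsec static, which is the second deployment method this practice refers to. The script below is an added example, not part of the practice text or of Microsoft's documentation; it assumes the domain cohowinery.com, Windows Server 2003's netsh ipsec context, and that the CA's subject is CN=computer1,DC=cohowinery,DC=com (confirm it in the Certification Authority console before running). The filter list and filter action are created under practice-specific names so they do not collide with the built-in ones.

```batch
@echo off
rem Added example (not from the practice): netsh equivalent of the GPO-based policy above.
rem Run on Computer1 as a domain administrator.
rem Assumption: the Enterprise Root CA's subject name is the value below.
set CA_DN=CN=computer1,DC=cohowinery,DC=com

rem 1. Point netsh at the Active Directory policy store rather than the local machine.
netsh ipsec static set store location=domain domain=cohowinery.com

rem 2. Create the policy. activatedefaultrule=yes is "Activate The Default Response Rule".
netsh ipsec static add policy name="Certificate Authentication" description="Practice: certificate authentication" activatedefaultrule=yes assign=no

rem 3. Default response rule: certificate authentication only (kerberos=no).
rem    certmap:yes is "Enable Certificate To Account Mapping"; it is appropriate here because
rem    every authenticating computer has an account in the same forest.
netsh ipsec static set defaultrule policy="Certificate Authentication" activate=yes kerberos=no rootca="%CA_DN%" certmap:yes

rem 4. Filter list equivalent to the built-in "All IP Traffic": me <-> any, any protocol, mirrored.
netsh ipsec static add filterlist name="All IP Traffic (Practice)"
netsh ipsec static add filter filterlist="All IP Traffic (Practice)" srcaddr=me dstaddr=any protocol=any mirrored=yes

rem 5. Filter action equivalent to "Request Security (Optional)".
rem    soft=yes is the caveat: if a peer never answers IKE, traffic falls back to cleartext.
rem    Once every peer is enrolled, soft=no inpass=no gives a "Require Security" action.
netsh ipsec static add filteraction name="Request Security (Practice)" action=negotiate inpass=yes soft=yes

rem 6. The rule that ties filter list, filter action and certificate authentication together.
netsh ipsec static add rule name="All Traffic Cert Auth" policy="Certificate Authentication" filterlist="All IP Traffic (Practice)" filteraction="Request Security (Practice)" kerberos=no rootca="%CA_DN%" certmap:yes

rem 7. Assign the policy (the "Assign" step) and review what was stored.
netsh ipsec static set policy name="Certificate Authentication" assign=yes
netsh ipsec static show policy name="Certificate Authentication" level=verbose format=list

rem 8. On each member: refresh policy, generate traffic to the other computer (ping),
rem    then confirm a main mode SA using certificate authentication was established.
rem      gpupdate /force
rem      netsh ipsec dynamic show mmsas
```

If show mmsas lists no SA after a ping, check that both computers hold an IPSec certificate in the Local Computer Personal store before suspecting the policy itself.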
