Internet Protocol Security


Predefined Configurations

Windows 2000 provides a set of predefined IPSec configurations. By default, all predefined policies are designed for computers that are members of a Windows 2000 domain. The predefined policies, filter lists, and filter actions provided are not intended for immediate use. Rather, they are intended to indicate, for deployment testing purposes, the different behaviors that are possible with different policy settings.

Following are descriptions of Windows 2000 predefined policies.

Client (Respond Only)

This policy is for computers that, most of the time, do not secure communications. For example, intranet clients may not require IPSec except when requested by another computer. This policy enables the computer on which it is active to respond appropriately to requests for secured communications. It contains a Default Response rule, which enables negotiation with computers requesting IPSec. Only the requested protocol and port traffic for the communication is secured.

Server (Request Security)

This policy is for computers that, most of the time, secure communications, such as servers that transmit sensitive data. This policy enables the computer to accept unsecured traffic, but it always attempts to secure additional communications by requesting security from the original sender. This policy allows the entire communication to be unsecured if the other computer is not IPSec-enabled.

Secure Server (Require Security)

This policy is for computers that always require secure communications, such as a server that transmits highly sensitive data. This policy allows unsecured, incoming communications, but always secures outgoing traffic.

Predefined Rules

Like the predefined policies, the Default Response rule is provided for activation without further action, for modification, or as a template for defining custom rules. It is added to each new policy you create, but it is not automatically activated. It is for any computer that does not require security, but must be able to respond appropriately when another computer requests secured communications.

Predefined Filter Actions

Like the predefined rules, these are provided for activation without further action, for modification, or as a template for defining custom Filter Actions. They are available for activation in any new or existing rule:

© 1985-2000 Microsoft Corporation. All rights reserved.