Internet Protocol Security
IPSec Policy Agent Service
The purpose of the policy agent is to retrieve IPSec policy information and pass it to the other IPSec mechanisms that require that information to perform security services, as shown in Figure 8.5.
Figure 8.5 IPSec Policy Agent
The policy agent is an IPSec service residing on each Windows 2000 computer, appearing in the list of system services. The policy agent performs the following tasks:
- Retrieves the appropriate IPSec policy (if one has been assigned) from Active Directory if the computer is a domain member or from the local registry if the computer is not joined to a domain.
- Sends the active IPSec policy information to the IPSec driver.
Retrieval of the policy occurs at system start time, at the interval specified in the IPSec policy (if the computer is joined to a domain), and at the default Winlogon polling interval (if the computer is joined to a domain):
- If IPSec policy information is centrally configured for computers which are domain members, the IPSec policy information is stored in Active Directory and cached in the local registry of the computer to which it applies.
- If the computer is temporarily not connected to the domain and is using cached policy, any new policy information for that computer overrides the old, cached policy information when the computer reconnects to the domain.
- If a computer is a stand-alone computer, or is a member of a domain that is not using Active Directory for policy storage, IPSec policy is stored in the local registry.
The policy agent starts automatically at system start time. If there are no IPSec policies in the directory service or registry, or if the policy agent cannot connect to the directory service, the policy agent waits for policy to be assigned or activated.
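The following PowerShell check is an added example and is not part of the Windows 2000 documentation above. It verifies the two things the text describes as preconditions for IPSec policy delivery: that the policy agent service is running and set to start automatically, and whether the computer is domain-joined (so policy is expected from Active Directory and cached locally) or stand-alone (so policy lives only in the local registry). It assumes a later Windows version with PowerShell and the CIM cmdlets, and that the agent is registered under the service short name `PolicyAgent`; the page itself does not give the service's short name, so treat that as an assumption.

```powershell
# Added example, not part of the Windows 2000 documentation.
# Assumptions: the policy agent is registered under the service short name
# "PolicyAgent" (the page does not name it), and PowerShell 5.1 or later with
# the CIM cmdlets is available.
function Get-IPSecPolicyAgentState {
    $svc = Get-Service -Name 'PolicyAgent' -ErrorAction Stop
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Per the documentation: domain members receive policy from Active
    # Directory (cached in the local registry); stand-alone computers use
    # the local registry only.
    $expectedSource = if ($cs.PartOfDomain) {
        'Active Directory (cached in local registry)'
    } else {
        'Local registry'
    }

    $findings = @()
    if ($svc.Status -ne 'Running') {
        $findings += "Policy agent is $($svc.Status); no IPSec policy will be retrieved or passed to the IPSec driver."
    }
    if ($svc.StartType -ne 'Automatic') {
        $findings += "Start type is $($svc.StartType); the documentation expects the agent to start automatically at system start."
    }

    [pscustomobject]@{
        ComputerName   = $cs.Name
        DomainJoined   = [bool]$cs.PartOfDomain
        Domain         = $cs.Domain
        ServiceStatus  = $svc.Status.ToString()
        StartType      = $svc.StartType.ToString()
        ExpectedSource = $expectedSource
        Findings       = $findings
    }
}

Get-IPSecPolicyAgentState | Format-List
```

An empty `Findings` array means the agent is in the state the documentation describes; a non-empty one explains why assigned IPSec policy may not be taking effect on that computer.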
© 1985-2000 Microsoft Corporation. All rights reserved.