Internet Protocol Security


Special IPSec Considerations

The following considerations help simplify administration of IPSec policies:

IP Filter Lists

Some recommendations for IP Filter Lists:

Filter Actions

Some recommendations for Filter Actions:

Remote Access Communications

Some recommendations for remote access communications:

SNMP

If a computer is running an SNMP service, you must add a rule to prevent SNMP messages from being blocked:

Security Gateways

For a security gateway, firewall, proxy server, router or any server that is an access point from the intranet to the outside world, special filtering must be enabled on that computer to ensure that packets secured with IPSec are not rejected. At a minimum, the following input and output filters must be defined for the Internet interface on the computer:

Input Filters

Output Filters
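The gateway requirement described under Security Gateways can be checked mechanically. The following is an added example, not part of the original documentation: the rule format and function names are hypothetical, and the protocol values (ESP = IP protocol 50, AH = IP protocol 51, IKE on UDP port 500) are the standard IANA assignments rather than values taken from this page.

```python
# Added example: audit a gateway's Internet-interface filters for IPSec pass-through.
# Assumptions: first-match rule evaluation, default drop, one port value per rule.
from dataclasses import dataclass
from typing import Optional

ESP, AH, UDP = 50, 51, 17      # IANA IP protocol numbers
IKE_PORT = 500                 # IKE negotiation runs over UDP 500

@dataclass(frozen=True)
class Filter:
    direction: str             # "in" or "out" on the Internet interface
    protocol: Optional[int]    # IP protocol number, None = any
    port: Optional[int]        # UDP/TCP port, None = any
    action: str                # "permit" or "drop"

def decide(filters, direction, protocol, port=None, default="drop"):
    """First matching filter wins; unmatched traffic gets the default action."""
    for f in filters:
        if f.direction != direction:
            continue
        if f.protocol is not None and f.protocol != protocol:
            continue
        if f.port is not None and f.port != port:
            continue
        return f.action
    return default

REQUIRED = {"ESP": (ESP, None), "AH": (AH, None), "IKE": (UDP, IKE_PORT)}

def missing_ipsec_flows(filters):
    """Return sorted (direction, name) pairs for IPSec traffic that would be rejected."""
    return sorted(
        (direction, name)
        for direction in ("in", "out")
        for name, (proto, port) in REQUIRED.items()
        if decide(filters, direction, proto, port) != "permit"
    )

# Constructed sample filter set: inbound AH was forgotten.
SAMPLE = [
    Filter("in", UDP, IKE_PORT, "permit"),
    Filter("in", ESP, None, "permit"),
    Filter("out", UDP, IKE_PORT, "permit"),
    Filter("out", ESP, None, "permit"),
    Filter("out", AH, None, "permit"),
]

if __name__ == "__main__":
    for direction, name in missing_ipsec_flows(SAMPLE):
        print(f"{direction}bound {name} is not permitted")
```

An empty result means IKE negotiation and both IPSec protocols can cross the gateway in both directions.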

DHCP, DNS, and WINS Services; Domain Controllers

Before enabling IPSec on computers functioning as a DHCP, DNS, or WINS server, or as a domain controller, determine whether all of the clients are also IPSec-capable. If they are not, and the IPSec policy is not configured to allow fallback to clear or to permit unsecured traffic to accommodate older clients, secure negotiation might fail, and access to these network services might be blocked.

© 1985-2000 Microsoft Corporation. All rights reserved.