Can’t set up IPSec policy for LDAP

I’m trying to set up an IPSec policy for TCP port 389 that only allows a limited group of IP addresses to connect. (The target machine was a domain controller.)

So I added two filters:

  1. one to deny all access to that port
  2. one that allows the specific LAN address to access that port.

Now when I activate that policy, I find that Group Policy Management stops responding; after a while it asks me if I want to switch to another domain, retry, etc.

(P.S. Stopping the IPSec agent service fixes that, so it’s definitely IPSec’s problem.)

What did I miss?

Answer

I have spent a great deal of time getting internal firewalls and hosts in place. I highly recommend not requiring IPsec when interacting with domain controllers, certificate servers, DHCP or DNS servers. While it is possible to enable IPsec for certain communication to these kinds of servers, it is extremely easy to lock yourself out. You also need to consider the bootstrapping process for new machines. How can you join the domain if you don’t have a certificate or Kerberos ticket already?
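As an added example (not code from the question or the answer), here is the same goal, inbound TCP/389 limited to an allow-list, done with Windows Firewall rule scoping instead of an IPsec filter list, which follows the answer's advice and keeps a timed revert as a lockout guard. It assumes Windows Server 2012 or later with the NetSecurity module, an elevated shell on the domain controller itself, and the client addresses and task name are constructed sample values.

```powershell
# Added example: scope inbound LDAP (TCP/389) on a DC by address without IPsec.
# Assumptions: Windows Server 2012+ (NetSecurity module), run elevated on the DC.
$AllowedClients = @('10.0.0.0/24', '10.0.1.25')   # constructed sample values

# Every enabled inbound rule that opens TCP 389, selected by port rather than
# by display name so the predefined AD DS rule names need not be known.
function Get-LdapInboundRule {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
}

function Set-LdapInboundScope {
    param([string[]]$Clients)
    # Assumption: the DC's own addresses must stay in the allow-list, because
    # local consoles such as GPMC reach the directory over LDAP as well; an
    # allow-list that omits the DC itself is one way to get the hang described
    # in the question.
    $self  = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    $scope = @(($Clients + $self) | Sort-Object -Unique)
    # Scope the existing Allow rules instead of adding a "deny all 389" rule:
    # in Windows Firewall a Block rule wins over Allow, so a blanket block
    # would defeat the allow rule as well.
    Get-LdapInboundRule | Set-NetFirewallRule -RemoteAddress $scope
    $scope
}

function Register-LdapScopeGuard {
    param([int]$Minutes = 10)
    # Lockout guard: a scheduled task re-opens the rules to Any after N minutes.
    # Remove it with Unregister-ScheduledTask once LDAP is confirmed working.
    $revert  = 'Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq ''TCP'' -and $_.LocalPort -eq 389 } | ' +
               'Get-NetFirewallRule | Set-NetFirewallRule -RemoteAddress Any'
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$revert`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
    Register-ScheduledTask -TaskName 'Revert-LdapScope' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

Register-LdapScopeGuard -Minutes 10
$applied = Set-LdapInboundScope -Clients $AllowedClients
"Inbound TCP/389 now limited to: $($applied -join ', ')"

# Confirm from the DC and from an allowed client before removing the guard.
Test-NetConnection -ComputerName $env:COMPUTERNAME -Port 389 | Select-Object TcpTestSucceeded
# Unregister-ScheduledTask -TaskName 'Revert-LdapScope' -Confirm:$false
```

The loopback check above only proves the service is listening; the real test is an LDAP bind from a listed client and from a non-listed one, which should succeed and be refused respectively.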

Attribution
Source: Link, Question Author: daisy, Answer Author: Tim Brigham