Windows 2003 IPSEC problem

DA

Hi everyone

I run some standalone Windows 2000 servers which use IPSEC to encrypt
Terminal Server traffic. I have tried to duplicate this on a new SBS 2003
machine, and I have got it hopelessly wrong. Now I can't connect to this
2003 server with TS at all, and I believe it is something to do with what I
have done to the "IP Security Policies on Active Directory" in the Default
Domain Security Settings snap-in. Is there a way to restore these to a
default setting? Could I export IP Security Policies on Active Directory
from another server in a different domain and import them onto my SBS
machine?

Sorry if I've posted to the wrong group, I couldn't find any obvious
alternative.

I'd really appreciate some help!
 
You should be able to log on to the 2003 computer at the console and
"unassign" the policy that you assigned which should disable it. You can
import and export ipsec policies, just be sure that the filter rules are
compatible. Since these computers are not all in the same domain you need to
use preshared key or certificate authentication for the ipsec policy and not
the default kerberos. Domain controllers must be exempt from ipsec policies
that involve domain computers by adding their IP addresses to a filter rule
with a permit filter action for all traffic. --- Steve

http://support.microsoft.com/?kbid=254949
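
The steps in the reply above (export first, unassign, exempt the domain controller, use a preshared key instead of Kerberos), sketched with the `netsh ipsec static` context on Windows Server 2003. This is an added example, not part of the original thread; every policy name, address, file path and key is a placeholder.

```batch
@echo off
rem Added example. All names, addresses, paths and the key are placeholders.
setlocal
set POLICY=TS-Encrypt
set OLD_POLICY=Old TS Policy
set DC_IP=192.0.2.10
set PSK=REPLACE-WITH-LONG-RANDOM-KEY
set BACKUP=C:\ipsec-backup.ipsec

rem Commands act on the local policy store by default. For policies kept in
rem Active Directory, select that store first:
rem   netsh ipsec static set store location=domain

rem 1. Export the current policies before changing anything.
netsh ipsec static exportpolicy file="%BACKUP%"
if not exist "%BACKUP%" (echo Export failed, stopping. & exit /b 1)

rem 2. Unassign the policy that broke connectivity (run at the console).
netsh ipsec static set policy name="%OLD_POLICY%" assign=no

rem 3. Build the replacement policy unassigned, so nothing takes effect yet.
netsh ipsec static add policy name="%POLICY%" assign=no

rem 4. Exempt the domain controller: permit all traffic to and from its IP.
netsh ipsec static add filterlist name="DC-Exempt"
netsh ipsec static add filter filterlist="DC-Exempt" srcaddr=me dstaddr=%DC_IP% protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Permit-All" action=permit
netsh ipsec static add rule name="Exempt-DC" policy="%POLICY%" filterlist="DC-Exempt" filteraction="Permit-All"

rem 5. Require ESP for Terminal Services (TCP 3389), authenticated with a
rem    preshared key because the peers are not in one Kerberos realm.
netsh ipsec static add filterlist name="TS-3389"
netsh ipsec static add filter filterlist="TS-3389" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add filteraction name="Require-ESP" action=negotiate inpass=no soft=no qmsec="ESP[3DES,SHA1]"
netsh ipsec static add rule name="Encrypt-TS" policy="%POLICY%" filterlist="TS-3389" filteraction="Require-ESP" kerberos=no psk="%PSK%"

rem 6. Review the result, then assign only once it looks right.
netsh ipsec static show policy name="%POLICY%" level=verbose
rem netsh ipsec static set policy name="%POLICY%" assign=yes

rem Roll back at any point with:
rem   netsh ipsec static importpolicy file="%BACKUP%"
```

The preshared key is stored in clear text inside the policy and in any exported `.ipsec` file, so protect the backup file accordingly and prefer certificate authentication where a CA is available.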
 
Steve, thanks - is it possible to restore these settings from a backup,
where are they stored?
 
If you have previously exported your ipsec policy you can then import it
back into the appropriate security policy. My experience is that you cannot
restore old ipsec policy settings from a backup by reapplying the System
State. The backup would have to be a total backup such as a Ghost
image. --- Steve
 
Update - I deleted the default IPSEC policies (which were showing as
"unassigned") and Terminal Services now works again. Phew!!
 