Active Directory Replication over Firewalls
This Microsoft Service Providers article describes how to
configure IPSec policies to protect Active Directory replication
traffic when the domain controllers are separated by a firewall.
Active Directory in Networks Segmented by
This white paper describes best practices for deploying Active
Directory domain controllers in segmented networks and includes
detailed procedures for configuring IPSec policies to protect
Active Directory traffic between domain controllers on opposite
sides of a firewall and recommended practices for managing IPSec
policies that are assigned to domain controllers. Source:
Guide to Microsoft L2TP/IPSec VPN Client
The Microsoft L2TP/IPSec VPN Client is a free Web
download that allows computers running Windows 98/ME,
and Windows NT© Workstation 4.0 to use Layer Two
Tunneling Protocol (L2TP) connections with Internet
Protocol Security (IPSec). This article provides an
overview of L2TP/IPSec VPN connections and includes
instructions about how to deploy and troubleshoot
Microsoft L2TP/IPSec VPN Client.
Assigning IPSec Policy
Provides information about
creating and modifying IPSec policy for both local computers and
domains with the IP Security Policies snap-in available in
Microsoft Management Console (MMC). Source:
Client-to-Domain Controller and Domain Controller-to-Domain Controller IPSec Support
Microsoft Knowledge Base Article: 254949 - Using IP Security (IPSec) to protect traffic from a domain member to the domain controller is currently not supported in Windows 2000 because it is not possible for non-domain computers to get the initial IPSec policy from the domain
controller once a domain controller (DC) requires IPSec to communicate, and because domain member computers cannot use Kerberos as the IPSec/IKE authentication method to authenticate IKE with their domain controller and with trusted domain controllers on the domain in all cases.
Configuring IPSec to Handle Trusted and Untrusted Domain Authentication
Microsoft Knowledge Base Article: 248694 - Computers that need to use IP Security Protocol (IPSec) for secure communications must authenticate themselves before establishing an IPSec
session. If the computers are part of a Windows 2000-based
domain, you can use Kerberos authentication, which is the
default authentication protocol.
A four part article by Brien Posey explaining how to
customize the IP Sec protocol. Source: Brienposey.com
Disabling IPSEC Policy Used with L2TP
Microsoft Knowledge Base Article: 258261 - The RemoteAccess and PolicyAgent services create a policy that is used for L2TP traffic because L2TP does not provide encryption. Under some conditions, it may be useful to disable this policy.
Download details: ipsecpol.exe: IPSEC Policy Configuration Tool
This tool is used to configure IP
Security policies in the Directory Service or in a local or
remote registry. It does everything that the IP Security MMC
snap-in does and is even modeled after the snap-in.
HOW TO: Clear Existing IPSec Security Associations in Windows 2000
Microsoft Knowledge Base Article: 313236 - When you troubleshoot Internet Protocol security (IPSec) configuration problems, you may have to clear existing security associations. For example, you may have to clear existing IPSec security associations in any of the following situation
How to Configure Cisco IOS for L2TP/IPSec in Windows 2000
Microsoft Knowledge Base Article: 249067 - This article explains two changes you need to make to Cisco Internetwork Operating System (IOS) (in addition of the standard L2TP/IPSec configuration on the Cisco router) to be able to establish an L2TP session with a Windows 2000 host
How to Configure IPSec Tunneling in Windows 2000
Microsoft Knowledge Base Article: 252735 - You can use IP Security (IPSec) in tunnel mode to encapsulate Internet Protocol (IP) packets and optionally encrypt them. The primary reason for using IPSec tunnel mode (sometimes referred to as "pure IPSec tunnel") in Windows 2000
is for interoperability withy 3rd party routers or Gateways that do not support Layer 2 Tunneling Protocol or
How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication
Microsoft Knowledge Base Article: 240262 - Windows 2000 automatically creates an Internet Protocol Security (IPSec) policy to be used with Layer 2 Tunneling Protocol (L2TP)/IPSec connections that requires a certificate for Internet Key Exchange (IKE) authentication.
HOW TO: Disable the Automatic L2TP/IPSec Policy
Microsoft Knowledge Base Article: 310109 - This step-by-step article describes how to disable the automatic Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPSec)
How to Enable IPSec Traffic Through a Firewall
Microsoft Knowledge Base Article: 233256 - IP Security (IPSec) is used to securely transmit data between computers. It is implemented at the Networking layer (Layer 3) of the Open Systems Interconnection (OSI) model. This provides protection for all IP and upper-layer
How to Install a Certificate for Use with IP Security
Microsoft Knowledge Base Article: 253498 - When IP Security (IPSec) is configured to use a Certificate Authority (CA) for mutual authentication, you must obtain a local computer
HOW TO: Use Internet Protocol Security to Secure Network Traffic Between Two Hosts
Microsoft Knowledge Base Article: 301284 - This article is a step-by-step instruction guide to enable advanced users to configure Internet Protocol security (IPSec) so that they can secure the communications between two host
HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows 2000
Microsoft Knowledge Base Article: 315055 - You can use Windows 2000 Terminal Services to gain access to programs in a multiple-user Terminal server environment. Communications between the Terminal Services client computer and the server that has Terminal Services enabled can
IPSec Is Not Designed for Failover
Microsoft Knowledge Base Article: 306677 - Although you can use Internet Protocol security (IPSec) with a cluster, Windows Load Balancing Service (WLBS), or Network Load Balancing (NLB) and Server Clusters (MSCS), IPSec was not designed for failover
situations. (updated 132002)
Ipsecmon.exe May Display Incorrect Information
Microsoft Knowledge Base Article: 256284 - When you use the IP Security Monitor (Ipsecmon.exe) tool on the Responder side of an IP Security Protocol (IPSec)
connection to view information about a security association
(SA), the Main-mode SA information that is displayed may be
Using the IP Security Monitor Tool to View IPSec Communications
Microsoft Knowledge Base Article: 231587 - Administrators can use the IP Security Monitor tool to confirm whether IP Security (IPSec)
communications are successfully secured. The tool can show how
many packets have been sent over the Authentication Header (AH)
or Encapsulating Security.
Windows 2000 L2TP/IPSec Interoperation with Third-Party Manufacturers
Microsoft Knowledge Base Article: 254442 - Windows 2000 is compliant with Request for Comments (RFC) 2661 ("Layer Two Tunneling Protocol"). RFC 2661 indicates that Layer 2 Tunneling Protocol (L2TP) traffic can be secured with IP Security Protocol (IPSec),
but does not provide detailed
With IPSec Policies
IPSec is slower than a normal IP packet because of the larger
packet size and the overhead required for encryption and
decryption. The larger packet size also means that IPSec can
consume more network bandwidth than traditional IP packets.
Fortunately, using IPSec isn©t an all or nothing situation.
There are ways for telling Windows which communications need to
be performed through IPSec and which communications can be sent
through traditional packets. Such rules can be established
through the use of IPSec policies. This article will introduce
you to the concept of IPSec policies, and explain how to
implement various types of IPSec policies in your organization.