IPSec / Dynamic Firewall Rules Assistance

I'm not sure if anyone will have already done anything like this, but if so can you give me some feedback.

Basically we have a secure server that is currently set up in the following way.

Disks are encrypted with BitLocker
File share on D: called share1
IPsec GPO assigned to require authentication and encryption for all comms. Authentication using computer Kerberos.
Windows Firewall rule based on computer group membership (authenticated using the above) for SMB and ICMP

Client has an IPsec GPO assigned to mirror the above.

Now everything is working fine, so for all intents and purposes if you don't have the policy you can't see the server, let alone connect to it.

If you have the client IPsec policy and the machine is in the correct computer group, the machine is allowed to make a connection to the server (trusted laptops).

The user is then required to be in the correct security groups etc. for NTFS / share permissions. Lastly this is mapped via a logon script, and the server has auditing turned on, collected by ACS via SCOM.

As above this works fine, and these users with their trusted laptops can roam across our whole internal IP network and connect fine. The difficulty I'm having is when a machine needs to connect in over a VPN solution. Basically the user logs on with cached credentials and opens up the VPN connection; once the connection is open the login script runs, but the IPsec communication does not work straight away and hence access is not allowed. I can see that the machine is using a cached copy of the domain-based IPsec policy, but it either takes ages to start working (not acceptable) or will kick into life if the IPsec Policy Agent service is restarted, after which access is restored.

Anyone have any thoughts as to what's causing the issue? I thought it might be an issue with Kerberos authentication for the machine whilst away from the network at boot time, but even using a pre-shared key the IPsec negotiation doesn't seem to work in an effective way. I know the solution is fairly complex, but I'm hoping someone might have done something similar.

Cheers,
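As an added diagnostic (not part of the post above, and not a fix for the root cause), the following PowerShell checks the three things the reported symptoms point at on the VPN client: the state of the IPsec Policy Agent service, whether the SYSTEM logon session holds a Kerberos ticket for the computer account (main mode here authenticates the computer), and whether IPsec main-mode and quick-mode SAs to the server actually exist before SMB is tried. It assumes Windows 8 / Server 2012 or later on the client (the NetSecurity cmdlets), and the server name is a placeholder; with -Repair it performs the Policy Agent restart the post found restores access.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012+ (NetSecurity module)
# on the VPN client. $Server is a placeholder; replace it with the real secure server's FQDN.
param(
    [string]$Server = 'SECURESERVER.example.local',   # placeholder host name
    [switch]$Repair                                   # apply the workaround from the post
)

# 1. IPsec Policy Agent service state (the post reports a restart brings IPsec to life).
$agent = Get-Service -Name PolicyAgent
"PolicyAgent service: $($agent.Status)"

# 2. Computer-account Kerberos ticket. Main mode uses computer Kerberos, so the SYSTEM
#    logon session (LUID 0x3e7) needs a TGT; without one the negotiation cannot complete.
$tickets = & klist.exe -li 0x3e7 2>&1 | Out-String
if ($tickets -match 'krbtgt') {
    "Computer TGT: present"
} else {
    "Computer TGT: missing - Kerberos-authenticated IPsec cannot complete until the machine can reach a DC"
}

# 3. Existing security associations to the server (none = no negotiation has succeeded yet).
$ip = (Resolve-DnsName -Name $Server -Type A -ErrorAction Stop |
       Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
$mm = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $ip }
$qm = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $ip }
"Main-mode SAs to ${ip}: $(@($mm).Count)   Quick-mode SAs: $(@($qm).Count)"

# 4. Reachability for the two protocols the server's firewall rule allows (ICMP, SMB).
#    Both are expected to fail while step 3 shows zero SAs, because the rule requires IPsec.
"ICMP: $(Test-Connection -ComputerName $ip -Count 1 -Quiet)"
"SMB 445: $((Test-NetConnection -ComputerName $ip -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded)"

# 5. Optional workaround from the post: refresh computer policy now that the VPN is up,
#    then restart the Policy Agent so it re-reads the (previously cached) IPsec policy.
if ($Repair) {
    & gpupdate.exe /target:computer /force | Out-Null
    Restart-Service -Name PolicyAgent -Force
    "PolicyAgent restarted; re-run without -Repair to confirm SAs now appear."
}
```

Run it once immediately after the VPN comes up and again after a minute; if step 2 only turns green after the VPN is established, the boot-time Kerberos theory in the post is consistent with what you see.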