Deploy IPsec Policy to Client Computers

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Tip

This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

Use the following procedures to configure IP Security (IPsec) rules for DNS clients in your organization. IPsec policy settings are configured using connection security rules to request authentication of the responses to DNS queries.

Important

Connection security rules can be applied to client computers running Windows Vista® and Windows® 7. However, only client computers running Windows 7 can perform DNSSEC validation of DNS responses using Name Resolution Policy Table (NRPT) settings. For more information about the NRPT, see Introduction to the NRPT and Deploy Name Resolution Policy to Client Computers.

You can deploy IPsec rules through one of the following mechanisms:

  • DNS Client OU or security group: Consider creating a separate OU or a security group that contains the computer accounts of DNS clients that will perform validation of queries for resource records contained in DNSSEC protected zones.

  • Local firewall configuration: Use this option if you have DNS clients that are not domain members or if you have a small number of DNS clients that you want to configure locally.

Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configuring IPsec policy

  • Using the Windows interface

  • Using a command line

In the following procedure, IPsec rules are deployed to client computers that are members of a security group. To deploy this policy on computers that are not domain members, use Local Group Policy to perform the following procedures.

Note

Complete the following procedure twice. First create a rule for UDP connections, and then create a rule for TCP connections.

To configure IPsec policy using the Windows interface

  1. On a domain controller or a computer with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, click Create New Group Policy Object and type a name for the new GPO, for example DNSSEC Client Policy, and then click OK. The Group Policy Management Editor will open.

  3. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

  4. Right-click Connection Security Rules, and then click New Rule. The New Connection Security Rule Wizard will open.

  5. On the Rule Type page, choose Custom, and then click Next.

  6. On the Endpoints page, choose Any IP address for endpoint 1.

  7. Under Which computers are in Endpoint 2, choose These IP addresses, and then click Add.

  8. In the IP Address dialog box, choose Predefined set of computers, select DNS servers from the drop-down menu, click OK, and then click Next.

  9. On the Requirements page, choose Request authentication for inbound and outbound connections, and then click Next.

  10. On the Authentication Method page, choose Advanced, and then click Customize.

  11. In the Customize Advanced Authentication Methods dialog box, under First authentication, click Add.

  12. In the Edit First Authentication Method dialog box, choose Computer certificate from this certification authority (CA). Verify that Signing algorithm is RSA and Certificate store type corresponds to the type of CA you are using, either Root CA or Intermediate CA. Click Browse, select the name of the CA that you are using to issue DNS Server authentication certificates, and then click OK.

Important

To ensure that the correct server certificate is chosen for IPsec authentication, use a different CA to issue DNS server certificates use the system health authentication application policy. For more information, see Certificate Selection.

  1. Click OK to close the Edit First Authentication Method dialog box, click OK in Customize Advanced Authentication Methods, and then click Next.

  2. On the Protocol and Ports page, next to Protocol type, choose UDP. Next to Endpoint 1 port, choose All Ports. Next to Endpoint 2 port choose Specific Ports, type 53, and then click Next.

  3. On the Profile page, verify that the Domain, Private and Public check boxes are selected, and then click Next.

  4. Type a name and description for the rule. Use a name that will be easy to recognize, for example, DNSSEC UDP.

  5. Click Finish to create the rule.

Next, create an identical rule for DNS TCP connections by repeating this procedure and using TCP as the protocol type. After you have completed configuration of the UDP and TCP rules, use the following procedure to apply the GPO to members of a security group.

Apply the DNSSEC GPO to Client Computers

  1. On a domain controller or a computer with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.

  2. In the Group Policy Management console tree, open Forest\Domains\<domain>\Group Policy Objects, and then click the name of the GPO that you created in the previous procedure. For example: DNSSEC Client Policy.

  3. On the Scope tab, under Security Filtering click Add.

  4. Type the name of the security group that contains client computers that will receive DNSSEC policy settings, and then click OK. For example: DNSSEC Clients. Verify that the security group is listed under Security Filtering.

  5. Under Security Filtering, click Authenticated Users, click Remove, and then click OK.

  6. Close the Group Policy Management console.

To configure IPsec policy using the command line

  1. Open an elevated command prompt on the client computer.

  2. Enter the following command twice:

    netsh advfirewall consec add rule name="DNSSEC UDP" endpoint1=any endpoint2=DNS action=requestinrequestout port1=any port2=53 protocol=<protocol> auth1=computercert auth1ca=<CaName>
    

    The first time you enter this command, replace <protocol> with UDP, and replace <CaName> with the name of the CA being used. The second time you enter the command, use a different rule name such as ”DNSSEC TCP”, replace <protocol> with TCP and replace <CaName> with the name of the CA being used.

  3. Use the following command to verify that rules were created successfully:

    netsh advfirewall consec show rule name=all type=dynamic
    

Important

When you use a command line on a client computer to create connection security rules, the rules are applied to the current computer using local Group Policy.

See the following examples.

Example UDP rule

netsh advfirewall consec add rule name="DNSSEC UDP" endpoint1=any endpoint2=DNS action=requestinrequestout port1=any port2=53 protocol=UDP auth1=computercert auth1ca=”DC=com, DC=woodgrovebank, CN=woodgrovebank-DC1-CA”

Example TCP rule

netsh advfirewall consec add rule name="DNSSEC TCP" endpoint1=any endpoint2=DNS action=requestinrequestout port1=any port2=53 protocol=TCP auth1=computercert auth1ca=” DC=com, DC=woodgrovebank, CN=woodgrovebank-DC1-CA”

Certificate Selection

The following options are available to ensure that the correct certificate on a DNS server is selected for IPsec authentication. For information about deploying this certificate, see Deploy Certificates for DNS Server Authentication.

  • Use a different CA to issue DNS server certificates than the one used to issue other certificates. To accomplish this, install Active Directory Certificate Services (AD CS) on a domain controller or member server and use this CA only for issuing DNS Server authentication certificates.

  • If you have deployed Network Access Protection (NAP) on your network, you can add the Domain Name System (DNS) Server Trust, IP security IKE intermediate, and Server Authentication application policies to NAP exemption certificates that are provisioned on DNS servers. To use a NAP exemption certificate with DNS Server authentication, choose the Computer health certificate from this certification authority (CA) option instead of the Computer certificate from this certification authority (CA).

  • If you have not deployed NAP, you can still add the System Health Authentication application policy to the certificate that you use for DNS Server authentication and then configure IPsec policy to require a computer health certificate. You should only use this method if you must use the same CA to issue multiple certificates to your DNS servers.

See Also

Concepts

Checklist: Deploying DNSSEC and IPsec on the DNS client
Deploy Name Resolution Policy to Client Computers