This is a discussion on New Capabilities in Windows Server 2008 within the Operating systems forums, part of the Tutorials category.
New Capabilities in Windows Server 2008
The improvements described in the following sections were made to IPsec in Windows Server 2008.
Integrated Firewall and IPsec Configuration
In Windows XP and Windows Server 2003, rules for Windows Firewall and IPsec are configured separately. Because both can block or allow inbound traffic, it is possible to accidentally create redundant or even contradictory rules, and these configuration errors can be difficult to troubleshoot. The new graphical and command-line management tools combine the configuration of both the firewall and IPsec, which simplifies management and reduces the risk of misconfiguration. In the past, the firewall and IPsec also supported different characteristics for the elements in rules. For example, you could create a firewall exception based on an application name, but IPsec did not support rules based on application names.
Simplified IPsec Policy Configuration
Prior to Windows Vista and Windows Server 2008, you needed to configure one set of rules to protect traffic and another set of rules to create exemptions from protection for infrastructure servers such as DHCP, DNS, and domain controllers. During start-up, the client computer could not access these services if the server required IPsec. The new version of IPsec overcomes this by simultaneously initiating both IPsec-protected and in-the-clear connections. If the other host does not respond to the IPsec request, the initiating host continues to communicate in the clear. If it does receive a response to the IPsec request, it continues to communicate in the clear until the negotiation is complete; from then on all additional traffic is protected. Obviously, this only happens if IPsec is requested, not if it is required. While this behavior is optional, it is recommended because it greatly simplifies the IPsec policies for an enterprise. This new behavior also makes network connections faster: Windows XP and Windows Server 2003 hosts that are configured to request IPsec but allow clear-text communication wait for up to 3 seconds for IPsec to fail before switching to unprotected communication.
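The two preceding sections describe rules that are configured in one tool and a "request" mode that needs no infrastructure exemptions. The following is an added example, not code from the original post, showing what that looks like with netsh advfirewall on Windows Server 2008 from an elevated PowerShell prompt. The subnet, application path and rule names are placeholders.

```powershell
# Added example, not code from the original post: a domain-isolation policy on
# Windows Server 2008 built with netsh advfirewall from an elevated PowerShell
# prompt. The subnet and application path are placeholders.

$domainSubnet = '10.0.0.0/16'                         # placeholder: domain member range
$app          = 'C:\Program Files\ExampleApp\svc.exe' # placeholder: protected service

# 1. Connection security rule in "request" mode. IPsec and clear-text
#    connections are attempted in parallel, so DHCP, DNS and the domain
#    controllers need no separate exemption rule: a peer that never answers
#    the IKE request is simply talked to in the clear.
netsh advfirewall consec add rule `
    name="Domain isolation - request IPsec" `
    endpoint1=any endpoint2=$domainSubnet `
    action=requestinrequestout auth1=computerkerb profile=domain

# 2. Firewall rule in the same tool, keyed on the application name AND on the
#    IPsec state: only peers that completed the negotiation above may reach
#    the service. Windows Server 2003 IPsec could not match on a program, so
#    this previously needed two separately maintained rule sets.
netsh advfirewall firewall add rule `
    name="ExampleApp inbound - IPsec peers only" `
    dir=in action=allow program="$app" `
    remoteip=$domainSubnet security=authenticate profile=domain

# 3. Tightening for servers that must never accept clear text: inbound traffic
#    from the subnet now requires IPsec; outbound still falls back to clear.
#    The parallel fallback in step 1 does not apply to a required direction,
#    so use this only on hosts whose peers are all IPsec-capable.
netsh advfirewall consec set rule `
    name="Domain isolation - request IPsec" new action=requireinrequestout

# 4. Checks: the two rules live side by side, and the security associations
#    that form once traffic flows are visible in the monitor context.
netsh advfirewall consec   show rule name="Domain isolation - request IPsec"
netsh advfirewall firewall show rule name="ExampleApp inbound - IPsec peers only"
netsh advfirewall monitor show mmsa   # main mode SAs: which peers authenticated
netsh advfirewall monitor show qmsa   # quick mode SAs: which traffic is protected
```

The firewall rule in step 2 never matches a peer that has not negotiated IPsec, so a misconfigured connection security rule shows up as the application being unreachable from those peers; the `monitor show mmsa` output is the quickest way to tell whether the negotiation happened at all.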
Improved IPsec Authentication
In addition to authenticating with Kerberos, digital certificates, and preshared keys, Windows Server 2008 systems can authenticate with health certificates. Health certificates are given to clients by a Health Registration Authority (HRA) after the client has proven that its health state complies with the current policy.
Available authentication methods for IPsec include:
■ A computer health certificate
■ A user certificate
■ NTLMv2 credentials of the computer
■ NTLMv2 credentials of the logged on user
■ Kerberos credentials of the logged on user
This means that you could require Kerberos credentials for the initial computer authentication and subsequently require a health certificate. The second authentication can also be used without the first one.
Improved Load Balancing and Clustering Server Support
Earlier versions of IPsec typically took 3 to 6 seconds to recover from an administrative change and up to 2 minutes when a cluster node failed. In Windows Server 2008 and Windows Vista the time-out is much shorter; typically it is fast enough for the application to continue functioning. Rather than waiting for idle time-outs to detect a failed cluster node, IPsec actively monitors TCP connections for established Security Associations (SAs). If the SA begins retransmitting packets, IPsec renegotiates SAs to try to restore the connection to another node in the cluster.
Client-to-DC IPsec Protection
Windows Server 2008 supports IPsec between domain controllers and member computers in two modes. First, you can configure policy to request but not require IPsec to domain controllers, which protects most traffic with domain members but allows clear-text communication for domain joins and other types of traffic. Second, you can configure policy to require IPsec and allow NTLMv2 authentication, in which case all communication with domain controllers is protected. This more restrictive configuration works because NTLMv2 user credentials can be used for authentication. When a computer running Windows Server 2008 or Windows Vista attempts to join the domain, the user is prompted for a user name and password for an account in the domain that is allowed to add computer accounts. This new behavior is only available with client computers running Windows Vista or Windows Server 2008 and domain controllers running Windows Server 2008.
Integrated IPv4 and IPv6 Support
Support for IPsec with IPv6 is identical to support for IPsec with IPv4, which was not the case prior to Windows Vista and Windows Server 2008. IPsec policy rules for both IPv6 and IPv4 are configured in the same way using the same tools, such as the Windows Firewall with Advanced Security console.
Integration with Network Access Protection
You can use NAP (Network Access Protection) to require hosts to perform a second authentication with a health certificate, ensuring that each host meets your organization’s system health requirements.
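The authentication methods listed under Improved IPsec Authentication, the two client-to-DC modes, and the NAP health-certificate requirement all map onto the auth1/auth2 parameters of a connection security rule. The following is an added example, not code from the original post, using netsh advfirewall on Windows Server 2008 from an elevated PowerShell prompt; the domain controller addresses, CA name and rule names are placeholders.

```powershell
# Added example, not code from the original post: authentication choices for
# client-to-domain-controller connection security rules on Windows Server 2008,
# issued with netsh advfirewall from an elevated PowerShell prompt. The DC
# address list and the CA name are placeholders.

$dcs   = '10.0.1.10,10.0.1.11'        # placeholder: domain controller addresses
$hraCa = 'CN=Example NAP Health CA'    # placeholder: CA behind the HRA that issues health certs

# Mode 1 - request but do not require: protects most DC traffic but leaves
# domain joins and older clients able to talk in the clear.
netsh advfirewall consec add rule `
    name="Domain controllers - request IPsec" `
    endpoint1=any endpoint2=$dcs `
    action=requestinrequestout auth1=computerkerb profile=any

# Mode 2 - require IPsec to DCs. Computer Kerberos is not available before the
# machine is joined, so NTLMv2 is accepted as an alternative for the computer
# (auth1) and for the joining user (auth2); the user is prompted for a domain
# account that is allowed to add computer accounts. Created disabled so that
# only one of the DC rules is active at a time.
netsh advfirewall consec add rule `
    name="Domain controllers - require IPsec" enable=no `
    endpoint1=any endpoint2=$dcs `
    action=requireinrequireout `
    auth1=computerkerb,computerntlm `
    auth2=userkerb,userntlm profile=any

# NAP variant - computer authentication with a health certificate issued by
# the HRA's CA; a host that failed the health check has no such certificate
# and cannot negotiate. Both auth1 and auth2 must succeed for the rule to match.
netsh advfirewall consec add rule `
    name="Domain controllers - require health certificate" enable=no `
    endpoint1=any endpoint2=$dcs `
    action=requireinrequireout `
    auth1=computercert auth1ca="$hraCa" auth1healthcert=yes `
    auth2=userkerb profile=any

# Switch modes by enabling exactly one of the rules, e.g.
# netsh advfirewall consec set rule name="Domain controllers - request IPsec" new enable=no
# netsh advfirewall consec set rule name="Domain controllers - require IPsec" new enable=yes

# Check: which authentication method each main mode SA actually used.
netsh advfirewall monitor show mmsa
```

When a required rule is enabled, the `monitor show mmsa` output is where to confirm that non-joined clients are falling back to NTLMv2 rather than failing silently, and that NAP clients present the health certificate rather than a plain computer certificate.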