
Assigning New IPSec Policy to terminal server



Guest SJMP
Posted

When I right click and apply a new IPSec policy in group policy the policy is assigned. Then "to make sure that clients respond to the TS requests for security" I right click the Client (Respond Only) and assign it. But this changes the IPSec policy to NO for "Policy Assigned"; it seems like I cannot have them both assigned. Can someone please explain this to me? I am following KB 816521.

 

Thanks.

Guest Morgan che
Posted

RE: Assigning New IPSec Policy to terminal server

 

Hi,

 

Thanks for posting here.

 

I also built an environment to test the behavior according to KB 816521. As the KB mentioned, the "Create an IPSec filter list to match the Terminal Services packets" and "Create an IPSec policy to enforce IPSec protection, and then enable the policy" steps should be completed on the Terminal server side. The "Enable the Client (respond-only) policy on the Terminal Services clients" action should apply on terminal server clients.

We can create a new OU and put the clients that you want to secure communication with the Terminal server in this OU, then we can define the "Enable the Client (respond-only)" policy and link it to this OU. By doing so, when clients connect to the Terminal server, they will negotiate the encryption method and apply the security configuration we define on the terminal server.

 

Hope this helps. Have a good day!

 

 

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 


Guest SJMP
Posted

RE: Assigning New IPSec Policy to terminal server

 

Morgan,

 

Not sure I follow you. This TS server is going to be assigned to a specific OU created just for TS. Can you elaborate on "link to this OU." This OU is not linked and was not going to be linked. I was going to assign the TS computer object to this OU and give Remote Desktop Users group permissions, while assigning AD users to this group.


Guest Morgan che
Posted

RE: Assigning New IPSec Policy to terminal server

 

Hi,

 

Thanks for the reply.

 

When I said 'link to this OU', I meant exactly 'apply Group Policy to this OU'. I will explain this process in detail.

For the TS server, we can define an OU named TS and put the TS server account into this OU. Then, we can define a group policy according to the steps "Create an IPSec filter list to match the Terminal Services packets" and "Create an IPSec policy to enforce IPSec protection, and then enable the policy" of KB 816521 and apply this GP to the TS OU. Accordingly, we add some AD users into the Remote Desktop Users group to grant them remote access permission.

However, in order to secure the communication between clients and the Terminal server, we have to apply the "Enable the Client (respond-only)" policy for these users as KB 816521 said. Due to the fact that we cannot directly apply a Group Policy to the user accounts, we can simply apply the "Enable the Client (respond-only)" policy to the whole domain or an OU which contains the client computer objects that need to access the terminal server.

After completing the above methods, when users log on to TS, the traffic between clients and TS will be secured.

Hope this helps. If anything is unclear, please post back.

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 


Guest SJMP
Posted

RE: Assigning New IPSec Policy to terminal server

 

Thanks Morgan,

 

So regarding the original question: "'to make sure that clients respond to the TS requests for security' I right click the Client (Respond Only) and assign it. But this changes the IPSec policy to NO for "Policy Assigned" it seems like I cannot have them both assigned"

By enabling Client (respond only) to "yes" this is normal operation for IPSec Policy to change from yes to no?


Guest Morgan che
Posted

RE: Assigning New IPSec Policy to terminal server

 

Hi,

 

Yes, you cannot have them both assigned.

Because "Client (respond only)" should be applied to the TS client, while the others should be applied to the TS server.

 

Hope this helps.

 

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center
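
The split described in the replies above (an enforcing policy on the terminal server, "Client (Respond Only)" on the clients, and only one assigned policy per computer), sketched with `netsh ipsec static` against the local policy store. This is an added example, not part of the posts or of KB 816521. The policy, filter list, filter action and rule names are made up for illustration, TCP 3389 is assumed as the Terminal Services port, and the built-in "Client (Respond Only)" policy is assumed to exist, as on Windows Server 2003 and Windows XP.

```bat
rem === On the terminal server ===
rem All names below are illustrative. TCP 3389 is the assumed Terminal Services port.

rem 1. Create the policy, unassigned for now.
netsh ipsec static add policy name="TS Require IPSec" assign=no

rem 2. Filter list matching inbound Terminal Services packets (any source -> this host:3389).
netsh ipsec static add filterlist name="TS Traffic"
netsh ipsec static add filter filterlist="TS Traffic" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. Filter action that negotiates security and does not fall back to clear text.
netsh ipsec static add filteraction name="TS Negotiate" action=negotiate inpass=no soft=no

rem 4. Rule tying filter list and action together, authenticating with Kerberos.
netsh ipsec static add rule name="TS Rule" policy="TS Require IPSec" filterlist="TS Traffic" filteraction="TS Negotiate" kerberos=yes

rem 5. Assign the policy, then list all policies to confirm which one is assigned.
netsh ipsec static set policy name="TS Require IPSec" assign=y
netsh ipsec static show policy all

rem === On each client computer (not on the server) ===
rem Assign the built-in respond-only policy so the client answers the server's
rem request for security, then confirm the assignment.
netsh ipsec static set policy name="Client (Respond Only)" assign=y
netsh ipsec static show policy all
```

Running the client-side `set policy` command on the server instead would leave "TS Require IPSec" unassigned, since a computer has only one assigned IPSec policy at a time; that is the "Policy Assigned" change from Yes to No described in the original question.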

 


Guest Morgan che
Posted

RE: Assigning New IPSec Policy to terminal server

 

Hi,

 

How are you?

 

I am writing to see if you have any update about this post. If my suggestion is helpful or you have solved this issue, please feel free to let me know.


Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 


Guest SJMP
Posted

RE: Assigning New IPSec Policy to terminal server

 

Morgan,

 

Thanks for the follow up. I am setting up an OU for the TS to reside in. I

have been configuring the group policy for that OU. Once completed I will

move the TS to the OU for the Group Policy settings to be applied. Based on

my previous posts, which setting should be applied in this case?

 

All users will access the new TS via RDC

Guest Morgan che
Posted

RE: Assigning New IPSec Policy to terminal server

 

Hi,

 

As KB 816521 mentioned, the "Create an IPSec filter list to match the
Terminal Services packets" and "Create an IPSec policy to enforce IPSec
protection, and then enable the policy" steps should be completed on the OU
containing the Terminal server.

 

Thanks.

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 


--->> --->> --->> --->have them both assigned. Can someone please explain

this to

--->> me. I

--->> --->> am

--->> --->> --->> --->following KB 816521

--->> --->> --->> --->

--->> --->> --->> --->Thanks.

--->> --->> --->> --->

--->> --->> --->>

--->> --->> --->>

--->> --->> --->

--->> --->>

--->> --->>

--->> --->

--->>

--->>

--->

Guest Morgan che
Posted

RE: Assigning New IPSec Policy to terminal server

 

 

Hi,

 

How are you?

 

I am writing to see if you have any update about this post. If my

suggestion is helpful or you have solved this issue, please feel free to let

me know.

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

--------------------

--->From: SJMP <sjmp@newsgroup.nospam>

--->Subject: RE: Assigning New IPSec Policy to terminal server

--->Date: Thu, 5 Jun 2008 05:02:00 -0700

--->

--->Morgan,

--->

--->Thanks for the follow up. I am setting up an OU for the TS to reside in. I

--->have been configuring the group policy for that OU. Once completed I will

--->move the TS to the OU for the Group Policy settings to be applied. Based on

--->my previous posts, which setting should be applied in this case?

--->

--->All users will access the new TS via RDC

--->

