IPSec on Domain Controllers and Trusted Domains

Tags: ipsec, windows-server-2012-r2

I am looking at configuring IPSec as follows:

  • Isolation
  • Request authentication for inbound and outbound connections
  • Computer and user (Kerberos V5)

I am looking to do a blanket deployment across all servers and domain controllers.
Workstations I will leave as not set.

What impact do you think I would see on the domain controllers with the two-way forest trust?

Should I exclude the IP addresses of the trusted domain controllers?

I don't want to stop communication between the current and trusted forest; however, I do want IPsec to be used within the current forest on all servers.

The trusted forest is running 2008 R2 and the current forest is 2012 R2.

Best Answer

I have now implemented the new 2012 R2 domain and set up the trust with the old 2008 R2 forest.

I had no issues. I am now putting this in as a standard for all other domains that I manage, as it caused me no headaches with applications breaking etc.

I simply decided to set up the IPsec on the 'Default Domain Policy' GPO as:

  • Isolation
  • Request authentication for inbound and outbound connections
  • Computer and user (Kerberos V5)

I then also set up an additional rule in the 'Default Domain Policy' that excluded the domain controllers, as not excluding them caused login problems and issues, as expected.

The trust worked fine in this configuration and the domain is now isolated on all devices except when communicating with a domain controller (DC).

As most traffic is encrypted when communicating with a DC this was not an issue for me.

I hope this helps someone understand the impact of rolling this out. I have chosen to use request as it has the least impact and was the easiest to roll out.
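The configuration described in the question and implemented in the answer (an isolation rule that requests Kerberos computer and user authentication in both directions, plus an exemption for the domain controllers) written into a GPO with the Windows NetSecurity cmdlets. This is an added example, not code from the original thread. The domain name, GPO name and DC addresses are placeholders; the DC list is assumed to cover the domain controllers of both the current forest and the trusted forest, and an IPsec rule with inbound and outbound security set to None is assumed to be what the Windows Firewall with Advanced Security console calls an authentication exemption rule.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on a domain member that has the Group Policy management tools installed.

$Domain  = 'corp.example.com'          # assumed placeholder
$GpoName = 'Default Domain Policy'     # the GPO the answer used

# Assumed placeholder addresses: DCs of the current forest and of the trusted
# forest. In a real deployment take them from Get-ADDomainController -Filter *
# run against each forest.
$DcAddresses = @('10.0.0.10', '10.0.0.11', '10.20.0.10', '10.20.0.11')

# One edit session against the GPO so every rule is saved in a single write.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# "Computer and user (Kerberos V5)" in the wizard means: Phase 1 (main mode)
# authenticates the computer with Kerberos, Phase 2 (extended mode)
# authenticates the user with Kerberos.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -Name 'P1-ComputerKerberos' `
    -DisplayName 'Phase 1 - Computer (Kerberos V5)' `
    -Proposal $p1Proposal -GPOSession $gpo | Out-Null

$p2Proposal = New-NetIPsecAuthProposal -User -Kerberos
New-NetIPsecPhase2AuthSet -Name 'P2-UserKerberos' `
    -DisplayName 'Phase 2 - User (Kerberos V5)' `
    -Proposal $p2Proposal -GPOSession $gpo | Out-Null

# Exemption for the domain controllers: no authentication is attempted in
# either direction for these peers, so logon traffic to a DC is never held up
# by an IKE negotiation. (Assumption: None/None is the cmdlet form of the
# console's "authentication exemption" rule; check the rule type in the
# console after saving.)
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
    -RemoteAddress $DcAddresses `
    -InboundSecurity None -OutboundSecurity None `
    -Profile Any -GPOSession $gpo | Out-Null

# Isolation rule: request (do not require) authentication for inbound and
# outbound connections, using the two auth sets created above.
New-NetIPsecRule -DisplayName 'Isolation - request computer and user Kerberos' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet 'P1-ComputerKerberos' -Phase2AuthSet 'P2-UserKerberos' `
    -Profile Any -GPOSession $gpo | Out-Null

Save-NetGPO -GPOSession $gpo

# Verification, on a member server after the policy has applied (gpupdate /force):
# with Request mode a peer that never answers IKE is simply talked to in clear,
# so the only way to know IPsec is actually in use is to look for live SAs.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA    # one entry per authenticated peer; empty means cleartext only
Get-NetIPsecQuickModeSA   # the per-flow SAs that carry the protected traffic
```

Because both sides of the isolation rule are set to Request, a server that reaches a workstation (left "not set"), a non-Windows host, or a DC in the exempted list just falls back to unprotected traffic, which is why the answer saw no application breakage; the SA listing at the end is the check that server-to-server traffic is really being protected rather than silently falling back. To keep workstations out of scope entirely, swap $GpoName for a dedicated GPO linked only to the server and DC OUs instead of writing into the Default Domain Policy.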