Compartir a través de


Checklist: Configuring Rules for the Boundary Zone

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. The way in which you configure these rules and settings depends on whether the computers to which the GPO applies are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 or an earlier version of the Windows operating system.

Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.

In this topic:

  • Checklist for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

  • Checklist for Windows XP, Windows Server 2003, and Windows 2000

Checklist: Configuring boundary zone rules for computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

A GPO for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in Checklist: Implementing a Domain Isolation Policy Design. After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs.

  Task Reference

Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.

Copy a GPO to Create a New GPO

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Link the GPO to the Domain

Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Add Test Computers to the Membership Group for a Zone

Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.

Verify That Network Traffic Is Authenticated

Checklist: Creating boundary zone rules for computers running Windows XP, Windows Server 2003, or Windows 2000

This checklist assumes that you have already created the IPsec policy for the isolated domain as described in Checklist: Implementing a Domain Isolation Policy Design. The key exchange settings, filter lists, and filter actions that you defined in that section can be reused in the GPO for the boundary zone.

  Task Reference

Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone.

Copy a GPO to Create a New GPO

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Create a new IP Security policy in the GPO to contain the boundary zone settings.

Create a New IP Security Policy in a GPO for Earlier Versions of Windows

Combine the relevant filter lists and filter actions into IPsec rules to implement the boundary zone. For the boundary zone, use the request authentication filter action.

Create IPsec Rules for an Isolated Domain on Earlier Versions of Windows

Assign the boundary zone IPsec policy to your GPO.

Assign an IPsec Policy to a GPO for Earlier Versions of Windows

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Link the GPO to the Domain

Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Add Test Computers to the Membership Group for a Zone

Verify that the IPsec policy is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.

Verify That Network Traffic Is Authenticated

In the boundary zone, do not change the rule to require authentication when you change the GPOs for the other zones.