IPSEC: Member to DC isn’t supported, but…
I stumbled across this issue a couple weeks ago, and Steve Riley clarified some of it for me. We have a really, really large project going with some new technology where securing the networks is a priority. We have run into the normal RPC challenges of limited port ranges because the firewall guys don’t want to open thousands of ports.
We also brought up the notion of running IPSec everywhere. I guess I had never realized that member server to DC IPSec is not supported by Microsoft. It is because of an issue with Kerberos: How can you use Kerberos to authenticate for IPsec if the computers haven't yet logged onto the domain? I never knew the official stance on this because I know customers that have implemented this with no problems. I have heard that Vista and the Longhorn Servers might have a fix for this so that it is officially supported, but just something to think about.
Don’t you just hate it when you have those circumstances that Microsoft doesn’t officially support something, but you know it works, and works well? We run into it all the time, and either have to back off into what is supported or sign a custom support agreement with Premier support, which can be a politically charged event.
Oh, and Steve made a good suggestion of forcing RPC authentication since most RPC based attacks are anonymous. Good suggestions, I believe this can be done rather easily with GPO, so we will take a look at it.