Step 3: Changing the Isolation Rule to Require Authentication
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
In this step, modify the rule that you created so that authentication is required instead of requested. After you complete this step, clients that cannot authenticate or that do not have a connection security rule to authenticate the traffic, cannot communicate with computers that are domain members.
Warning
In a production environment, only perform this procedure after confirming that all the clients and servers are communicating by using the IPsec settings in the “request” version of the rule. If you change the rule to “require” before confirming that your computers can communicate successfully using its settings then you might unintentionally put your computers in a state where they cannot communicate.
To change the policy from requesting to requiring authentication
On MBRSVR1, switch to the Group Policy Management Editor.
In the results pane, right-click Request Inbound Request Outbound, and then click Properties.
In the Name text box, change the name to Require Inbound Request Outbound to accurately reflect its new behavior.
Click the Authentication tab.
Under Requirements, change Authentication mode to Require inbound and request outbound, and then click OK.
Note
Although using Require inbound and outbound would work for this guide, in a production environment it is usually not practical to require outbound authentication. Domain-member computers often must initiate communications with computers that are not in the domain, such as remote Web sites.
Confirm that the computers can still communicate even though authentication is required.
To test the modified GPO requiring authentication
On both MBRSVR1 and CLIENT1, at an Administrator: Command Prompt, run gpupdate /force.
On CLIENT1, at the command prompt, run telnet mbrsvr1.
The connection succeeds.
Type exit to end the Telnet session.
Next topic: Step 4: Testing Isolation with a Computer That Does Not Have the Domain Isolation Rule