Step 2: Deploying and Testing Your Connection Security Rules

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In this step, you deploy and test your domain isolation rule. You link the GPO that contains the rule to the OUs that contain the computer accounts, and then you test connectivity and view the IPsec security associations (SAs) that are created to support the connection.

Start by linking your GPO to the OUs that contain the computers that are to receive the rule.

  1. On MBRSVR1, open the Group Policy Management snap-in.

  2. Right-click MyClientComputers, and then click Link an Existing GPO.

  3. In the Group Policy objects list, select Domain Isolation, and then click OK.

  4. Right-click MyMemberServers, and then click Link an Existing GPO.

  5. In the Group Policy objects list, select Domain Isolation, and then click OK.

    If you browse your OUs, you see a list that resembles the following diagram:


Do not apply the domain isolation GPOs to domain controllers.


In the previous procedure, you did not use WMI or security group filters, because the lab setup used in this guide is simple and because such filters are not relevant to what is being demonstrated here. However, in a production environment, make sure that your GPOs are carefully deployed, using appropriate WMI and security group filters, to only the desired target computers.

Now, make sure that both computers receive and apply the new GPO.

To test the new GPO on your computers

  1. On both MBRSVR1 and CLIENT1, at an Administrator: Command Prompt, run gpupdate /force. Wait until the commands finish.

  2. On CLIENT1, at the command prompt, run telnet mbrsvr1.

    The connection succeeds. Do not end the Telnet session yet.

  3. Open the Windows Firewall with Advanced Security snap-in.

  4. Expand Monitoring, expand Security Associations, and then click Main Mode.

  5. In the Main Mode pane, double-click the security association (SA) that is displayed.

  6. Examine the settings, as shown in the following figure, that the local computer (CLIENT1) negotiated with the remote computer (MBRSVR1). The specific algorithms displayed might vary depending on whether you use Windows 7 or Windows Vista on CLIENT1, and Windows Server 2008 R2 or Windows Server 2008 for MBRSVR1.

  7. Click OK.

  8. In the navigation pane, click Quick Mode, and then double-click the SA that is displayed.

  9. Examine the settings, which show that any traffic between the two computers using any protocol is protected using the Encapsulating Security Payload (ESP) integrity algorithm Secure Hash Algorithm (SHA-1). ESP integrity uses a cryptographically protected checksum to ensure that the packets that are received have not been modified after they are sent. Any packets that fail the integrity tests are silently dropped.


SAs have a limited lifetime. Therefore, if you let the connection sit idle long enough, the SA can expire and be removed from the list. When more network traffic is sent, the SA is automatically renegotiated and reappears in the list.

  10. Type exit at the Telnet prompt to end the Telnet session.
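The verification steps above can also be run from an elevated PowerShell prompt on CLIENT1, which is useful when you want to repeat the check after changing the rule. The following script is an added example and is not part of the original guide; it assumes the lab names used in this guide (the GPO is named Domain Isolation, the remote computer is mbrsvr1, and Telnet on TCP port 23 is the test service) and uses the netsh advfirewall monitor commands that are available on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. It opens a TCP connection to trigger IPsec negotiation and, while the connection is still open, lists the main mode and quick mode SAs instead of reading them from the snap-in.

```powershell
# Added verification script (not from the original guide).
# Assumptions: run on CLIENT1 from an Administrator: PowerShell prompt; the GPO is
# named "Domain Isolation"; MBRSVR1 accepts TCP connections on port 23 (Telnet).
param(
    [string]$RemoteHost = "mbrsvr1",
    [int]$Port = 23,
    [string]$GpoName = "Domain Isolation"
)

# 1. Refresh Group Policy so the newly linked GPO is applied now rather than at the
#    next background refresh.
gpupdate /force | Out-Null

# 2. Confirm that the GPO appears under "Applied Group Policy Objects" for the
#    computer. If it does not, check the OU link, and in production also the WMI
#    and security group filters.
$gpresult = gpresult /r /scope:computer 2>&1 | Out-String
if ($gpresult -match [regex]::Escape($GpoName)) {
    Write-Host "GPO '$GpoName' is applied to this computer."
} else {
    Write-Warning "GPO '$GpoName' is not listed by gpresult; check the OU link and filters."
}

# 3. Show the connection security rules the firewall actually loaded from policy.
netsh advfirewall monitor show consec

# 4. Open a TCP connection to the remote computer. The first packet that matches the
#    domain isolation rule triggers IPsec negotiation: main mode first, then quick mode.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($RemoteHost, $Port)
    Write-Host "TCP connection to ${RemoteHost}:$Port succeeded."

    # 5. While the connection is open, list the SAs that were negotiated.
    #    Main mode shows the authentication method and key exchange settings.
    netsh advfirewall monitor show mmsa
    #    Quick mode shows the per-traffic protection; for the rule in this guide that
    #    is ESP integrity with SHA-1 for all protocols between the two computers.
    netsh advfirewall monitor show qmsa
}
catch {
    Write-Warning "Connection to ${RemoteHost}:$Port failed: $($_.Exception.Message)"
}
finally {
    # Closing the socket does not remove the SAs; they stay listed until their
    # lifetime expires and are renegotiated when traffic is sent again.
    $client.Close()
}
```

Run the script with no arguments to use the lab defaults, or pass -RemoteHost and -Port to test another server or service. If the connection succeeds but the quick mode list is empty, the rule is most likely not applied on one side; compare the output of netsh advfirewall monitor show consec on both computers.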

Next topic: Step 3: Changing the Isolation Rule to Require Authentication