I was hoping someone could help with the following issue. I need to give administrators the ability to administer some Windows 7 desktops. As these desktops could hold sensitive data, the firewall rules have to use IPsec.
I am doing some testing in a lab as follows.
Target and Client PC:
Created a domain isolation GPO and applied it to the client and target PCs.
Target PC:
Added the predefined Allow Remote Administration rule.
Set the 3 rules this creates to "Allow the connection if it is secure" and then "Require the connection to be encrypted".
Selected the Client PC under "Computers that are allowed to connect".
Client PC:
Created an outbound rule that encrypts all traffic going to the target PC.
These rules do not fully work: I can remotely browse the admin shares, but MMC snap-ins fail with an RPC error.
However if I also select the "Allow the computers to dynamically negotiate encryption" option on the RPC and RPC Endpoint Mapper inbound rules it does work.
I would rather not use this option as it allows unencrypted packets to be sent and received, and I can see this being picked up by the pen testers.
Has anyone got this working before?
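As an added illustration (not part of the question above), the same rule set expressed with netsh advfirewall, which makes the difference between "require the connection to be encrypted" (security=authenc) and "allow the computers to dynamically negotiate encryption" (security=authdynenc) explicit, and shows how to confirm from the negotiated security associations that traffic is actually encrypted. The predefined rule names are assumed to be the Windows 7 Remote Administration rules; the client SDDL and target IP are placeholders.

```powershell
# Added example, not the poster's configuration. Run from an elevated prompt.
# Placeholder: SDDL granting the client PC's computer account (use its SID).
$clientSddl = "O:LSD:(A;;CC;;;S-1-5-21-PLACEHOLDER-CLIENTPC)"
$targetIp   = "192.0.2.10"   # placeholder for the target PC

# --- Target PC: the three predefined rules (assumed names) ---
$remoteAdminRules = @(
    "Remote Administration (RPC)",
    "Remote Administration (RPC-EPMAP)",
    "Remote Administration (NP-In)"
)

# Weak setting: authentication required, but encryption is only negotiated,
# so a peer may still establish an unencrypted (ESP-null/AH) association.
foreach ($r in $remoteAdminRules) {
    netsh advfirewall firewall set rule name="$r" dir=in new `
        enable=yes action=allow security=authdynenc rmtcomputergrp="$clientSddl"
}

# Hardened setting: authenticate AND encrypt, no cleartext fallback.
foreach ($r in $remoteAdminRules) {
    netsh advfirewall firewall set rule name="$r" dir=in new `
        enable=yes action=allow security=authenc rmtcomputergrp="$clientSddl"
}

# --- Client PC: outbound rule requiring encryption to the target ---
netsh advfirewall firewall add rule name="Encrypt admin traffic to target" `
    dir=out action=allow remoteip=$targetIp security=authenc

# --- Check: after connecting, inspect the quick-mode SAs on either side.
# An encrypted association lists an ESP confidentiality algorithm (e.g. AES);
# "None" there means traffic to that peer is authenticated but not encrypted.
netsh advfirewall monitor show qmsa
netsh advfirewall firewall show rule name="Remote Administration (RPC)" verbose
```

The last two commands are the evidence to keep for an assessment: the rule's Security field should read as requiring encryption and every quick-mode SA to the client should show an ESP confidentiality algorithm.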