Restricting Server-to-Server Communication


You can also use IPSec to provide server authentication. This is useful when restricting the range of computers that can connect to middle-tier application servers or database servers. IPSec provides three authentication options:

  • Kerberos

    To use Kerberos, the computers must:

    • Be part of the same domain and forest

    • Be within a specific source address range

    • Be within the same subnet

    • Use static IP addresses

  • Pre-shared secret key

    To use pre-shared secret-key-based authentication, the two computers must share an encryption key.

  • Certificate-based authentication

    To use certificate authentication, the two computers must trust a common certificate authority (CA), and the server that performs the authentication must request and install a certificate from the CA.

In this section, you set up IPSec authentication between two servers by using a pre-shared secret key.

Task: To perform server-to-server authentication

  1. Start the Local Security Policy MMC snap-in.

  2. Right-click IPSec Security policies on the local machine, and then click Create IP Security Policy.

  3. Type "MyAuthPolicy" for the name, and then click Next.

  4. Clear the Activate the default response rule check box.

  5. Click Next and then Finish.

    The MyAuthPolicy Properties dialog box is displayed so that you can edit the policy properties.

  6. Click Add, and then click Next three times.

  7. In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key).

  8. Enter a long, random set of characters in the text box, and then click Next.

    You should copy the key to a floppy disk or CD. You need it to configure the communicating server.

  9. In the IP Filter List dialog box, select All IP Traffic, and then click Next.

  10. In the Filter Action dialog box, select Request Security (Optional), and then click Next.

  11. Click Finish.

  12. Test your application to verify the configured policy.
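
The same policy can also be built from the command line. The PowerShell script below is an added example, not part of the original text: it assumes the netsh ipsec static context (Windows Server 2003 and later), and the key file path and the -AllTraffic, -Request and -Rule object names are constructed for illustration.

```powershell
# Added example, not from the book. Scripted equivalent of wizard steps 2-11 using
# netsh ipsec static. Run it on both servers with the same key file.
param(
    [string]$PolicyName = 'MyAuthPolicy',
    [string]$KeyFile = '.\MyAuthPolicy.psk',  # assumed path; keep it on removable media
    [switch]$Apply                            # without -Apply, commands are only listed
)

if (Test-Path $KeyFile) {
    # Second server: reuse the key generated on the first one.
    $psk = (Get-Content $KeyFile -TotalCount 1).Trim()
} else {
    # Step 8: 32 bytes from the system CSPRNG, hex-encoded so the key contains
    # no spaces or quote characters.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })
    Set-Content -Path $KeyFile -Value $psk -Encoding ASCII
}
if ($psk.Length -lt 32) { throw "Key in $KeyFile is too short to be a strong secret." }

# Names ending in -AllTraffic, -Request and -Rule are constructed for this example.
$steps = @(
    # Steps 2-5: new policy, default response rule cleared.
    @('add', 'policy', "name=${PolicyName}", 'activatedefaultrule=no'),
    # Step 9: mirrored filter from this computer to any address, any protocol.
    @('add', 'filterlist', "name=${PolicyName}-AllTraffic"),
    @('add', 'filter', "filterlist=${PolicyName}-AllTraffic", 'srcaddr=me', 'dstaddr=any',
      'protocol=any', 'mirrored=yes'),
    # Step 10: negotiate security, accept unsecured inbound requests, and fall back
    # to clear text when the peer does not answer (soft=yes).
    @('add', 'filteraction', "name=${PolicyName}-Request", 'action=negotiate',
      'inpass=yes', 'soft=yes'),
    # Steps 6-8 and 11: rule that ties the pieces together with the pre-shared key.
    @('add', 'rule', "name=${PolicyName}-Rule", "policy=${PolicyName}",
      "filterlist=${PolicyName}-AllTraffic", "filteraction=${PolicyName}-Request", "psk=$psk")
)

foreach ($step in $steps) {
    # Never echo the key itself.
    Write-Host ('netsh ipsec static ' + (($step -join ' ') -replace 'psk=\S+', 'psk=<hidden>'))
    if ($Apply) {
        & netsh ipsec static @step
        if ($LASTEXITCODE -ne 0) { throw "netsh failed at: $($step[0]) $($step[1])" }
    }
}
```

As in the wizard steps, the policy is created but not assigned; `netsh ipsec static set policy name=MyAuthPolicy assign=yes` activates it. Because `soft=yes` permits fallback to unsecured traffic, this policy requests authentication rather than enforcing it.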




Improving Web Application Security. Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
