Guest Tim
Posted August 27, 2008

I have a bunch of servers in my environment that have IPSec enabled but not configured; some of those servers are having serious performance issues, but if I stop and disable the IPSec service, the performance issues go away. I have read some articles that say that IPSec should only be enabled if it's going to be configured, but I'm not that familiar with IPSec. I have two questions:

1. Is the statement that IPSec should only be enabled if it's going to be configured and used a valid statement?

2. What's the easiest way - besides opening the IPSec Snap-In on every server and checking for policies - to know whether or not a server is actually using IPSec policies?

Thanks in advance for your help!

Guest S. Pidgorny
Posted August 28, 2008

G'day,

The answers: no, and by creating IPsec policy in a GPO applying to all servers.

To elaborate on the answer to #1: doing nothing is a viable and attractive option in your case. Only change defaults if you have good reasons to do so.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp

Tim wrote:
> I have a bunch of servers in my environment that have IPSec enabled but not
> configured; some of those servers are having serious performance issues, but
> if I stop and disable the IPSec service, the performance issues go away. I
> have read some articles that say that IPSec should only be enabled if it's
> going to be configured, but I'm not that familiar with IPSec. I have two
> questions:
>
> 1. Is the statement that IPSec should only be enabled if it's going to be
> configured and used a valid statement?
>
> 2. What's the easiest way - besides opening the IPSec Snap-In on every
> server and checking for policies - to know whether or not a server is
> actually using IPSec policies?
>
> Thanks in advance for your help!

Guest Tim
Posted August 28, 2008

Thanks for responding so quickly, but your answers left me with a few more questions. For example, I'm not sure why I would create an IPSec policy I don't plan to use. Second, how is doing nothing an attractive option when we're taking a performance hit because of it? Also, I've read that IPSec is supposed to be disabled by default; is that not the case and, if it is, shouldn't I disable it until or unless I need it?

I'm not trying to be difficult; I just need to understand this stuff better.

Thanks again.

"S. Pidgorny <MVP>" wrote:
> G'day,
>
> The answers: no, and by creating IPsec policy in a GPO applying to all
> servers.
>
> To elaborate on the answer to #1: doing nothing is a viable and
> attractive option in your case. Only change defaults if you have good
> reasons to do so.
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> http://sl.mvps.org http://msmvps.com/blogs/sp
>
> Tim wrote:
> > I have a bunch of servers in my environment that have IPSec enabled but not
> > configured; some of those servers are having serious performance issues, but
> > if I stop and disable the IPSec service, the performance issues go away. I
> > have read some articles that say that IPSec should only be enabled if it's
> > going to be configured, but I'm not that familiar with IPSec. I have two
> > questions:
> >
> > 1. Is the statement that IPSec should only be enabled if it's going to be
> > configured and used a valid statement?
> >
> > 2. What's the easiest way - besides opening the IPSec Snap-In on every
> > server and checking for policies - to know whether or not a server is
> > actually using IPSec policies?
> >
> > Thanks in advance for your help!