Create a New IP Security Policy in a GPO for Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Computers running Windows Server 2003, Windows XP, and Windows 2000 use an IPsec policy, which is a collection of filter lists and filter actions, combined with authentication settings. Only one policy can be active on a computer at a time. A policy consists of a collection of rules. A rule consists of an IPsec filter list, a filter action, and if required by the filter action, a list of authentication methods. Inbound and outbound network packets are compared to the criteria in the filter lists. If a packet matches the criteria, then the associated filter action is applied. Filter actions can allow or block the packet, or require that the packet is authenticated and, optionally, encrypted.
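The policy structure described above, sketched as a small model (an added example, not Microsoft's code or the Windows implementation). The class names, the sample policy, matching on destination only, and checking rules in listed order are assumptions of this sketch; the page does not describe match ordering.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

class Action(Enum):
    PERMIT = "permit"
    BLOCK = "block"
    REQUIRE_AUTH = "authenticate"
    REQUIRE_AUTH_ENCRYPT = "authenticate+encrypt"

NEGOTIATED = {Action.REQUIRE_AUTH, Action.REQUIRE_AUTH_ENCRYPT}

@dataclass(frozen=True)
class Filter:
    dst: str = "0.0.0.0/0"          # destination network; default matches any address
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port

    def matches(self, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(dst) in ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))

@dataclass
class Rule:
    name: str
    filter_list: list
    action: Action
    auth_methods: list = field(default_factory=list)

    def __post_init__(self):
        # Authentication methods are required only when the filter action asks for them.
        if self.action in NEGOTIATED and not self.auth_methods:
            raise ValueError(f"rule {self.name!r}: action needs an authentication method")

@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, dst: str, proto: str, dport: int):
        """Return (rule name, action) for the first rule whose filter list matches."""
        for rule in self.rules:     # listed order: a simplification of this sketch
            if any(f.matches(dst, proto, dport) for f in rule.filter_list):
                return rule.name, rule.action
        return None                 # no rule in this policy covers the packet

# Constructed sample policy; names, addresses and methods are illustrative only.
DEMO = Policy("Domain Isolation (example)", [
    Rule("Block Telnet", [Filter(proto="tcp", dport=23)], Action.BLOCK),
    Rule("Secure file servers", [Filter(dst="10.0.5.0/24", proto="tcp", dport=445)],
         Action.REQUIRE_AUTH_ENCRYPT, ["Kerberos V5"]),
    Rule("Allow ICMP", [Filter(proto="icmp")], Action.PERMIT),
])
```

Calling `DEMO.evaluate("10.0.5.20", "tcp", 445)` returns the "Secure file servers" rule with its authenticate-and-encrypt action, while a packet that no filter list covers returns `None`.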

In this procedure, you create the IPsec policy to contain the IPsec rules you define.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To create a new IPsec policy in a GPO

  1. Open the Group Policy Management Console to IP Security Policies.

  2. Click Action, and then click Create IP Security Policy.

  3. On the Welcome page of the wizard, click Next.

  4. On the IP Security Policy Name page, type a name for your IPsec policy, type a description for the policy, and then click Next.

  5. On the Requests for Secure Communication page, clear the Activate the default response rule option, and then click Next.

  6. On the Completing the IP Security Policy Wizard page, clear the Edit properties option, click Finish, and then click OK. You will modify the policy’s properties later.

    Your new policy appears in the list in the details pane.

  7. If you want this IPsec policy to be the active one for the GPO, right-click the policy, and then click Assign.
