I see where you're coming from on all points here.  The IPSec isolation
stuff *IS* hard.  And, I really struggled with what to tell Yann on this
one.

OK, OK - I give.  I submit to the wisdom of the 'joe'.

;o>

Rick


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 9:49 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

I actually kind of agree with Yann on this one. 

If you aren't using a service, shut it off. This is good for security,
stability, and resource use. The future use of a service doesn't mean you
should leave it on unless you already have it planned and ready to implement
(i.e. if it were off, you would be in the process of turning it back on at
that point in time). Implementing any ipsec structure is not going to be an
"oh ok, just flip the switch", it will be or should be a seriously
designed/planned project with a good implementation time line. If they
haven't started yet, it isn't going to be done in the near future, at least in my
definition of that time frame in terms of whether or not a service should be
on or off - if it will be months before I need a service, it is going to be
off. Anyway, it is pretty easy to turn this stuff back on again. 

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 06, 2005 12:21 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

Trust me on this....  You're going to WANT IPSec in the near future.  Check
out "Domain Isolation with IPSec" white papers on the Microsoft site.  I
don't have the links available at the moment.

This is important now, and will become even more important when and if you
decide that you have a need for Network Access Protection (NAP).

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 06, 2005 10:43 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

Thanks for your input.

Yes, I'd like to disable services that do not need to run on DC in order to
reduce open ports :-), and I do not need Ipsec service for my DC BUT only
LDAPs.

Regards,

Yann

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 06, 2005 5:24 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP SSL and Ipsec.

There is no dependency between IPSec and the LDAP/S function.  That being
said, is there any reason that you NEED to disable IPSec?  I'd leave it
running - but that's just me.

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 06, 2005 8:40 AM
To: [email protected]
Subject: [ActiveDir] LDAP SSL and Ipsec.

Hello,

I implement LDAPs (SSL) in my Windows 2003 DC. Do I need to enable ipsec
service for LDAPs to function? Is there any dependency between LDAPs and
Ipsec or could I safely disable Ipsec service?

Thank U.

Cheers,

Yann


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
