Microsoft KB Archive/925631

= How to configure remote IPsec management and remote IPsec monitoring from Windows Server 2003-based and Windows XP Professional-based computers =

Article ID: 925631

Article Last Modified on 10/24/2006


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows XP Professional




SUMMARY


Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article describes how to configure Microsoft Windows Server 2003-based and Microsoft Windows XP Professional-based computers to manage Internet Protocol security (IPsec) policies and to monitor IPsec activity for remote computers.

On Windows Server 2003-based and on Windows XP Professional-based computers, you can use the IP Security Policy Management Microsoft Management Console (MMC) snap-in to remotely manage IPsec policies. Additionally, you can use the IP Security Monitor MMC snap-in to remotely monitor IPsec activity.

On Windows Server 2003-based computers, you can also use the Netsh command-line utility to remotely manage IPsec policies and to remotely monitor IPsec activity.

Note Windows XP does not have an IPsec context for the Netsh command. Therefore, the Netsh command cannot be used to configure IPsec on Windows XP-based computers.



MORE INFORMATION
To manage an IPsec policy on a remote Windows Server 2003-based or Windows XP SP2-based computer, both of the following conditions must be true:
 * You must be an administrator on the remote computer.
 * Remote management must be enabled on the remote computer.

Add yourself as an administrator on the remote computer

 * 1) On the remote computer that you want to remotely manage or monitor, click Start, click Run, type compmgmt.msc, and then click OK.
 * 2) In the Computer Management Microsoft Management Console (MMC) snap-in, expand Local Users and Groups, and then click Groups.
 * 3) Double-click Administrators.
 * 4) In the Properties dialog box, click Add.
 * 5) In the Enter the object names to select area, type the name of the user account that you want to add as an administrator for this computer.
 * 6) Click Check Names, and then click OK two times.

Enable remote management on the remote computer
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
 * 1) On the computer that you want to remotely manage or monitor, click Start, click Run, type regedit, and then click OK.
 * 2) Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
 * 3) On the Edit menu, point to New, and then click DWORD Value.
 * 4) Type EnableRemoteMgmt, and then press ENTER.
 * 5) Right-click the EnableRemoteMgmt entry, and then click Modify.
 * 6) In the Value data box, type 1, and then click OK.
 * 7) Exit Registry Editor.
 * 8) Restart the computer.
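
The same registry change can be scripted with reg.exe instead of Registry Editor. The batch file below is an added example, not part of the original article; it is meant to be run from an administrator account on the computer that will be managed remotely, and the backup file name is an assumption.

```batch
@echo off
rem Added example (not from the KB article): sets EnableRemoteMgmt with reg.exe.
rem Run locally, as an administrator, on the computer to be managed remotely.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent"
rem Backup file name is an assumption; choose any location you can restore from.
set "BACKUP=%TEMP%\PolicyAgent-before-EnableRemoteMgmt.reg"

rem Do not overwrite an earlier backup of the key.
if exist "%BACKUP%" (
    echo Backup file already exists: %BACKUP%
    echo Move or rename it, then run this script again.
    exit /b 1
)

rem Back up the PolicyAgent key before changing it.
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed. No change was made.
    exit /b 1
)

rem Steps 3 to 6: create the DWORD value EnableRemoteMgmt and set it to 1.
reg add "%KEY%" /v EnableRemoteMgmt /t REG_DWORD /d 1 /f
if errorlevel 1 (
    echo Could not write EnableRemoteMgmt. Check that you are an administrator.
    exit /b 1
)

rem Show the stored value so that it can be checked.
reg query "%KEY%" /v EnableRemoteMgmt

echo Key backed up to %BACKUP%
echo Restart the computer to complete the procedure (step 8).
```

To undo the change, set the value back with `/d 0` or import the backup file with `reg import`, and then restart the computer.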

Configure the IP Security Policy Management MMC snap-in to manage IPsec policies for remote computers

 * 1) On the computer that you are using to manage IPsec policies for remote computers, click Start, click Run, type mmc, and then click OK.
 * 2) On the File menu, click Add/Remove Snap-in.
 * 3) In the Add/Remove Snap-in dialog box, click Add.
 * 4) In the Available Standalone Snap-ins dialog box, click IP Security Policy Management, and then click Add.
 * 5) In the Select which computer or domain this snap-in will manage dialog box, click Another computer, type the name or the IP address of the remote computer that you want to manage, and then click Finish.
 * 6) Click Close, and then click OK.

Configure the IP Security Monitor MMC snap-in to monitor IPsec activity for remote computers

 * 1) On the computer that you are using to monitor IPsec activity for remote computers, click Start, click Run, type mmc, and then click OK.
 * 2) On the File menu, click Add/Remove Snap-in.
 * 3) In the Add/Remove Snap-in dialog box, click Add.
 * 4) In the Available Standalone Snap-ins dialog box, click IP Security Monitor, and then click Add.
 * 5) Click Close, and then click OK.
 * 6) In MMC, right-click IP Security Monitor, and then click Add Computer.
 * 7) In the Add Computer dialog box, click The following computer, type the name or the IP address of the remote computer that you want to manage, and then click OK.

Use the Netsh command-line utility to remotely manage IPsec policies and to remotely monitor IPsec activity
On a Windows Server 2003-based computer, you can use the Netsh command-line utility to remotely manage IPsec policies and to remotely monitor IPsec activity. To do this, follow these steps:
 * 1) On the computer that you are using to remotely manage IPsec policies and to remotely monitor IPsec activity, click Start, click Run, type cmd, and then click OK.
 * 2) At the command prompt, type the following command, and then press ENTER:

Netsh -c ipsec -r RemoteMachine [Command | -f ScriptFile]
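
As an added example that is not part of the original article, the batch file below runs that Netsh command against several remote computers from a Windows Server 2003-based management computer and saves the output for review. In Netsh, -r names the remote computer and is followed by the command to run; the host names and the output folder here are placeholders, and each remote computer must already meet the two conditions described earlier.

```batch
@echo off
rem Added example (not from the KB article). Run on the Windows Server 2003-based
rem computer that is used for remote IPsec management and monitoring.
setlocal
rem Output folder is an assumption.
set "OUTDIR=%TEMP%\ipsec-remote-review"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem REMOTE-HOST-1 and REMOTE-HOST-2 are placeholder names; replace them with the
rem names or IP addresses of the remote computers.
for %%H in (REMOTE-HOST-1 REMOTE-HOST-2) do (
    echo Querying %%H
    rem Management view: the IPsec policies defined on the remote computer.
    netsh -c ipsec -r %%H static show all > "%OUTDIR%\%%H-static.txt" 2>&1
    rem Monitoring view: the IPsec activity currently in effect on the remote computer.
    netsh -c ipsec -r %%H dynamic show all > "%OUTDIR%\%%H-dynamic.txt" 2>&1
)

echo Results are in %OUTDIR%
echo A file that contains only an error message usually means that the account is
echo not an administrator on that computer or that EnableRemoteMgmt is not set to 1.
```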



For more information about how to use the Netsh command-line utility, visit the following Microsoft Web site:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netsh.mspx

For more information about how to use the Netsh command-line utility for IPsec, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/c3ae0d03-f18f-40ac-ad33-c0d443d5ed901033.mspx?mfr=true

Keywords: kbhowto kbinfo kbipsec kbnetwork KB925631


© Microsoft Corporation. All rights reserved.