Monday, July 25, 2005

Using IPsec for Domain Isolation

You can use IPsec for domain isolation. You first add this IPsec policy to your default domain group policy:
  • Filter list - use the existing All IP Traffic example filter list
  • Filter action - ESP only, null encryption, SHA-1 integrity; require security; don't communicate with non-IPsec machines
  • Rule - link the list with the action; all interfaces; no tunnel; Kerberos authentication; no default response

You also need to create a rule that exempts your domain controllers, because you need to communicate with them to authenticate and get the Kerberos ticket that's used for all other communications:

  • Filter list - filters with the addresses or address ranges of your domain controllers
  • Filter action - permit
  • Rule - link the list with the action; all interfaces; no tunnel; any authentication method (it doesn't matter because there's no IPsec security association here)

You also need similar exceptions for devices that can't participate in IPsec, such as network printers, computers with older OS that can't run IPsec, and so on.
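The policy the two lists above describe, written out as the netsh ipsec static commands you would type on a Windows XP SP2 / Server 2003 box. This is an added example, not code from the post or the book: the policy, filter list, filter action and rule names, the domain controller addresses (192.0.2.10 and 192.0.2.11, from the documentation range) and the printer address are constructed placeholders, and the commands target the local policy store rather than the domain GPO.

```batch
rem Added example (not from the post or the book). Names and addresses are placeholders.
rem Commands go to the local store; to write the same policy into Active Directory
rem instead, "netsh ipsec static set store location=domain" can be issued first.

rem --- Policy: no default response rule, not assigned until both rules exist ---
netsh ipsec static add policy name="Domain Isolation" description="Require ESP-null/SHA1 between domain members" activatedefaultrule=no assign=no

rem --- Rule 1: All IP Traffic, require security, no fallback to clear text ---
rem Filter list: everything from this host to anywhere, mirrored so replies match too.
netsh ipsec static add filterlist name="All IP Traffic" description="Constructed example list"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

rem Filter action: negotiate ESP with null encryption and SHA-1 integrity.
rem soft=no  -> never fall back to unprotected traffic (require security)
rem inpass=no -> do not accept unsecured inbound packets from non-IPsec hosts
netsh ipsec static add filteraction name="Require ESP-null SHA1" action=negotiate qmsecmethods="ESP[None,SHA1]" soft=no inpass=no

rem Rule: link list and action; conntype=all = all interfaces; no tunnel parameter = transport mode; Kerberos auth.
netsh ipsec static add rule name="Isolate Domain Members" policy="Domain Isolation" filterlist="All IP Traffic" filteraction="Require ESP-null SHA1" conntype=all kerberos=yes

rem --- Rule 2: domain controller exemption (needed to obtain the Kerberos ticket) ---
netsh ipsec static add filterlist name="Domain Controllers" description="Constructed placeholder DC addresses"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=192.0.2.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=192.0.2.11 protocol=any mirrored=yes

rem Filter action: plain permit, so no security association is ever negotiated here.
netsh ipsec static add filteraction name="Permit" action=permit

rem Authentication method is irrelevant for a permit action; kerberos=yes is just a valid value.
netsh ipsec static add rule name="Exempt Domain Controllers" policy="Domain Isolation" filterlist="Domain Controllers" filteraction="Permit" conntype=all kerberos=yes

rem --- Rule 3: same shape for devices that cannot do IPsec (one placeholder printer) ---
netsh ipsec static add filterlist name="IPsec-Incapable Devices" description="Constructed placeholder printer address"
netsh ipsec static add filter filterlist="IPsec-Incapable Devices" srcaddr=me dstaddr=192.0.2.50 protocol=any mirrored=yes
netsh ipsec static add rule name="Exempt IPsec-Incapable Devices" policy="Domain Isolation" filterlist="IPsec-Incapable Devices" filteraction="Permit" conntype=all kerberos=yes

rem Only now assign the policy, so the DC exemption is in place before traffic is required to be secured.
netsh ipsec static set policy name="Domain Isolation" assign=yes

rem Review what was written before trusting it.
netsh ipsec static show all
```

The Windows IPsec driver picks the most specific matching filter, so the single-address permit filters for the domain controllers and the printer take precedence over the catch-all "me to any" filter without any explicit ordering. Assigning the policy last matters: if the isolation rule became active before the DC exemption existed, the machine could not reach a domain controller to obtain the Kerberos ticket that the isolation rule itself requires.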

Notes are taken from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley.
