views:

292

answers:

2

I want to be able to add or remove IP Security Policies on Windows Server 2003 programmatically with C#.

Normally you'd manipulate these policies manually through the gpedit.msc snap-in (under Windows Settings -> Local Policies -> IP Security Policies on Local Computer). But I need to be able to add IP filter policies through code.

Any ideas on how to do this?

A: 

You could use System.Diagnostics.Process and run "cmd.exe" with the ipsec command as the arguments.

Another resource you can try is Microsoft's website or Google.

Zack
I've already Googled it, and searched StackOverflow.com, and if you read the MS page you link to, you'd see that the IPSecpol.exe (which appears to be a likely candidate for the correct tool) *isn't included in Windows Server 2003*
ZeroBugBounce
A: 

I've been dealing with this issue for about two weeks, and, unfortunately, you have two options, depending on the depth of control you need:

1) Direct manipulation with WMI. Counter-intuitively, this actually exposes LESS control than option #2 (which is what I am doing myself). This is all done through the Win32_NetworkAdapterConfiguration class. Here's a link to the question I asked about this, with my response to it a while later after researching it:

http://stackoverflow.com/questions/1609882/methods-of-programatically-altering-ipsec-rules-with-c

This exposes less functionality because you can only control three things through IPsec for the adapters: TCP ports, UDP ports, IP Protocols. (You cannot deal with multiple policies, different subnet masks, etc.)

2) Wrapping netsh ipsec to do all your dirty work. This is the way to go, as powershell (which can be invoked through the PowerShell class in System.Management.Automation) is currently lacking a cmdlet to do IPSec changes.

http://stackoverflow.com/questions/1703205/is-there-a-cmdlet-in-powershell-2-to-handle-ipsec-changes

Wrapping netsh ipsec THROUGH a powershell pipeline called through System.Management.Automation.PowerShell is what I ended up doing.

Use either System.Diagnostics.Process to spawn and control a shell, or use the PowerShell class as mentioned above. Either should get the job done.

NOTE If you switch to 2008 at some point, note that netsh ipsec is deprecated, and make sure to use netsh advfirewall instead.

Good luck!

asteroid
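Option 2 above (driving `netsh ipsec static` through a `System.Management.Automation.PowerShell` pipeline from C#), as an added example that is not code from either answer. The policy, filter list and filter action names are made up here, and the exact `netsh ipsec static` argument syntax is an assumption to confirm with `netsh ipsec static add ?` on the target host; the code needs a reference to System.Management.Automation.dll.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;   // reference System.Management.Automation.dll (PowerShell 2.0)
using System.Text;

// Added example: wraps "netsh ipsec static" in a PowerShell pipeline, as answer 2 describes.
// Names and netsh argument syntax below are assumptions; verify with "netsh ipsec static add ?".
static class IpsecNetshWrapper
{
    // Runs one netsh command line inside a PowerShell pipeline and returns its text output.
    // netsh reports failures through its exit code, so the script checks $LASTEXITCODE itself.
    static string RunNetsh(string arguments)
    {
        using (PowerShell ps = PowerShell.Create())
        {
            ps.AddScript("& netsh " + arguments +
                         "; if ($LASTEXITCODE -ne 0) { throw \"netsh failed with exit code $LASTEXITCODE\" }");
            Collection<PSObject> output = ps.Invoke();   // a thrown script error surfaces as an exception here

            if (ps.Streams.Error.Count > 0)             // non-terminating errors land in the error stream
                throw new InvalidOperationException(ps.Streams.Error[0].ToString());

            StringBuilder sb = new StringBuilder();
            foreach (PSObject o in output) sb.AppendLine(o.ToString());
            return sb.ToString();
        }
    }

    // Builds and assigns a policy that blocks inbound TCP to one local port from any source:
    // policy -> filter list (what traffic) -> filter action (block) -> rule (ties them together).
    static void BlockInboundTcpPort(int port)
    {
        string p = "Block-TCP-" + port;                                  // constructed policy name
        RunNetsh("ipsec static add policy name=\"" + p + "\" description=\"added by C# wrapper\"");
        RunNetsh("ipsec static add filterlist name=\"" + p + "-filters\"");
        RunNetsh("ipsec static add filter filterlist=\"" + p + "-filters\" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=" + port);
        RunNetsh("ipsec static add filteraction name=\"" + p + "-block\" action=block");
        RunNetsh("ipsec static add rule name=\"" + p + "-rule\" policy=\"" + p + "\" filterlist=\"" + p + "-filters\" filteraction=\"" + p + "-block\"");
        RunNetsh("ipsec static set policy name=\"" + p + "\" assign=y");  // nothing is enforced until assigned
    }

    // Reverses BlockInboundTcpPort: unassign first, then delete the policy and its standalone objects.
    static void RemoveBlockPolicy(int port)
    {
        string p = "Block-TCP-" + port;
        RunNetsh("ipsec static set policy name=\"" + p + "\" assign=n");
        RunNetsh("ipsec static delete policy name=\"" + p + "\"");        // deleting the policy also drops its rules
        RunNetsh("ipsec static delete filterlist name=\"" + p + "-filters\"");
        RunNetsh("ipsec static delete filteraction name=\"" + p + "-block\"");
    }

    static void Main()
    {
        BlockInboundTcpPort(1433);                                        // example: block inbound SQL Server port
        Console.WriteLine(RunNetsh("ipsec static show policy name=\"Block-TCP-1433\""));
        RemoveBlockPolicy(1433);
    }
}
```

The process must run with local administrator rights, and on Server 2008 and later the same wrapper should call `netsh advfirewall` instead, as the answer notes.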