我有几个 Server 2008 R2 域控制器,它们在其下配置了 IPSec当地的组策略。Windows 防火墙或网络 GPO 中不存在这些条目。这些策略陈旧且复杂,阻止我们添加新的 DC。
我希望导出/转储规则,以便简化并在单独的环境中进行测试。我首选的解决方案是在 CMD/PowerShell 中。
答案1
不管它是在本地策略还是组策略中,一旦导入,服务器就会在本地存储中看到它。由于这是带有 POSHv2 的 Server 2008 R2,我们只能使用命令netsh,但是我将输出包装在 PowerShell 中,以创建可以导出到远程计算机进行分析的对象。
$OutFile = "$env:temp\IPsecRules.csv"
$objects = @()
netsh ipsec static show filterlist all level=verbose |
Select-String ':' |
ForEach-Object {
$split = $_.Line.Split(':')
$name = $split[0].Trim()
$value = $split[1].Trim()
switch ($name) {
'Description' {${Description} = $value}
'Store' {${Store} = $value}
'Last Modified' {${Last Modified} = $value}
'GUID' {${GUID} = $value}
'No. of Filters' {${No. of Filters} = $value}
'Mirrored' {${Mirrored} = $value}
'Source IP Address' {${Source IP Address} = $value}
'Source Mask' {${Source Mask} = $value}
'Source DNS Name' {${Source DNS Name} = $value}
'Destination IP Address' {${Destination IP Address} = $value}
'Destination Mask' {${Destination Mask} = $value}
'Destination DNS Name' {${Destination DNS Name} = $value}
'Protocol' {${Protocol} = $value}
'Source Port' {${Source Port} = $value}
'Destination Port' {${Destination Port} = $value}
#'FilterList Name' {${FilterList Name} = $value}
}
If (${Destination Port}) {
$object = New-Object psobject -Property @{
'Description' = ${Description}
'Store' = ${Store}
'Last Modified' = ${Last Modified}
'GUID' = ${GUID}
'No. of Filters' = ${No. of Filters}
#'Description' = ${Description}
'Mirrored' = ${Mirrored}
'Source IP Address' = ${Source IP Address}
'Source Mask' = ${Source Mask}
'Source DNS Name' = ${Source DNS Name}
'Destination IP Address' = ${Destination IP Address}
'Destination Mask' = ${Destination Mask}
'Destination DNS Name' = ${Destination DNS Name}
'Protocol' = ${Protocol}
'Source Port' = ${Source Port}
'Destination Port' = ${Destination Port}
#'FilterList Name' = ${FilterList Name}
}
$objects += $object
${Destination Port} = ""
}
}
$objects | Export-Csv -Path "c:\temp\IPsecRules.csv" -NoTypeInformation -Force
已编辑:重写脚本以提供更多信息。仅需要详细的筛选器列表查询。