Showing posts with label IPSEC. Show all posts

Friday, November 16, 2007

Monitoring IPSEC traffic

We were testing something where we enabled IPSEC for port 445 on both server and client, but when browsing shares we were not seeing the secured connection in IP Security Policy Monitor. The reason was NetBIOS. SMB connections were being made on 139 instead of 445. After disabling NetBIOS over TCP/IP, then the secured connections showed up on port 445.

To disable SMB use of the NetBIOS port 139 (forces use of port 445):
On the Start menu, point to Settings, and then click Network and Dial-up Connections.
Right-click the Internet-facing connection, and then click Properties.
Select Internet Protocol (TCP/IP) and click Properties.
Click Advanced and select the WINS tab.
Tick Disable NetBIOS over TCP/IP and click OK.
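As an added example (not code from the original post), the same two steps scripted: disabling NetBIOS over TCP/IP on every adapter, then checking, as IP Security Monitor would, which SMB connections actually have an IPsec SA behind them. It assumes an elevated session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetIPsecQuickModeSA) and that a policy for TCP/445 is already assigned on both hosts.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules)
# and that an IPsec policy covering TCP/445 is already assigned on both hosts.

# Scripted equivalent of the WINS-tab tick-box from the post: disable NetBIOS
# over TCP/IP on every IP-enabled adapter so SMB cannot fall back to port 139.
# SetTcpipNetbios: 0 = use DHCP setting, 1 = enable, 2 = disable.
# ReturnValue 0 = applied, 1 = applied but a reboot is required.
function Disable-NetbiosOverTcpip {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 }
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $result.ReturnValue }
        }
}

# The check the post did by hand in IP Security Monitor: list established SMB
# connections and test whether each peer has an IPsec quick-mode SA.
# A row on port 139 is exactly why a 445-only policy shows nothing, and a
# 445 row with Protected = False is SMB crossing the wire in the clear.
function Get-SmbProtectionReport {
    $saPeers = Get-NetIPsecQuickModeSA | ForEach-Object { $_.RemoteEndpoint }
    Get-NetTCPConnection -State Established |
        Where-Object { $_.LocalPort -in 139, 445 -or $_.RemotePort -in 139, 445 } |
        ForEach-Object {
            # Whichever side holds the SMB port, the other address is the peer.
            $peer = if ($_.LocalPort -in 139, 445) { $_.RemoteAddress } else { $_.LocalAddress }
            $port = if ($_.LocalPort -in 139, 445) { $_.LocalPort } else { $_.RemotePort }
            [pscustomobject]@{
                Peer      = $peer
                SmbPort   = $port
                Protected = ($port -eq 445 -and $peer -in $saPeers)
            }
        }
}

Disable-NetbiosOverTcpip | Format-Table -AutoSize
Get-SmbProtectionReport | Format-Table -AutoSize
```

Run it on both the server and the client; if a reboot is reported, re-run only the report after restarting, then browse a share and confirm every row shows SmbPort 445 and Protected True.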

Thursday, November 01, 2007

IPSEC

Working on IPSEC configuration. I wanted to set an SMB encryption policy using domain policy but I am getting 'access denied' when I get to the edit properties part of the new policy creation.

Here's why (I am not a domain admin):
"To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority." (from: Assign or unassign IPSEC policy in Group Policy)

This can be done through a local GPO, though. But for deployment on multiple systems we will probably need to script it. I will look at netsh for this:

Managing IPSec from the command line

Apply these steps to your file server and to the host computer(s) with which you would like to establish an encrypted SMB session.
Note: You need to test this in a development environment before you deploy it to your production environment.
Open the MMC with 'IP Security Monitor' and 'IP Security Policy Management' (local computer).
