Test Lab Guide: Deploy Windows Firewall with Advanced Security to Protect Network Communication to a Domain Controller

Applies To: Windows 7, Windows Server 2008 R2

Introduction

Windows Firewall with Advanced Security (WFAS) combines a host-based firewall and an Internet Engineering Task Force (IETF)-compliant implementation of Internet Protocol security (IPsec).

As a host-based firewall, WFAS runs on each computer that is running Windows Vista® or a later version of Windows to provide local protection from network attacks that might pass through your perimeter network firewall or originate from inside your organization.

WFAS also provides IPsec-based computer-to-computer connection security which lets you protect the network data by setting rules that require authentication, integrity checking, or encryption when your computers exchange data. WFAS works with both Internet Protocol version 4 (IPv4) and IPv6 traffic.

In a typical deployment, WFAS connection security rules are configured to use IPsec network authentication and/or encryption between domain members, or between domain members and computers outside the domain. Domain controllers are typically excluded from the IPsec requirements because of the complex rules required to allow new clients to join the domain. This test lab shows you how to include a domain controller in an IPsec environment so that:

  • New clients can join the domain

  • Network traffic between domain members and a domain controller is authenticated and optionally encrypted using WFAS connection security rules.

In this guide

Tip

This Test Lab Guide is also available as a downloadable Word .docx file in the Microsoft Download Center at https://go.microsoft.com/fwlink/?LinkId=211693.

This guide contains instructions for setting up a test lab based on the Base Configuration test lab and deploying WFAS connection security rules using two server computers and one client computer. The resulting WFAS Protected Domain Controller test lab demonstrates protecting network traffic between domain members (a client computer and a member server) and a domain controller computer.

Important

The following instructions are for configuring a WFAS Protected Domain Controller test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Attempting to adapt this WFAS Protected Domain Controller test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation for your pilot or production WFAS deployment, use the information in the Windows Firewall with Advanced Security Design Guide at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=209621) and the Windows Firewall with Advanced Security Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=209622) for planning and design decisions and the steps to properly configure Windows Firewall with Advanced Security and supporting infrastructure servers.

Test lab overview

In this test lab, WFAS is deployed with:

  • One computer running Windows Server 2008 R2 Enterprise Edition named DC1 that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).

  • One intranet member server running Windows Server 2008 R2 Enterprise Edition named APP1 that is configured as a general application server.

  • One roaming member client computer running Windows 7 Ultimate Edition named CLIENT1.

The WFAS Protected Domain Controller test lab consists of one subnet that simulates the following:

  • An intranet named Corpnet (10.0.0.0/24).

Computers on the subnet connect using a hub or switch.

When the WFAS Protected Domain Controller test lab is complete, it demonstrates a client domain member and a member server using WFAS connection security rules to protect the network communication to the domain controller.

Hardware and software requirements

The following are required components of the test lab:

  • The product disc or files for Windows Server 2008 R2.

  • The product disc or files for Windows 7.

  • Two computers that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise Edition.

  • One computer that meets the minimum hardware requirements for Windows 7 Ultimate Edition.

Steps for Configuring the WFAS Test Lab

There are six steps to follow when setting up a WFAS Protected Domain Controller test lab based on the Base Configuration test lab (https://go.microsoft.com/fwlink/?LinkId=198140).

  1. Set up the Base Configuration test lab.

    The WFAS test lab requires the Base Configuration as its starting point.

  2. Configure DC1.

    DC1 is already configured as a domain controller with Active Directory, the DNS and DHCP server for the intranet subnet, and the enterprise root CA for the domain. For the WFAS Protected Domain Controller test lab, DC1 must be configured with:

    1. WFAS connection security rules for the domain controller.

    2. A group policy for WFAS connection security rules on client and member server computers.

    3. A WMI filter for the group policy which applies the policy only to Windows client and member server computers.

    4. A registry key that controls the TCP ports used by Remote Procedure Call (RPC) dynamic port allocation.

  3. Configure CLIENT1.

    CLIENT1 is a client computer running Windows 7 Enterprise or Ultimate. For the WFAS Protected Domain Controller test lab, CLIENT1 begins as a workgroup member rather than a domain member.

  4. Configure APP1.

    APP1 is a member server (not a domain controller) that is a general application server and Web server. For the WFAS Protected Domain Controller test lab, APP1 begins as a workgroup member rather than a domain member.

  5. Verify connection security rules on CLIENT1.

  6. Verify connection security rules on APP1.

Note

You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

This guide provides steps for configuring the computers of the WFAS Protected Domain Controller test lab, configuring WFAS, and demonstrating protected network communication between a domain controller and domain members. The following sections provide details about how to perform these tasks.

Step 1: Set up the Base Configuration Test Lab

Set up the Base Configuration test lab for the Corpnet subnet using the procedures in the “Steps for Configuring the Corpnet Subnet” section of the Test Lab Guide: Base Configuration (https://go.microsoft.com/fwlink/?LinkId=198140).

Step 2: Configure DC1

DC1 configuration for the WFAS Protected Domain Controller test lab consists of the following procedures:

  • Configure WFAS.

  • Create the Client and Member Server WFAS group policy.

  • Create the Client and Member Servers Only WMI filter.

  • Add the RPC Internet registry key.

The following sections explain these procedures in detail.

Configure WFAS

Connection security rules on the domain controller protect network communication to and from the domain controller using IPsec. Some rules will be configured to request a secure connection (rather than require it) so that computers that are not members of the domain can still join the domain: a workgroup computer does not yet hold a computer certificate from corp-DC1-CA, so it cannot satisfy a rule that requires authentication, and the request-only rules cover just the ports a domain join needs.

To create the Require In/Request Out connection security rule

  1. Log on to DC1 as Administrator.

  2. Open Windows Firewall with Advanced Security.

    Click Start, Administrative Tools, Windows Firewall with Advanced Security.

  3. Click Connection Security Rules in the left pane.

  4. Right-click in the middle pane under Connection Security Rules and click New Rule.

  5. Click Custom, and then click Next.

  6. Leave Endpoint 1 and Endpoint 2 at the default Any IP address and click Next.

  7. Click Require authentication for inbound connections and request authentication for outbound connections and click Next.

  8. Click Advanced, and then click Customize.

  9. Under First authentication, click Add.

  10. Click Computer certificate from this certification authority (CA) and then click Browse.

  11. Click corp-DC1-CA and click OK.

  12. Click OK to close the Add First Authentication Method dialog box.

  13. Under Second authentication, click Add.

  14. Click User (NTLMv2) and click OK.

  15. Click Second authentication is optional and click OK to complete the Customize Advanced Authentication Methods dialog, and then click Next.

  16. Leave the Protocol type at the default Any and click Next.

  17. Leave all three profiles checked and click Next.

  18. In the Name text box type Require In/Request Out All and click Finish.

To create the Request Inbound and Outbound connection security rules

  1. Right-click in the middle pane under Connection Security Rules and click New Rule.

  2. Click Custom, and then click Next.

  3. Leave Endpoint 1 and Endpoint 2 at the default Any IP address and click Next.

  4. Leave the default Request authentication for inbound connections and outbound connections and click Next.

  5. Click Advanced, and then click Customize.

  6. Under First authentication, click Add.

  7. Click Computer certificate from this certification authority (CA) and then click Browse.

  8. Click corp-DC1-CA and click OK.

  9. Click OK to close the Add First Authentication Method dialog box.

  10. Under Second authentication, click Add.

  11. Click User (NTLMv2) and click OK.

  12. Click Second authentication is optional and click OK to complete the Customize Advanced Authentication Methods dialog, and then click Next.

  13. On the Protocol type drop-down list, select TCP. Leave the default All Ports Endpoint 1 port, and for Endpoint 2 port select Specific Ports and type 135, 389, 445, 53, 5355, 88, 5000, 5001, 5002, 5003, 5004, 5005, 5006, 5007, 5008, 5009, 5010 in the text box and click Next.

  14. Leave all three profiles checked and click Next.

  15. In the Name text box type Request TCP Ports and click Finish.

Repeat the previous procedure to create another rule for the following UDP ports:

Protocol   Endpoint 2 ports               Name
UDP        135, 389, 445, 53, 5355, 88    Request UDP Ports

To change WFAS properties

  1. In the left pane, right-click Windows Firewall with Advanced Security on Local Computer and click Properties.

  2. Click the IPsec Settings tab.

  3. In the IPsec exemptions section, select Yes from the Exempt ICMP from IPsec drop-down list and click OK.

Create a group policy object for the domain members

Next, you will create a group policy object to configure WFAS on the domain members.

To create the client and member server computer group policy object

  1. Log on to DC1 as Administrator.

  2. Click Start, select Administrative Tools, and click Group Policy Management.

  3. In the left pane, expand the forest, expand domains, then right-click corp.contoso.com and click Create a GPO in this domain, and Link it here.

  4. In the Name text box, type Client and Member Server WFAS, and click OK.

  5. Right-click the Client and Member Server WFAS group policy object and click Edit.

  6. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then expand Windows Firewall with Advanced Security – LDAP… .

  7. Click Connection Security Rules, then right-click it and select New Rule.

  8. Create three corresponding rules, following the same procedures that you used to create the rules on the server. Use the following table for guidance:

Authentication                         Protocol   Endpoint 2 ports                                                                          Name
Require inbound and request outbound   Any        All ports                                                                                 GP Require In/Request Out
Request inbound and outbound           TCP        135, 389, 445, 53, 5355, 88, 5000, 5001, 5002, 5003, 5004, 5005, 5006, 5007, 5008, 5009, 5010   GP Request TCP Ports
Request inbound and outbound           UDP        135, 389, 445, 53, 5355, 88                                                               GP Request UDP Ports

To change WFAS properties

  1. In Group Policy Management Editor, right-click Windows Firewall with Advanced Security – LDAP… and click Properties.

  2. Click the IPsec Settings tab.

  3. In the IPsec exemptions section, select Yes from the Exempt ICMP from IPsec drop-down list and click OK.
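The same rules and the ICMP exemption can be created from a command prompt with netsh advfirewall, the command-line interface to WFAS on Windows 7 and Windows Server 2008 R2. The script below is an added example and is not part of this Test Lab Guide; it reproduces both the local rules on DC1 (the "Configure WFAS" procedure) and the three GP rules in the Client and Member Server WFAS GPO (the table above), so the two procedures share one function. Two things in it are assumptions rather than facts from the guide: the subject name of the enterprise CA certificate is taken to be the Base Configuration default (CN=corp-DC1-CA,DC=corp,DC=contoso,DC=com), written root-component-first as netsh expects, and the GPO store path and the comma-separated exemption list follow the netsh help text; check both against netsh advfirewall set store help and netsh advfirewall set global help on your DC1 before running it.

```powershell
# Added example (not part of the original TLG): creates the three connection
# security rules and the ICMP exemption with netsh advfirewall, first in the
# local policy of DC1 and then in the "Client and Member Server WFAS" GPO.
# Assumptions (not stated in the guide): the CA certificate subject is
# CN=corp-DC1-CA,DC=corp,DC=contoso,DC=com, written root-first for netsh; the
# "gpo=<domain>\<GPO name>" store form and the comma-separated exemption list
# are as described in the netsh help. Run on DC1 as Administrator.

# Subject name of the issuing CA, root component first.
$CaName = "DC=com,DC=contoso,DC=corp,CN=corp-DC1-CA"

# Ports a workgroup computer must reach on the DC before it has a certificate:
# RPC endpoint mapper, LDAP, SMB, DNS, LLMNR, Kerberos, plus the RPC dynamic
# range that the RPC\Internet registry key pins to 5000-5010.
$TcpPorts = "135,389,445,53,5355,88,5000-5010"
$UdpPorts = "135,389,445,53,5355,88"

function Add-WfasRules {
    param(
        # "" for the local store on DC1, "GP " for the rules inside the GPO.
        [string]$Prefix = ""
    )
    # Rule 1: require authentication inbound, request it outbound, all traffic.
    # auth1 = computer certificate from the CA; auth2 = user NTLMv2, and
    # "anonymous" in the auth2 list is "Second authentication is optional".
    netsh advfirewall consec add rule `
        name="$($Prefix)Require In/Request Out All" `
        endpoint1=any endpoint2=any `
        action=requireinrequestout `
        auth1=computercert auth1ca="$CaName" `
        auth2=userntlm,anonymous

    # Rule 2: only request authentication on the TCP ports a domain join needs.
    netsh advfirewall consec add rule `
        name="$($Prefix)Request TCP Ports" `
        endpoint1=any endpoint2=any `
        action=requestinrequestout `
        protocol=tcp port1=any port2=$TcpPorts `
        auth1=computercert auth1ca="$CaName" `
        auth2=userntlm,anonymous

    # Rule 3: the same for UDP.
    netsh advfirewall consec add rule `
        name="$($Prefix)Request UDP Ports" `
        endpoint1=any endpoint2=any `
        action=requestinrequestout `
        protocol=udp port1=any port2=$UdpPorts `
        auth1=computercert auth1ca="$CaName" `
        auth2=userntlm,anonymous

    # "Exempt ICMP from IPsec": keep the default DHCP and neighbor discovery
    # exemptions and add ICMP, so ping works without a security association.
    netsh advfirewall set global ipsec defaultexemptions neighbordiscovery,dhcp,icmp
}

# 1. Local policy on DC1 ("Configure WFAS").
netsh advfirewall set store local
Add-WfasRules

# 2. The GPO created in "Create a group policy object for the domain members";
#    the GPO must already exist. (Store path form assumed from the netsh help.)
netsh advfirewall set store gpo="corp.contoso.com\Client and Member Server WFAS"
Add-WfasRules -Prefix "GP "
netsh advfirewall set store local

# Check: all three rules and their authentication methods are listed.
netsh advfirewall consec show rule name=all verbose
```

Whichever way the rules are created, the settings that matter for the domain-join case are the same: the port-scoped rules are request-only in both directions, and only the first authentication method (the computer certificate) is mandatory.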

Create the Client Computers and Member Servers Only WMI filter

Next, you will create a WMI filter for the Client and Member Server WFAS GPO so that the GPO only applies to client or member server computers.

To create the WMI filter

  1. In Group Policy Management, expand corp.contoso.com (if necessary), right-click WMI Filters and click New.

  2. In the Name text box, type Client and Member Servers Only.

  3. Click Add, and in the Queries text box type:

    Select * from Win32_OperatingSystem where ProductType = "1" or ProductType = "3"

Note

For more information about the WMI Query Language (WQL) see Querying with WQL at the Microsoft web site (https://go.microsoft.com/fwlink/?LinkId=211674).

  4. Click OK, and then click Save.

  5. In the left pane, click the Client and Member Server WFAS GPO. In the right pane, scroll down to the WMI Filtering section, and select the Client and Member Servers Only filter from the drop-down list and then click Yes to change the filter.
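Group Policy treats a WMI filter as true when its query returns at least one instance, so the filter can be tested on any computer by running the same query locally. The script below is an added example, not part of this Test Lab Guide: run on DC1 it reports that the GPO is filtered out (ProductType 2 is a domain controller), and run on CLIENT1 or APP1 after they join the domain it reports that the GPO applies (ProductType 1 is a workstation, 3 is a server that is not a domain controller).

```powershell
# Added example (not part of the original TLG): evaluates the WMI filter query
# locally, exactly as Group Policy does, and then shows the resulting GPO
# processing with gpresult. Works with PowerShell 2.0 on Windows 7 / 2008 R2.

# The query typed into the Client and Member Servers Only filter.
$FilterQuery = 'Select * from Win32_OperatingSystem where ProductType = "1" or ProductType = "3"'

function Test-WmiFilterMatch {
    param([string]$Query = $FilterQuery)
    # Group Policy applies the GPO when the query returns at least one instance.
    $instances = @(Get-WmiObject -Query $Query)
    return ($instances.Count -gt 0)
}

$os = Get-WmiObject Win32_OperatingSystem
$role = switch ($os.ProductType) {
    1 { "workstation" }
    2 { "domain controller" }
    3 { "member or standalone server" }
}
"{0}: ProductType={1} ({2})" -f $env:COMPUTERNAME, $os.ProductType, $role

if (Test-WmiFilterMatch) {
    "Filter matches: the Client and Member Server WFAS GPO applies to this computer."
} else {
    "Filter does not match: the GPO is skipped here (expected on DC1)."
}

# Once the computer is a domain member, confirm what Group Policy actually did:
# the GPO is listed as applied on CLIENT1/APP1, and as denied by the WMI
# filter on DC1.
gpresult /r /scope computer
```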

Add the RPC Internet registry key

Next add the RPC Internet registry key using the registry editor. This restricts the TCP ports used by RPC dynamic port allocation on DC1 to 5000 through 5010, which is why those ports appear in the Request TCP Ports rules; without it, RPC services on DC1 would listen on random high ports that only the Require In/Request Out rule covers.

To add the Internet registry key

  1. On DC1, click Start and type regedit in the search text box and press ENTER.

  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc.

  3. Right-click Rpc, select New, and click Key.

  4. Type Internet for the key name and press ENTER.

  5. In the right pane, right-click and select New then click Multi-String Value.

  6. Type Ports for the name.

  7. Right-click Ports and click Modify.

  8. In the Value data text box, type 5000-5010 and click OK.

  9. In the right pane, right-click and select New and click String Value.

  10. Type UseInternetPorts for the name.

  11. Right-click UseInternetPorts and click Modify.

  12. In the Value data text box, type Y and click OK.

  13. In the right pane, right-click and select New and click String Value.

  14. Type PortsInternetAvailable for the name.

  15. Right-click PortsInternetAvailable and click Modify.

  16. In the Value data text box, type Y and click OK.

  17. Exit the Registry Editor and restart DC1.
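The same key can be written and checked from PowerShell on DC1. The script below is an added example and is not part of this Test Lab Guide; it creates the three values with the types the procedure above specifies (Ports as REG_MULTI_SZ, the two flags as REG_SZ), reads them back, and after the restart lists the RPC listeners that landed in the pinned range. The function and variable names are this example's own.

```powershell
# Added example (not part of the original TLG): creates HKLM\SOFTWARE\Microsoft\
# Rpc\Internet with the Ports, UseInternetPorts and PortsInternetAvailable values
# from PowerShell 2.0, reads them back, and checks the listeners after a restart.

$RpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcInternetPorts {
    param(
        # Range handed to RPC dynamic endpoint allocation. Must match the ports
        # listed in the Request TCP Ports connection security rules.
        [string[]]$Ports = @('5000-5010')
    )
    if (-not (Test-Path $RpcInternet)) {
        New-Item -Path $RpcInternet -Force | Out-Null
    }
    # REG_MULTI_SZ: one port or range per string.
    New-ItemProperty -Path $RpcInternet -Name Ports -PropertyType MultiString -Value $Ports -Force | Out-Null
    # REG_SZ "Y": RPC uses the Internet port set, and the listed ports are the
    # ones made available (rather than excluded).
    New-ItemProperty -Path $RpcInternet -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcInternet -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
}

function Get-RpcInternetPorts {
    # Read-back check; returns nothing if the key does not exist.
    if (Test-Path $RpcInternet) { Get-ItemProperty -Path $RpcInternet }
}

function Get-RpcListeningPorts {
    # Run after the restart: TCP listeners on 5000-5010 are the RPC endpoints
    # that the Request TCP Ports rule now covers. Anything RPC still opened
    # outside the range would fall under the Require In rule and block joins.
    netstat -ano -p tcp | Select-String 'LISTENING' | Select-String ':50(0[0-9]|10)\s'
}

Set-RpcInternetPorts
Get-RpcInternetPorts | Format-List Ports, UseInternetPorts, PortsInternetAvailable

# The key is read when RPC starts, so DC1 must be restarted before
# Get-RpcListeningPorts shows anything in the range.
Restart-Computer -Confirm
```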

Step 3: Configure CLIENT1

CLIENT1 configuration for the WFAS Protected Domain Controller test lab consists of the following procedures:

  • Join the workgroup WORKGROUP

The following section explains this procedure in detail.

Join the workgroup WORKGROUP

This procedure changes the membership of CLIENT1 from the domain corp.contoso.com to the workgroup WORKGROUP.

To change CLIENT1 domain membership

  1. Click Start, right-click Computer, and then click Properties.

  2. On the System page, click Advanced system settings.

  3. In the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.

  4. In the Computer Name/Domain Changes dialog box, click Workgroup, type workgroup, and then click OK.

  5. When you are prompted for a user name and password, type the user name and password for the Administrator domain account, and then click OK.

  6. When you see a dialog box that welcomes you to the workgroup WORKGROUP, click OK.

  7. When you see a dialog box that prompts you to restart the computer, click OK.

  8. In the System Properties dialog box, click Close. Click the button that restarts the computer.

  9. After the computer restarts, log on as CLIENT1\Administrator.

Step 4: Configure APP1

APP1 configuration for the WFAS test lab consists of the following procedures:

  • Join the workgroup WORKGROUP

The following section explains this procedure in detail.

Join the workgroup WORKGROUP

This procedure changes the membership of APP1 from the domain corp.contoso.com to the workgroup WORKGROUP.

To change APP1 domain membership

  1. Click Start, right-click Computer, and then click Properties.

  2. On the System page, click Advanced system settings.

  3. In the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.

  4. In the Computer Name/Domain Changes dialog box, click Workgroup, type workgroup, and then click OK.

  5. When you are prompted for a user name and password, type the user name and password for the Administrator domain account, and then click OK.

  6. When you see a dialog box that welcomes you to the workgroup WORKGROUP, click OK.

  7. When you see a dialog box that prompts you to restart the computer, click OK.

  8. In the System Properties dialog box, click Close. Click the button that restarts the computer.

  9. After the computer restarts, log on as APP1\Administrator.

Step 5: Verify connection security rules on CLIENT1

Use the following procedures to verify that CLIENT1 can join the corp.contoso.com domain and uses connection security rules to protect network connections between CLIENT1 and DC1 after it is a member of the domain.

  • Verify WFAS configuration as a workgroup member.

  • Join the corp.contoso.com domain

  • Verify WFAS configuration as a domain member

The following sections explain these procedures in detail.

Verify WFAS configuration as a workgroup member

Examine the WFAS configuration and verify that there are no connection security rules in place on CLIENT1.

To verify the WFAS configuration on CLIENT1

  1. Open WFAS on CLIENT1.

    Click Start, type wf.msc in the search text box and press ENTER.

  2. Click Connection Security Rules and verify that there are no connection security rules configured for CLIENT1.

Join the corp.contoso.com domain

Configure CLIENT1 as a member of the corp.contoso.com domain.

To join the domain

  1. On CLIENT1, click Start, right-click Computer, and click Properties.

  2. In the Computer name, domain, and workgroup settings section, click Change settings.

  3. Click Change.

  4. Under Member of, click Domain and type corp.contoso.com and click OK.

  5. Type the administrator account name and password and click OK.

  6. On the Welcome dialog, click OK.

  7. Click OK, and then click Close to close the System Properties dialog box.

  8. Click Restart Now.

Verify WFAS configuration as a domain member

Examine the WFAS configuration and verify that there are connection security rules from group policy on CLIENT1 and that there are IPsec security associations between CLIENT1 and DC1.

To verify the WFAS configuration on CLIENT1

  1. Log on to CLIENT1 using the CORP\administrator account.

  2. Open WFAS on CLIENT1.

    Click Start, type wf.msc in the search text box and press ENTER.

  3. Click Connection Security Rules and verify that there are connection security rules from group policy.

To initiate communication with DC1

  1. On CLIENT1, click Start, type cmd.exe in the Search text box and press ENTER.

  2. At the command prompt, type gpupdate /force and press ENTER.

    You will see the following output:

    User Policy update has completed successfully.

    Computer Policy update has completed successfully.

To verify the IPsec security associations

  1. From WFAS, expand Monitoring.

  2. Expand Security Associations and click Quick Mode. Right-click Quick Mode and click Refresh to see the most recent security associations. If you don’t see any, or only a few security associations, repeat the procedure to initiate communication with DC1 and immediately refresh the Quick Mode security associations.

    Note the IP addresses, remote ports, and protocols that these security associations are associated with.

Step 6: Verify connection security rules on APP1

Use the following procedures to verify that APP1 can join the corp.contoso.com domain and uses connection security rules to protect network connections between the computers after it is a member of the domain.

  • Verify WFAS configuration as a workgroup member.

  • Join the corp.contoso.com domain

  • Verify WFAS configuration as a domain member

The following sections explain these procedures in detail.

Verify WFAS configuration as a workgroup member

Examine the WFAS configuration and verify that there are no connection security rules in place on APP1.

To verify the WFAS configuration on APP1

  1. Open WFAS on APP1.

    Click Start, type wf.msc in the search text box and press ENTER.

  2. Click Connection Security Rules and verify that there are no connection security rules configured for APP1.

Join the corp.contoso.com domain

Configure APP1 as a member of the corp.contoso.com domain.

To join the domain

  1. On APP1, click Start, right-click Computer, and click Properties.

  2. In the Computer name, domain, and workgroup settings section, click Change settings.

  3. Click Change.

  4. Under Member of, click Domain and type corp.contoso.com and click OK.

  5. Type the administrator account name and password and click OK.

  6. On the Welcome dialog, click OK.

  7. Click OK, and then click Close to close the System Properties dialog box.

  8. Click Restart Now.

Verify WFAS configuration as a domain member

Examine the WFAS configuration and verify that there are connection security rules from group policy on APP1 and that there are IPsec security associations between APP1 and DC1.

To verify the WFAS configuration on APP1

  1. Log on to APP1 using the CORP\administrator account.

  2. Open WFAS on APP1.

    Click Start, type wf.msc in the search text box and press ENTER.

  3. Click Connection Security Rules and verify that there are connection security rules from group policy.

To initiate communication with DC1

  1. On APP1, click Start, type cmd.exe in the Search text box and press ENTER.

  2. At the command prompt, type gpupdate /force and press ENTER.

    You will see the following output:

    User Policy update has completed successfully.

    Computer Policy update has completed successfully.

To verify the IPsec security associations

  1. From WFAS, expand Monitoring.

  2. Expand Security Associations and click Quick Mode. Right-click Quick Mode and click Refresh to see the most recent security associations. If you don’t see any, or only a few security associations, repeat the procedure to initiate communication with DC1 and immediately refresh the Quick Mode security associations.

    Note the IP addresses, remote ports, and protocols that these security associations are associated with.
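The verification in Steps 5 and 6 is identical for CLIENT1 and APP1, and it can be scripted from a PowerShell prompt on the domain member. The script below is an added example, not part of this Test Lab Guide: it refreshes policy, lists the connection security rules that arrived from the GPO, deliberately talks to DC1 over the ports the rules cover, and then reads the quick mode security associations with netsh advfirewall monitor show qmsa, which is the command-line view of the Monitoring node used above. It assumes DC1 has the Base Configuration address 10.0.0.1 and that the account is CORP\Administrator; the address is only used to pick out the security associations with DC1.

```powershell
# Added example (not part of the original TLG): scripted version of "Verify WFAS
# configuration as a domain member" for CLIENT1 or APP1. Assumption: DC1 is
# 10.0.0.1 (Base Configuration); run as CORP\Administrator on the member.

$Dc1 = '10.0.0.1'

# 1. Connection security rules must now come from the GPO (names begin "GP ").
gpupdate /force
netsh advfirewall consec show rule name=all | Select-String '^Rule Name:'

# 2. Generate traffic that the rules protect: RPC/SMB for the secure channel,
#    SMB to SYSVOL (445) and DNS (53). Kerberos (88) and LDAP (389) are used
#    by the logon and policy refresh that already happened.
nltest /sc_query:corp.contoso.com
Get-ChildItem \\corp.contoso.com\SYSVOL | Out-Null
nslookup dc1.corp.contoso.com $Dc1 | Out-Null

function Get-QuickModeSAs {
    param([string]$Peer = $Dc1)
    # Quick mode SAs are the proof that IPsec protected the traffic. Each SA
    # block names the remote address once, so the number of lines that contain
    # the peer address is a rough count of SAs with DC1; the full listing shows
    # the protocol, ports and the AH/ESP algorithms negotiated.
    $raw = netsh advfirewall monitor show qmsa
    $hits = @($raw | Select-String -SimpleMatch $Peer)
    New-Object PSObject -Property @{ PeerSACount = $hits.Count; Listing = $raw }
}

# 3. Read the SAs immediately: they idle out after a few minutes, which is why
#    the guide says to refresh right after generating traffic.
$result = Get-QuickModeSAs
if ($result.PeerSACount -eq 0) {
    "No quick mode SAs with $Dc1 : repeat step 2 and read again at once, or check the rules on both ends."
} else {
    "$($result.PeerSACount) quick mode SA entries with $Dc1 ; note the ports and protocols:"
    $result.Listing
}
```

If the rule listing in step 1 is empty, the GPO did not apply (check the WMI filter and gpresult /r /scope computer before looking at IPsec); if the rules are present but no SAs appear, the traffic in step 2 is matching a request-only rule and DC1 is answering in the clear, which is the expected state for a workgroup computer but not for a domain member that already holds a certificate from corp-DC1-CA.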

Snapshot the Configuration

This completes the WFAS Protected Domain Controller test lab. To save this configuration so that you can quickly return to a working WFAS Protected Domain Controller configuration from which you can test other WFAS modular test lab guides (TLGs), TLG extensions, or for your own experimentation and learning, do the following:

  1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.

  2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots WFAS Protected Domain Controller. If your lab uses physical computers, create disk images to save the WFAS Protected Domain Controller test lab configuration.

Additional Resources

For more information about WFAS and Microsoft’s IPsec implementation, see the Microsoft website at https://www.microsoft.com/ipsec.

For the design and configuration of your pilot or production deployment of WFAS, see the Windows Firewall with Advanced Security Design Guide at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=209621) and the Windows Firewall with Advanced Security Deployment Guide at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=209622).

For information about troubleshooting WFAS see the Windows Firewall with Advanced Security Troubleshooting Guide: Diagnostics and Tools at the Microsoft website (https://go.microsoft.com/fwlink/?LinkID=184934).

To get your questions about this test lab or WFAS answered, see the Windows Server Platform Networking Forum at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=209626).

For a list of additional Microsoft TLGs, see Test Lab Guides (https://go.microsoft.com/fwlink/?LinkID=202817) in the TechNet Wiki.

To provide the authors of this guide with feedback or suggestions for improvement, send an email message to tlgfb@microsoft.com.