Creating Firewall Rules that Allow IPsec-protected Network Traffic (Authenticated Bypass)
Published: November 2, 2007
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
In a typical network, you want all network traffic blocked except for traffic that is truly required.
To help strengthen security, by default, rules that block traffic have a higher precedence than rules that allow traffic. So if traffic coming into (or going out of) the firewall matches both an allow rule and a block rule, the block rule takes precedence, and the traffic will be dropped.
There are times, however, when you might want to allow network traffic into a computer that would ordinarily be blocked. For example, the network troubleshooting team might need to use network protocol analyzers or other network troubleshooting equipment in ways that the firewall rules would ordinarily prevent. In such circumstances, you can create a special type of allow rule that overrides a block rule when the network traffic meets certain administrator-specified requirements.
These rules are referred to as “authenticated bypass” rules. If you enable the Override block rules setting on the firewall rule, then correctly authenticated traffic that matches this rule is permitted, even if another rule would block it. The result is a set of rules that say "this traffic is blocked unless it is coming from an authorized computer."
In this section of the guide, you create a firewall rule that blocks all Telnet network traffic, and then test it against the Telnet allow rule you created in a previous section to see that the block rule takes precedence. Then you modify your existing Telnet allow rule to include the Override block rules setting, and confirm that you can connect from your approved computer.
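The precedence described above (authenticated bypass over block, block over allow) can be modelled to check what a rule set will do before you test it on real computers. This Python sketch is an added illustration, not Microsoft code or the firewall's implementation; the rule fields, the computer names, the default-block inbound behavior, and the requirement that a bypass rule names at least one authorized computer are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "block"
    port: int                            # local TCP port the rule covers
    require_auth: bool = False           # only matches IPsec-authenticated traffic
    override_block: bool = False         # the "Override block rules" setting
    authorized: frozenset = frozenset()  # computers permitted to use the rule

@dataclass(frozen=True)
class Connection:
    port: int
    remote_computer: str
    authenticated: bool                  # True if IPsec authenticated the peer

def matches(rule, conn):
    if rule.port != conn.port:
        return False
    if rule.require_auth and not conn.authenticated:
        return False
    return not rule.authorized or conn.remote_computer in rule.authorized

def is_bypass(rule):
    # Model assumption: override only counts on an authenticated allow rule
    # that names at least one authorized computer.
    return (rule.action == "allow" and rule.override_block
            and rule.require_auth and bool(rule.authorized))

def evaluate(rules, conn, default="block"):
    """Return (verdict, deciding rule name) for an inbound connection."""
    hits = [r for r in rules if matches(r, conn)]
    for wins in (is_bypass,                          # 1. authenticated bypass
                 lambda r: r.action == "block",      # 2. block rules
                 lambda r: r.action == "allow"):     # 3. ordinary allow rules
        for r in hits:
            if wins(r):
                return r.action, r.name
    return default, "default inbound behavior"

# Constructed sample policy: Telnet (TCP 23), hypothetical computer names.
BLOCK = Rule("Block Telnet", "block", 23)
ALLOW = Rule("Allow Telnet", "allow", 23, require_auth=True,
             authorized=frozenset({"ADMIN-PC"}))
BYPASS = Rule("Allow Telnet", "allow", 23, require_auth=True,
              override_block=True, authorized=frozenset({"ADMIN-PC"}))

if __name__ == "__main__":
    admin = Connection(23, "ADMIN-PC", authenticated=True)
    print(evaluate([BLOCK, ALLOW], admin))   # block rule wins
    print(evaluate([BLOCK, BYPASS], admin))  # bypass rule wins
```

An authenticated connection from a computer that is not in the authorized set, or an unauthenticated one from the approved computer, does not match the bypass rule and falls through to the block rule.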