Configuring IPsec Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can configure Windows Firewall so that all incoming authenticated traffic protected by Internet Protocol security (IPsec) completely bypasses Windows Firewall processing on specific computers. To do this, you must enable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting. To specify which computers allow incoming IPsec-protected traffic to bypass Windows Firewall, you must provide a Security Descriptor Definition Language (SDDL) string that corresponds to the group accounts for the computers to which this policy applies.

Important

This information applies only to IPsec in Windows Server 2003 with Service Pack (SP) 1 and Windows XP with SP2. It does not apply to Microsoft Windows Vista® or Windows Server® 2008, or later versions of Windows. For information about using authenticated bypass on Windows Vista or Windows Server 2008, see How to Enable Authenticated Bypass or "Allow if Secure" at https://go.microsoft.com/fwlink/?linkid=111313 in the Windows Server 2008 Technical Library.

The format of the SDDL string for a single group is:

O:DAG:DAD:(A;;RCGW;;;SID)

Where SID is the Security Identifier (SID) of a group account.

Use the Getsid.exe tool to obtain the SID of a group account. Getsid.exe is typically used to compare the SIDs of two accounts on different domain controllers, but you can also use it to obtain the SID of a specified user or group account.

To obtain a SID for a group account, use the following syntax:

getsid \\domain_controller group_account \\domain_controller group_account

Where domain_controller is the computer name of a domain controller and group_account is the group account name.

The following example uses the Getsid.exe tool with a domain controller named EXAMPLE2 in the example.com domain and a group account named IPsecComputers:

C:\>getsid \\example2 IPsecComputers \\example2 IPsecComputers
The SID for account EXAMPLE\IPsecComputers matches account EXAMPLE\IPsecComputers
The SID for account EXAMPLE\IPsecComputers is
S-1-5-21-3575094098-3669797271-991787341-1127
The SID for account EXAMPLE\IPsecComputers is
S-1-5-21-3575094098-3669797271-991787341-1127

The output is redundant because the same account is compared with itself, but it provides the SID you need. To allow computers in the IPsecComputers group to bypass Windows Firewall, use the following string to configure the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting:

O:DAG:DAD:(A;;RCGW;;;S-1-5-21-3575094098-3669797271-991787341-1127)

If you have more than one group, then the syntax for the SDDL string is:

O:DAG:DAD:(A;;RCGW;;;SID1) (A;;RCGW;;;SID2) (A;;RCGW;;;SID3)...

If you enable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting, and a computer that is a member of one of the security groups on the SDDL list receives an IPsec-protected packet, Windows Firewall does not process it to determine whether it is allowed.

If you disable or do not configure this Group Policy setting, incoming IPsec-protected traffic is processed by Windows Firewall. If you enable this Group Policy setting, configure an SDDL list, and later disable the setting, Windows Firewall deletes the list.

When to perform this task

You can use this setting if your organization uses both IPsec and Windows Firewall, and you assume that traffic protected by IPsec is safe. If you enable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting, you might need to modify the SDDL list to include additional security groups on an ongoing basis.
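The following Python is an added example, not part of the original article and not Microsoft's own code. It builds the SDDL string described above from a list of group SIDs, parses a configured string back into its SIDs, and reports any SID that is not on an approved list, which is the check you want when the SDDL list is modified on an ongoing basis. The IPsecComputers SID is the one from the Getsid.exe output above; the second group SID in the usage section is constructed. The builder concatenates the ACEs without the spaces shown in the multi-group syntax, which is the usual SDDL form, while the parser accepts either layout; the parser also rejects any ACE other than the (A;;RCGW;;;SID) form, so a string that grants more than the bypass setting expects is flagged rather than silently accepted.

```python
import re

# SID of the IPsecComputers group from the Getsid.exe output above.
IPSEC_COMPUTERS_SID = "S-1-5-21-3575094098-3669797271-991787341-1127"

# Fixed owner/group prefix used by the authenticated IPsec bypass setting.
SDDL_PREFIX = "O:DAG:DAD:"

# A Windows SID: S-1-<identifier authority>-<one to fifteen sub-authorities>.
SID_PATTERN = r"S-1-\d+(?:-\d+){1,15}"
SID_RE = re.compile(rf"^{SID_PATTERN}$")
# The only ACE form the bypass setting documents: access-allowed, rights RCGW, trustee SID.
ACE_RE = re.compile(rf"\(A;;RCGW;;;({SID_PATTERN})\)")


def is_well_formed_sid(sid):
    """True if sid has the S-1-<authority>-<sub-authorities> shape."""
    return SID_RE.match(sid) is not None


def build_bypass_sddl(group_sids):
    """Build the SDDL string for 'Allow authenticated IPSec bypass' from group SIDs."""
    if not group_sids:
        raise ValueError("at least one group SID is required")
    aces = []
    for sid in group_sids:
        if not is_well_formed_sid(sid):
            raise ValueError(f"not a well-formed SID: {sid!r}")
        aces.append(f"(A;;RCGW;;;{sid})")
    return SDDL_PREFIX + "".join(aces)


def parse_bypass_sddl(sddl):
    """Return the SIDs granted bypass; reject anything outside the documented form."""
    if not sddl.startswith(SDDL_PREFIX):
        raise ValueError(f"SDDL string must start with {SDDL_PREFIX}")
    # Tolerate the space-separated layout used above when listing several groups.
    body = sddl[len(SDDL_PREFIX):].replace(" ", "")
    sids = ACE_RE.findall(body)
    # The body must consist solely of the ACEs we recognised; any other ACE
    # type, rights mask or trailing text means the string grants something else.
    if "".join(f"(A;;RCGW;;;{s})" for s in sids) != body:
        raise ValueError("SDDL string contains ACEs or text outside the (A;;RCGW;;;SID) form")
    return sids


def audit_bypass_sddl(sddl, approved_sids):
    """Return the SIDs in a configured bypass list that are not on the approved list."""
    approved = set(approved_sids)
    return [sid for sid in parse_bypass_sddl(sddl) if sid not in approved]


if __name__ == "__main__":
    # Constructed SID for a second group, to show the multi-group case.
    extra_group = "S-1-5-21-3575094098-3669797271-991787341-2201"
    configured = build_bypass_sddl([IPSEC_COMPUTERS_SID, extra_group])
    print(configured)
    print("groups granted bypass:", parse_bypass_sddl(configured))
    print("not on the approved list:", audit_bypass_sddl(configured, [IPSEC_COMPUTERS_SID]))
```

Run audit_bypass_sddl against the value currently deployed through Group Policy whenever the setting is reviewed: any SID it returns is a group whose members bypass Windows Firewall entirely without having been approved for that.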

Task requirements

Getsid.exe. For more information, see Windows Support Tools at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=43235).

Task procedures

To complete this task, perform the following procedure:

Configure Authenticated IPsec Bypass

See Also

Concepts

Known Issues for Managing IPsec, Multicast, and ICMP Settings