Configure Authenticated IPsec Bypass

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use this procedure to allow authenticated traffic protected by Internet Protocol security (IPsec) to bypass Windows Firewall. When you perform this procedure, you must provide a Security Descriptor Definition Language (SDDL) string that contains a list of the computers or groups of computers that you want to bypass Windows Firewall. If you enable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting, and a computer that is a member of one of the security groups on the SDDL list receives an IPsec-protected packet, Windows Firewall does not process it to see whether it is allowed. This setting is useful if you use Windows Firewall and IPsec in your organization and assume that any computer using IPsec is protected and that its traffic should be allowed to pass through Windows Firewall.

Important

This information applies only to IPsec in Windows Server 2003 with Service Pack (SP) 1 and Windows XP with SP2. It does not apply to Microsoft Windows Vista® or Windows Server® 2008, or later versions of Windows. For information about using authenticated bypass on Windows Vista or Windows Server 2008, see How to Enable Authenticated Bypass or "Allow if Secure" at https://go.microsoft.com/fwlink/?linkid=111313 in the Windows Server 2008 Technical Library.

For information about creating SDDL strings, see Managing IPsec, Multicast, and ICMP Settings.

Administrative Credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Special Considerations

If you perform this procedure and enable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting, and then later disable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting, the SDDL strings that you entered will be deleted. Therefore, you should save the SDDL strings that you use to perform this procedure in case you need to perform this procedure again in the future.

To allow traffic protected by IPsec through Windows Firewall

This procedure can be performed through Group Policy only. You cannot use the graphical user interface or the command prompt to perform this procedure.

  1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, and then click Windows Firewall.

  3. In the details pane, double-click Windows Firewall: Allow authenticated IPSec bypass.

  4. In the Windows Firewall: Allow authenticated IPSec bypass properties dialog box, on the Settings tab, click Enabled.

  5. In Define IPSec peers to be exempted from firewall policy, type the SDDL string that corresponds to the group accounts for the computers to which this policy applies, and then click OK.
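Because the SDDL string typed in step 5 is the entire access-control list for the bypass, it is worth checking before it goes into the GPO, and again from the copy you saved (see Special Considerations) whenever the policy is re-enabled. The script below is an added example, not code from this article or from Microsoft: it parses the owner/group/DACL layout of an SDDL string, lists the SIDs that Allow ACEs exempt from Windows Firewall filtering, and flags entries such as Everyone, Authenticated Users or Domain Computers that would exempt every IPsec peer instead of a chosen set of computer groups. The sample string, its domain SIDs and RIDs are constructed; the access-rights field (`RCGW`) is an assumption, since this page does not spell out which rights the policy expects, so take that value from the policy's own Explain text rather than from here.

```python
"""Audit the SDDL string given to 'Define IPSec peers to be exempted from firewall policy'.

Constructed example, not Microsoft's code. Parses the O:/G:/D: layout of an SDDL
string, lists the SIDs that Allow ACEs exempt, and flags entries that would exempt
every IPsec peer rather than a chosen set of computer groups.
"""
import re

# Assumption: one Allow ACE per computer group, as in the string below. The
# access-rights field (RCGW) is assumed; this page does not say which rights the
# policy expects, so take that value from the policy's Explain text, not from here.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RCGW;;;S-1-5-21-1111111111-2222222222-3333333333-1107)"  # constructed group SID
    "(A;;RCGW;;;S-1-5-21-1111111111-2222222222-3333333333-1108)"  # second group, constructed
)

# Well-known SDDL aliases and SIDs that cover far more than a chosen group of computers.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
    "DC": "Domain Computers",
}

# Each section starts with O:, G:, D: or S: and runs until the next such marker.
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
# A trustee is either a full SID or a two-letter SDDL alias.
SID_RE = re.compile(r"^(?:S-1-\d+(?:-\d+)+|[A-Z]{2})$")


def parse_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: sections; the DACL is mandatory."""
    sections = dict(SECTION_RE.findall(sddl.strip()))
    if "D" not in sections:
        raise ValueError("no DACL (D:) in SDDL string")
    return sections


def parse_aces(dacl):
    """Return (ace_type, rights, sid) for every parenthesised ACE in a DACL section."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, sid = fields[:6]
        if not SID_RE.match(sid):
            raise ValueError("bad SID or alias in ACE: %r" % sid)
        aces.append((ace_type, rights, sid))
    if not aces:
        raise ValueError("DACL contains no ACEs; nothing would be exempted")
    return aces


def exempted_peers(sddl):
    """SIDs (or aliases) that an Allow ('A') ACE exempts from Windows Firewall filtering."""
    dacl = parse_sddl(sddl)["D"]
    return [sid for ace_type, _rights, sid in parse_aces(dacl) if ace_type == "A"]


def overly_broad(sids):
    """Flag entries that would exempt essentially every IPsec peer, not a chosen group."""
    findings = []
    for sid in sids:
        if sid in BROAD_PRINCIPALS:
            findings.append((sid, BROAD_PRINCIPALS[sid]))
        elif sid.startswith("S-1-5-21-") and sid.endswith("-515"):  # RID 515 = Domain Computers
            findings.append((sid, "Domain Computers (RID 515)"))
    return findings


def sddl_problems(sddl):
    """Structural problems as messages; an empty list means the string parsed cleanly."""
    try:
        exempted_peers(sddl)
    except ValueError as err:
        return [str(err)]
    return []


if __name__ == "__main__":
    peers = exempted_peers(SAMPLE_SDDL)
    print("exempted peers:", peers)
    print("broad entries:", overly_broad(peers))
    print("problems in 'O:DAG:DA':", sddl_problems("O:DAG:DA"))
```

Run it against the string you intend to paste into the policy; an empty result from `overly_broad` and from `sddl_problems` means only the listed group SIDs are exempted and the string is structurally sound. Keep in mind the note below: the bypass is only honoured on the responder side of the IPsec SA, so a clean list here says nothing about filtering on the initiator.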

Note

  • The IPsec bypass only applies to computers that are the responder to an IPsec SA negotiation. The initiator of the session does not set the bypass flag for the connection, so the firewall on the initiator still inspects the packets. If the responder uses the same IPsec SA to connect back to the initiator, the packets are filtered out by the firewall on the initiator.

  • Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.

  • Group Policy settings must be refreshed before they take effect.

See Also

Concepts

Configuring IPsec Settings
Known Issues for Managing IPsec, Multicast, and ICMP Settings