Configure Authenticated IPsec Bypass
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use this procedure to allow traffic that is authenticated and protected by Internet Protocol security (IPsec) to bypass Windows Firewall. When you perform this procedure, you must provide a Security Descriptor Definition Language (SDDL) string that lists the computers, or security groups of computers, whose IPsec-protected traffic is allowed to bypass Windows Firewall. If you enable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting, and a computer to which the setting applies receives an IPsec-protected packet from a peer that is a member of one of the security groups in the SDDL string, Windows Firewall does not check the packet against its exceptions to see whether it is allowed; it is passed through. This setting is useful if you use both Windows Firewall and IPsec in your organization and assume that any computer that can authenticate with IPsec is trusted and that its traffic should pass through Windows Firewall. Note that the bypass is only as strong as the IPsec authentication of the peer and your control over membership of the listed groups: a computer that is in one of those groups is exempt from all Windows Firewall filtering for its IPsec-protected traffic.
Important
This information applies only to IPsec in Windows Server 2003 with Service Pack (SP) 1 and Windows XP with SP2. It does not apply to Microsoft Windows Vista® or Windows Server® 2008, or later versions of Windows. For information about using authenticated bypass on Windows Vista or Windows Server 2008, see How to Enable Authenticated Bypass or "Allow if Secure" at https://go.microsoft.com/fwlink/?linkid=111313 in the Windows Server 2008 Technical Library.
For information about creating SDDL strings, see Managing IPsec, Multicast, and ICMP Settings.
Administrative Credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
Special Considerations
If you perform this procedure and enable the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting, and later disable that setting, the SDDL string that you entered is deleted from the Group Policy object. Therefore, save a copy of the SDDL string that you use in this procedure so that you can re-enter it if you need to perform the procedure again.
To allow traffic protected by IPsec through Windows Firewall
This procedure can be performed through Group Policy only. You cannot perform it from the Windows Firewall item in Control Panel or with the netsh firewall commands at the command prompt.
1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.
2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, and then click Windows Firewall.
3. In the details pane, double-click Windows Firewall: Allow authenticated IPSec bypass.
4. In the Windows Firewall: Allow authenticated IPSec bypass properties dialog box, on the Settings tab, click Enabled.
5. In Define IPSec peers to be exempted from firewall policy, type the SDDL string that identifies the security groups containing the computer accounts of the IPsec peers whose traffic is to bypass Windows Firewall, and then click OK.
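The following PowerShell script is an added example and is not part of the original topic or of any Microsoft tool. It builds the SDDL string for step 5 from one or more security groups, validates it with the .NET SDDL parser before you paste it into the dialog box, lists the SIDs that the string would exempt so that you can audit it, and saves a copy as recommended under Special Considerations. It assumes that the string has the form O:DAG:DAD:(A;;RCGW;;;SID) with one access-allowed ACE per group (check this against Managing IPsec, Multicast, and ICMP Settings), that the group names and SIDs shown are made up, and that parsing runs on a domain-joined computer because DA (Domain Admins) is a domain-relative abbreviation.

```powershell
# Added example, not from the original topic. Builds, validates, audits and saves the
# SDDL string for "Windows Firewall: Allow authenticated IPSec bypass".
# Assumptions: the string format O:DAG:DAD:(A;;RCGW;;;<SID>) with one allow ACE per
# group (verify against "Managing IPsec, Multicast, and ICMP Settings"); the group
# names and SIDs below are constructed for this demo; DA resolves only on a
# domain-joined computer (PowerShell 2.0 or later).

function Resolve-PeerSid {
    param([Parameter(Mandatory = $true)][string]$Principal)
    # Accept either a SID string or a DOMAIN\Group name; names need the domain to resolve.
    if ($Principal -match '^S-1-\d+(-\d+)+$') {
        return New-Object System.Security.Principal.SecurityIdentifier($Principal)
    }
    $account = New-Object System.Security.Principal.NTAccount($Principal)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

function New-IPsecBypassSddl {
    param([Parameter(Mandatory = $true)][string[]]$Principal)
    $aces = foreach ($p in $Principal) {
        $sid = Resolve-PeerSid -Principal $p
        if (-not $sid.IsAccountSid()) {
            # Well-known SIDs (Everyone, Authenticated Users, ...) would exempt every
            # IPsec peer; the bypass should name specific domain computer groups only.
            throw "Refusing non-account SID $($sid.Value); use a domain security group"
        }
        "(A;;RCGW;;;$($sid.Value))"
    }
    # Owner and primary group are Domain Admins; the DACL holds one allow ACE per group.
    return 'O:DAG:DAD:' + ($aces -join '')
}

function Get-IPsecBypassPeer {
    param([Parameter(Mandatory = $true)][string]$Sddl)
    # Round-trip through the .NET SDDL parser: a malformed string throws here rather
    # than being pasted into the Group Policy dialog. Returns the SIDs granted the bypass.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $rcgw = 0x20000 -bor 0x40000000   # READ_CONTROL | GENERIC_WRITE, what "RCGW" expands to
    $peers = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) {
            throw ("Unexpected ACE type {0}; only allow ACEs belong in this string" -f $ace.AceType)
        }
        if ($ace.AccessMask -ne $rcgw) {
            throw ("ACE for {0} has mask 0x{1:X}, expected RCGW" -f $ace.SecurityIdentifier.Value, $ace.AccessMask)
        }
        $peers += $ace.SecurityIdentifier.Value
    }
    if ($peers.Count -eq 0) { throw 'SDDL grants the bypass to no one' }
    return $peers
}

# Usage with constructed SIDs so the demo runs without directory lookups. On a
# domain-joined computer you would pass names such as 'CONTOSO\IPsec Bypass Computers'.
$groups = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-21-1111111111-2222222222-3333333333-1106'
)
$sddl = New-IPsecBypassSddl -Principal $groups
Write-Output "Paste into 'Define IPSec peers to be exempted from firewall policy':"
Write-Output $sddl
Write-Output 'Peers whose IPsec-protected traffic will bypass Windows Firewall:'
Get-IPsecBypassPeer -Sddl $sddl
# Keep a copy: disabling the policy setting later deletes the string from the GPO.
Set-Content -Path .\ipsec-bypass-sddl.txt -Value $sddl
```

Run Get-IPsecBypassPeer against the string you actually entered in the GPO whenever group membership or the policy is reviewed; any SID it lists identifies computers whose IPsec-protected traffic is no longer filtered by Windows Firewall.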
See Also
Concepts
Configuring IPsec Settings
Known Issues for Managing IPsec, Multicast, and ICMP Settings