Add, edit, or remove filter actions

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add, edit, or remove filter actions

  1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.

  2. Double-click the policy that you want to modify.

  3. Double-click the rule that you want to modify, and then click the Filter Action tab.

  4. To add a filter action, decide whether you want to use the IP Security Filter Action Wizard or add the filter action manually:

    • To add a filter action by using the IP Security Filter Action Wizard, confirm that the Use Add Wizard check box is selected, click Add, and then follow the instructions.

    • To add a filter action manually, confirm that the Use Add Wizard check box is cleared, click Add, and then define settings on the Security Methods and General tabs.

  5. To modify an existing filter action, select the filter action that you want to modify, and then click Edit.

  6. To remove a filter action, select the filter action that you want to remove, and then click Remove.

  7. If you are adding or modifying a filter action, choose a filter action type:

    • Click Permit to allow receiving or sending of packets in plaintext (unsecured traffic). Security will not be requested for these packets.

    • Click Block to discard packets. Security will not be requested for these packets.

    • Click Negotiate security to use the list of security methods in Security method preference order to provide security for packets that match this filter. Security requests will be accepted for these packets.

  8. If you chose Negotiate security, add new security methods or edit the existing ones for the filter action.

  9. If you do not want to block incoming, unsecured communications, but you want to ensure that all outgoing communications and subsequent two-way communications are secured, select the Accept unsecured communication, but always respond using IPSec check box.

  10. To enable communication with other computers that do not support IPSec, and ensure that communication continues if there is no response to a request for IPSec negotiation, select the Allow unsecured communication with non-IPSec-aware computers check box. After the initial IPSec negotiation has failed, IPSec negotiation will be retried at five minute intervals.

  11. To guarantee that no master keys or master keying material will be reused to generate the session key, select the Use session key perfect forward secrecy (PFS) check box.

  12. On the General tab, in Name, type a unique name.

  13. In Description, type a description. For example, you might type what security levels this filter action represents.

Notes

  • To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.

  • To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.

  • The filter action types Permit and Block and the options to Allow unsecured communication with non-IPSec-aware computers and Accept unsecured communication, but always respond using IPSec are not available in the default response rule.

  • Session key perfect forward secrecy (PFS) renegotiates new master key keying material during every session rekey operation. This is the most secure setting. However, it adds overhead and increases the time required to complete a rekey operation. Both initiator and responder must be configured with the same setting for successful negotiation.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start the IP Security Policy Management snap-in
Open MMC
Select a filter action for a rule
Add, edit, or remove IPSec security methods
Filter action
Working with MMC console files