Connection Security Rule Wizard: Rule Type Page

Applies To: Windows 7, Windows Server 2008 R2

You can use the New Connection Security Rule wizard to create Internet Protocol security (IPsec) rules to meet different network security goals. Use this page to select the type of rule that you want to create.

The wizard provides four predefined rule types. You can also create a custom rule.

Note

As a best practice, give each connection security rule a unique name so that you can later use the Netsh command-line tool to manage your rules. Do not name a security rule "all" because that name conflicts with the all keyword in the netsh command.

To get to this wizard page

  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

  2. The Rule Type page is displayed.

Isolation

An isolation rule restricts connections based on authentication criteria that you define. For example, you can use this rule type to isolate computers that are joined to your domain from computers that are outside your domain, such as computers on the Internet. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Authentication exemption

Use this option to create a rule that exempts specified computers from being required to authenticate, regardless of other connection security rules. This rule type is typically used to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or DHCP servers, that this computer must communicate with before authentication can be performed. It is also used for computers that cannot use the form of authentication you configured for this policy and profile.

If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Note

Although the computers are exempt from authentication, network traffic from them might still be blocked by Windows Firewall unless a firewall rule allows them to connect.

Server-to-server

Use this rule type to authenticate the communications between two specified computers, between two groups of computers, between two subnets, or between a specified computer and a group of computers or a subnet. You might use this rule to authenticate the traffic between a database server and a business-layer computer, or between an infrastructure computer and another server. This rule is similar to the isolation rule type, but the Endpoints page will be displayed so that you can identify the computers that are affected by this rule.

If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Tunnel

Use this rule type to secure communications between two computers by using tunnel mode, instead of transport mode, in IPsec. Tunnel mode embeds the entire network packet in a network packet that is routed between two defined endpoints. For each endpoint, you can specify a single computer that receives and consumes the network traffic sent through the tunnel, or you can specify a gateway computer that connects to a private network onto which the received traffic is routed after the receiving tunnel endpoint extracts it from the tunnel.

If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Custom

Use this rule type to create a rule that requires special settings. This option enables all of the wizard pages except those that are used only to create tunnel rules.
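The same four predefined rule types can be created from the command line with the Netsh tool that the note above refers to. The following PowerShell script is an added example, not part of this documentation page: it guards against the reserved name "all" and against duplicate names before each call, then creates one isolation, one authentication exemption, one server-to-server and one tunnel rule. The IP addresses are placeholders, and the parsing of the "Rule Name:" label assumes an English-locale netsh output.

```powershell
# Added example (not from the documentation page): create the four predefined
# rule types with netsh and guard the rule names as the note above advises.
# IP addresses below are placeholders (RFC 5737 / private ranges), not real hosts.
$ErrorActionPreference = 'Stop'

function Get-ConsecRuleNames {
    # "Rule Name:" is the label netsh prints on English-locale systems (assumption).
    (netsh advfirewall consec show rule name=all) |
        ForEach-Object { if ($_ -match '^Rule Name:\s+(.+)$') { $Matches[1].Trim() } }
}

function Add-ConsecRule {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string[]]$Arguments)
    # "all" is a netsh keyword, so a rule literally named "all" can no longer be addressed individually.
    if ($Name -eq 'all') { throw "Rule name 'all' collides with the netsh keyword." }
    if (Get-ConsecRuleNames | Where-Object { $_ -eq $Name }) {
        throw "Rule '$Name' already exists; give each rule a unique name."
    }
    & netsh advfirewall consec add rule "name=$Name" @Arguments
}

# Isolation: require authentication inbound, request it outbound, for any endpoints
# on the domain profile, using Kerberos computer authentication.
Add-ConsecRule -Name 'Domain isolation' -Arguments @(
    'endpoint1=any', 'endpoint2=any', 'action=requireinrequestout',
    'auth1=computerkerb', 'profile=domain')

# Authentication exemption: the domain controller (placeholder address) must be
# reachable before IPsec authentication can succeed, so exempt it.
Add-ConsecRule -Name 'Exempt domain controller' -Arguments @(
    'endpoint1=any', 'endpoint2=198.51.100.10', 'action=noauthentication')

# Server-to-server: require authentication in both directions between two hosts.
Add-ConsecRule -Name 'DB to app server' -Arguments @(
    'endpoint1=198.51.100.20', 'endpoint2=198.51.100.30',
    'action=requireinrequireout', 'auth1=computerkerb')

# Tunnel: two gateways front two private subnets; whole packets are encapsulated
# between the tunnel endpoints rather than protected host-to-host.
Add-ConsecRule -Name 'Site tunnel' -Arguments @(
    'mode=tunnel', 'endpoint1=10.0.1.0/24', 'endpoint2=10.0.2.0/24',
    'localtunnelendpoint=198.51.100.40', 'remotetunnelendpoint=198.51.100.50',
    'action=requireinrequireout', 'auth1=computerkerb')

# List what now exists so the result can be checked against the MMC snap-in.
Get-ConsecRuleNames
```

Run from an elevated PowerShell prompt; as the note under Authentication exemption says, an exemption only removes the IPsec authentication requirement, so a matching firewall rule is still needed for the traffic to be allowed.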

Additional references