
Configure Connection Security Rules for Traffic Between DirectAccess Clients

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=179989).

To protect the traffic sent between DirectAccess clients, you must configure additional connection security rules.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command.

  4. To exempt the traffic between DirectAccess clients and intranet resources when the DirectAccess clients are connected to the intranet, from the netsh advfirewall prompt, run the consec add rule name=RuleName endpoint1=IntranetIPv6Prefix endpoint2=IntranetIPv6Prefix action=noauthentication profile=domain,public,private command.

  5. To create an inbound firewall rule for an application that needs to accept unsolicited inbound connection requests, from the netsh advfirewall prompt, run the firewall add rule name=RuleName profile=public,private program=system action=allow security=authenc protocol=Protocol localport=Port command.

    For example, to create an inbound firewall rule for Remote Desktop traffic, run the firewall add rule name=RemoteDesktop profile=public,private program=system action=allow security=authenc protocol=tcp localport=3389 command.

  6. To request protection of traffic between DirectAccess clients for all applications, from the netsh advfirewall prompt, run the consec add rule name=RuleName endpoint1=any endpoint2=any action=requestinrequestout profile=public,private auth1=computercert auth1ca=CANameString command.

  7. To require protection of traffic between DirectAccess clients for all applications, from the netsh advfirewall prompt, run the consec add rule name=RuleName endpoint1=any endpoint2=any action=requireinrequestout profile=public,private auth1=computercert auth1ca=CANameString command.
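The procedure above collected into a single script (an added example, not part of the original topic): the intranet IPv6 prefix, CA name string and rule names are assumed placeholders, and PowerShell is used only to write and run a netsh script file, because the GPO store selected in step 3 applies only within the netsh session that set it.

```powershell
# Added example, not from the original TechNet topic: applies the rules from
# steps 2 to 7 to the DirectAccess client GPO in one netsh session and then
# lists them so the result can be verified. Run on a domain controller from an
# elevated PowerShell prompt. All values marked "assumed" are placeholders.
$gpoStore       = 'DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}'  # replace DomainName
$intranetPrefix = '2001:db8:1::/48'               # assumed intranet IPv6 prefix (documentation range)
$caName         = 'O=Contoso,CN=Contoso Root CA'  # assumed CA name string for auth1ca
$rdpPort        = 3389                            # Remote Desktop, as in step 5

# Start in 'request' mode (step 6). Switch to 'requireinrequestout' (step 7)
# only once every DirectAccess client holds a computer certificate issued by
# $caName, because 'require' rejects inbound connections from peers that
# cannot negotiate IPsec.
$clientAction = 'requestinrequestout'

# 'set store' applies only to the netsh session that issued it, so all commands
# are placed in one script and run with netsh -f rather than as one netsh
# process per command (each new process would default to the local store).
$netshScript = @"
pushd advfirewall
set store gpo="$gpoStore"
consec add rule name="DA Intranet Exempt" endpoint1=$intranetPrefix endpoint2=$intranetPrefix action=noauthentication profile=domain,public,private
firewall add rule name="RemoteDesktop" profile=public,private program=system action=allow security=authenc protocol=tcp localport=$rdpPort
consec add rule name="DA Client to Client" endpoint1=any endpoint2=any action=$clientAction profile=public,private auth1=computercert auth1ca="$caName"
consec show rule name=all
firewall show rule name="RemoteDesktop"
popd
"@

$scriptPath = Join-Path $env:TEMP 'directaccess-consec.txt'
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII
try {
    netsh -f $scriptPath
    if ($LASTEXITCODE -ne 0) { throw "netsh returned exit code $LASTEXITCODE; check the output above." }
}
finally {
    Remove-Item $scriptPath -ErrorAction SilentlyContinue
}
```

The two show commands at the end print the rules as stored in the GPO, so a missing rule or a wrong store is visible before the policy is refreshed on clients.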

