Export (0) Print
Expand All
Expand Minimize

Configure Connection Security Rules for End-to-end Access

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

ImportantImportant
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=179989).

After you have used the DirectAccess Setup Wizard to create a base configuration for selected server access, you must manually modify the connection security rules to require end-to-end IPsec peer authentication and encryption between the DirectAccess client and intranet resources. You can configure these rules for the following:

  • Encryption is required between DirectAccess clients and intranet resources only when the DirectAccess client is on the Internet (no encryption when the DirectAccess client is on the intranet).

  • Encryption is always required between DirectAccess clients and intranet resources (encryption when the DirectAccess client is on the intranet or the Internet).

Because the default connection security rules contain settings that are not configurable with the Windows Firewall with Advanced Security snap-in, you must modify the connection security rules with commands in the netsh advfirewall consec context.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

In this procedure, you configure end-to-end access connection security rules to require encryption only when DirectAccess clients are on the Internet.

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh –c advfirewall command.

  3. From the netsh advfirewall prompt, run the following commands:

    set store gpo=" DomainName \DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"

    consec set rule name=”DirectAccess Policy-clientToAppServer” new qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb” action=requireinrequireout

    consec set rule name=”DirectAccess Policy-ClientToCorp” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-ClientToDnsDc” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-ClientToMgmt” new exemptipsecprotectedconnections=yes

    set store gpo=" DomainName \DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}”

    consec set rule name=”DirectAccess Policy-DaServerToMgmt” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-DaServerToCorp” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-DaServerToDnsDc” new exemptipsecprotectedconnections=yes

    set store gpo=” DomainName \DirectAccess Policy-{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}”

    consec set rule name=”DirectAccess Policy-appServerToIpHttpsClientPolicy” new qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”

    consec set rule name=”DirectAccess Policy-appServerToClient” new qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”

In this procedure, you configure end-to-end access connection security rules to always require encryption.

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh –c advfirewall command.

  3. From the netsh advfirewall prompt, run the following commands:

    set store gpo=” DomainName \DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”

    consec set rule name=”DirectAccess Policy-clientToAppServer” new endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”

    consec set rule name=”DirectAccess Policy-ClientToCorp” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-ClientToDnsDc” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-ClientToMgmt” new exemptipsecprotectedconnections=yes

    set store gpo=” DomainName \DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}”

    consec set rule name=”DirectAccess Policy-DaServerToMgmt” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-DaServerToCorp” new exemptipsecprotectedconnections=yes

    consec set rule name=”DirectAccess Policy-DaServerToDnsDc” new exemptipsecprotectedconnections=yes

    set store gpo=” DomainName \DirectAccess Policy-{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}”

    consec set rule name=”DirectAccess Policy-appServerToIpHttpsClientPolicy” new endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”

    consec set rule name=”DirectAccess Policy-appServerToClient” new endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft