Change Rules from Request to Require Mode

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that computers in the boundary zone can continue to accept connections from computers that are not part of the isolated domain.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

In this topic:

  • Convert a rule in a GPO for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

  • Convert a rule for an earlier version of Windows

  • Refresh policy on the client computers to receive the modified GPOs

To convert a rule from request to require mode for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

  1. Open the Group Policy Management Console to Windows Firewall with Advanced Security.

  2. In the navigation pane, click Connection Security Rules.

  3. In the details pane, double-click the connection security rule that you want to modify.

  4. Click the Authentication tab.

  5. In the Requirements section, change Authenticated mode to Require inbound and request outbound, and then click OK.

To convert a rule from request to require mode for Windows XP, Windows Server 2003, or Windows 2000

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, double-click the domain isolation policy that you created earlier.

  3. Find the rule that requests authentication for all IP traffic except ICMP and the exemption list. Select the rule, but do not clear the check box, and then click Edit.

  4. In the Edit Rule Properties dialog box, select the Filter Action tab.

  5. Select Require Authentication or Require Authentication and Encryption as required by your design, and then click OK twice to save your changes.

  6. Either manually refresh Group Policy on your client computers, or wait for automatic GPO refresh. The only change you should see to your network traffic is that unauthenticated network connections are now rejected instead of being allowed to continue in clear text.

To apply the modified GPOs to the client computers

  1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, start a command prompt as an administrator and run one of the following commands:

    • On computers that are running Windows XP or later, run the following command:

      gpupdate /force
      
    • On computers that are running Windows 2000, run the following command:

      secedit /refreshpolicy machine_policy /enforce
      
  2. To verify that the modified GPO is correctly applied to the client computers, you can run one of the following commands:

    • On computers that are running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2, run the following command:

      gpresult /r /scope computer
      
    • On computers that are running Windows XP or Windows Server 2003, run the following command:

      gpresult /scope computer
      
    • On computers that are running Windows 2000, run the following command:

      gpresult /C
      
  3. Examine the command output for the list of GPOs that are applied to the computer, and make sure that the list contains the GPOs you expect to see on that computer.
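As an added check that is not part of the original topic, the PowerShell script below confirms the result of the whole procedure on a Windows Vista, Windows 7, or Windows Server 2008 computer after the GPO refresh: it parses the output of netsh advfirewall consec show rule name=all and reports any isolated-domain or encryption-zone rule that is still in request mode, while confirming that the boundary-zone rule still requests rather than requires. The rule names, the expected-mode table, and the sample netsh output are assumptions constructed for this example; substitute the names used in your own GPOs.

```powershell
# Added example: verify the effective authentication mode of IPsec connection
# security rules after the GPO change, by parsing 'netsh advfirewall consec show rule'
# output (Windows Vista/7/Server 2008 and later). Written for PowerShell 2.0 syntax.

# Expected Action value per rule after the change (assumed rule names; adjust to your GPOs).
$Expected = @{
    'Domain Isolation Rule' = 'RequireInRequestOut'   # isolated domain: now require
    'Encryption Zone Rule'  = 'RequireInRequireOut'   # encryption zone: now require
    'Boundary Zone Rule'    = 'RequestInRequestOut'   # boundary zone: must stay request
}

function ConvertFrom-ConsecRuleOutput {
    param([string[]]$Lines)
    # Each rule block in the netsh output starts with 'Rule Name:'; collect Name/Action pairs.
    $rules = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{ Name = $Matches[1]; Action = $null }
        } elseif ($current -and $line -match '^Action:\s+(\S+)') {
            $current.Action = $Matches[1]
        }
    }
    if ($current) { $rules += $current }
    return $rules
}

function Test-IsolationRuleModes {
    param([string[]]$Lines, [hashtable]$Expected)
    $rules = ConvertFrom-ConsecRuleOutput -Lines $Lines
    foreach ($name in $Expected.Keys) {
        $rule = $rules | Where-Object { $_.Name -eq $name }
        if (-not $rule) { "MISSING  $name (GPO not applied? check gpresult output)"; continue }
        if ($rule.Action -eq $Expected[$name]) { "OK       $name = $($rule.Action)" }
        else { "MISMATCH $name = $($rule.Action), expected $($Expected[$name])" }
    }
}

# Constructed sample output so the script runs offline; on a live computer use:
#   $lines = netsh advfirewall consec show rule name=all
$lines = @(
    'Rule Name:                            Domain Isolation Rule',
    'Enabled:                              Yes',
    'Action:                               RequireInRequestOut',
    'Rule Name:                            Boundary Zone Rule',
    'Enabled:                              Yes',
    'Action:                               RequestInRequestOut'
)
# With the sample above: OK for the isolation rule, OK for the boundary rule,
# and MISSING for the encryption zone rule, which the sample does not contain.
Test-IsolationRuleModes -Lines $lines -Expected $Expected
```

Run it from an elevated prompt after gpupdate /force; a MISMATCH on an isolation or encryption rule means the modified GPO has not yet taken effect, and a MISMATCH on the boundary rule means that rule was changed by mistake and boundary computers will start rejecting unauthenticated peers.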