Configure Connection Security Rules for Traffic Between DirectAccess Clients

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

To protect the traffic sent between DirectAccess clients, you must configure additional connection security rules.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure connection security rules for traffic between DirectAccess clients

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the `netsh -c advfirewall` command.

  3. From the netsh advfirewall prompt, run the `set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"` command.

  4. To exempt the traffic between DirectAccess clients and intranet resources when the DirectAccess clients are connected to the intranet, from the netsh advfirewall prompt, run the `consec add rule name=RuleName endpoint1=IntranetIPv6Prefix endpoint2=IntranetIPv6Prefix action=noauthentication profile=domain,public,private` command.

  5. To create an inbound firewall rule for an application that needs to accept unsolicited inbound connection requests, from the netsh advfirewall prompt, run the `firewall add rule name=RuleName profile=public,private program=system action=allow security=authenc protocol=Protocol localport=Port` command.

     For example, to create an inbound firewall rule for Remote Desktop traffic, run the `firewall add rule name=RemoteDesktop profile=public,private program=system action=allow security=authenc protocol=tcp localport=3389` command.

  6. To request protection of traffic between DirectAccess clients for all applications, from the netsh advfirewall prompt, run the `consec add rule name=RuleName endpoint1=any endpoint2=any action=requestinrequestout profile=public,private auth1=computercert auth1ca=CANameString` command.

  7. To require protection of traffic between DirectAccess clients for all applications, from the netsh advfirewall prompt, run the `consec add rule name=RuleName endpoint1=any endpoint2=any action=requireinrequestout profile=public,private auth1=computercert auth1ca=CANameString` command.
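The whole procedure as one script, added here as an example and not taken from the article: it writes the netsh commands from steps 2 to 6 to a script file, runs them with `netsh -f` so that the `set store` context applies to every rule, and then lists the resulting rules in the GPO store as a check. The domain name, IPv6 prefix, CA name string and rule names are assumed placeholder values; it applies the "request" rule of step 6 rather than the "require" rule of step 7.

```powershell
# Added example, not part of the original article. Every value below is a
# constructed placeholder: replace the domain, prefix and CA name with your own.
# Run from an elevated PowerShell prompt on a domain controller.
$DomainName     = 'corp.example.com'                          # assumed
$GpoStore       = "$DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
$IntranetPrefix = '2001:db8:1::/48'                           # assumed intranet IPv6 prefix
$CaName         = 'DC=com, DC=example, DC=corp, CN=corp-CA'   # assumed CA name string

# A single netsh script keeps the 'set store' context for the commands that follow,
# which separate 'netsh advfirewall ...' one-liners would not.
$NetshScript = @"
advfirewall
set store gpo="$GpoStore"
# Step 4: no IPsec between DirectAccess clients and intranet resources while on the intranet
consec add rule name="DA Intranet Exemption" endpoint1=$IntranetPrefix endpoint2=$IntranetPrefix action=noauthentication profile=domain,public,private
# Step 5: inbound rule for an application that accepts unsolicited connections (Remote Desktop)
firewall add rule name="DA RemoteDesktop" profile=public,private program=system action=allow security=authenc protocol=tcp localport=3389
# Step 6: request protection between clients; use action=requireinrequestout for step 7 instead
consec add rule name="DA Client-to-Client" endpoint1=any endpoint2=any action=requestinrequestout profile=public,private auth1=computercert auth1ca="$CaName"
# Check: show what now exists in the GPO store
consec show rule name=all
firewall show rule name="DA RemoteDesktop"
"@

$ScriptPath = Join-Path $env:TEMP 'da-consec.txt'
Set-Content -Path $ScriptPath -Value $NetshScript -Encoding ASCII
netsh -f $ScriptPath
Remove-Item $ScriptPath
```

Review the `consec show rule` output before clients refresh Group Policy, since a rule created with `action=requireinrequestout` blocks client-to-client traffic from any DirectAccess client that cannot present a computer certificate from the named CA.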
