Configure Packet Filters to Allow ICMP Traffic

Updated: February 19, 2010

Applies To: Windows Server 2008 R2

To provide connectivity for Teredo-based DirectAccess clients, you need to configure Windows Firewall with Advanced Security rules for all of your domain member computers to allow Internet Control Message Protocol for Internet Protocol version 6 (IPv6) (ICMPv6) Echo Request messages and, when using a NAT64 to translate IPv6 to IPv4 traffic on your intranet, Internet Control Message Protocol for Internet Protocol version 4 (IPv4) (ICMPv4) Echo Request messages.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to configure Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create and enable firewall rules for ICMPv6 traffic

1. Click Start, click Run, type gpmc.msc, and then press ENTER.

2. In the console tree, open **Forest/Domains/**YourDomain, right-click the Group Policy object (GPO) that applies to all of your intranet domain members, and then click Edit.

3. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.

4. In the console tree, right-click Inbound Rules, and then click New Rule.

5. On the Rule Type page, click Custom, and then click Next. On the Program page, click Next. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK. Click Next. On the Scope page, click Next. On the Action page, click Next. On the Profile page, click Next. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.

6. In the console tree, right-click Outbound Rules, and then click New Rule.

7. On the Rule Type page, click Custom, and then click Next. On the Program page, click Next. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK. Click Next. On the Scope page, click Next. On the Action page, click Allow the connection, and then click Next. On the Profile page, click Next. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.

The following procedure is only needed when you are using a NAT64 on your intranet.

To create and enable firewall rules for ICMPv4 traffic

1. Click Start, click Run, type gpmc.msc, and then press ENTER.

2. In the console tree, open **Forest/Domains/**YourDomain, right-click the Group Policy object (GPO) that applies to all of your intranet domain members, and then click Edit.

3. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.

4. In the console tree, right-click Inbound Rules, and then click New Rule.

5. On the Rule Type page, click Custom, and then click Next. On the Program page, click Next. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK. Click Next. On the Scope page, click Next. On the Action page, click Next. On the Profile page, click Next. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.