Step 3: Creating a Firewall Rule for the Client to Support Encryption

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In this step, you create a new firewall rule that applies to the client computer so that it can successfully encrypt the connection as required by the server.

To create a Telnet firewall rule that requires authentication for the client

  1. On MBRSVR1, in Group Policy Management, under Group Policy Objects, right-click Firewall Settings for Windows Clients, and then click Edit.

  2. In the Group Policy Management Editor, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, right-click Outbound Rules, and then click New Rule.

  3. On the Rule Type page, click Custom, and then click Next.

  4. On the Program page, click All Programs, and then click Next.

Note

By restricting the rule to the Telnet port number (in the next step), instead of the program name, any correctly configured Telnet client can be used. If you specify a program by path and file name then only that specific program works, and other Telnet client programs fail. This configuration is recommended only for outbound rules. For inbound rules, we recommend that you use both a port restriction and a program restriction. That way the port is only open when the program is running. If you do not specify a program then the port remains open all the time.

  1. On the Protocol and Ports page, change the Protocol type to TCP.

  2. Change the Remote port list to Specific Ports, type 23 in the text box, and then click Next.

  3. On the Scope page, under Which remote IP addresses does this rule match, select the These IP addresses check box. Make sure to select the option under remote.

  4. To the right of the Remote address section, click Add.

  5. In the IP Address dialog box, type 192.168.0.100 (the IP address of MBRSVR1) in the top text box, click OK, and then click Next.

Important

Adding the IP address of the server makes this rule more specific than the outbound Telnet rule that you created earlier. When two rules potentially match a connection, the most specific one is select. This means that when you try to Telnet to 192.168.0.100, the authentication and encryption requirements are enforced. If you Telnet to any other server, the other rule is matched and authentication and encryption are not required.

  1. Perform one of the following:

    • If you are running Windows Server 2008 R2: On the Action page, select Allow the connection if it is secure, click Customize, select Require the connections to be encrypted, click OK, and then click Next.

    • If you are running Windows Server 2008: On the Action page, select Allow the connection if it is secure, click Require the connections to be encrypted, and then click Next.

  2. On the Computers page, click Next.

  3. On the Profile page, clear the Private and Public check boxes, and then click Next.

  4. Name the rule Allow only encrypted Telnet to MBRSVR1, and then click Finish.

  5. At an Administrator: Command Prompt, run gpupdate /force. Wait until the command finishes.

Next topic: Step 4: Testing the Rule When Admin1 Is Not a Member of the Group