Create Filter Lists for Clients of Isolated Server Running Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

IP Security rules for Windows 2000, Windows XP, and Windows Server 2003 are composed of filter lists, filter actions, and authentication methods. In this section, you create the filter lists for your isolated server zone clients that you later combine with filter actions and authentication method lists.

The filter lists you need for either a domain isolation or server isolation scenario include:

  • All ICMP Traffic. This filter list exists by default, but the procedure in this topic shows you how to re-create it, if necessary. This filter list contains a single filter that matches any ICMP network packets. It is used to create an exemption rule that allows ICMP to work without authentication to simplify network troubleshooting.

  • All Exempted Computers. This is a new filter list that you must create. The list contains filters for any computers that cannot participate in IPsec authentication, and that do not work well with the delays caused by fallback-to-clear behavior.

Note

Remember that with the simplified IPsec policy described in article 914841 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?linkid=110514), and implemented in Configure Settings to Optimize IPsec Behavior on Earlier Versions of Windows, the fallback-to-clear timeout is reduced from 3 seconds to 500 milliseconds. Consider not including in this list any servers whose network services work with fallback-to-clear to keep the list small and manageable. Include only those servers whose services do not work well even with the reduced fallback-to-clear timeout.

  • All IP Traffic. This filter list exists by default, but the procedure in this topic shows you how to re-create it, if necessary. This filter list contains a single filter that matches traffic that is not better matched by another filter list.

    If all of the services on your network work well with the 500 ms fallback-to-clear timeout used by IPsec in Windows Server 2003 and earlier versions of Windows, then you can simplify your deployment by associating this filter list with the Request Security filter action in the GPO for the client computers that are members of the NAG. In that case, you do not need to create the IP Traffic to Isolated Servers filter list. If you must use the IP Traffic to Isolated Servers filter list, then associate this filter list with the Permit filter action in the GPO.

  • IP Traffic to Isolated Servers. This filter list contains only the IP addresses of the computers in the isolated server zone.

    Create this filter list if you have network services that do not work well with the 500 ms fallback-to-clear timeout. It requires more maintenance, because you must keep the list of IP addresses up to date. This IP filter list is associated with the Request Security filter action in the GPO.
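The four filter lists above interact through two rules that the wizard pages only hint at: a mirrored filter also covers the reply direction, and when several filters match a packet the most specific one decides which filter list (and so which filter action) applies. The following model, added here as an example and not code from the original article or from Microsoft, makes those rules concrete and also exercises the ipaddress/nn subnet notation used later in this topic. The local address 10.0.1.25, the exempt subnet 10.1.2.0/24, the exempt host 10.1.3.7 and the isolated server 10.0.5.10 are constructed values.

```python
"""Model of how IPsec in Windows 2000, Windows XP and Windows Server 2003 chooses
between the filter lists described in the overview.

Added example, not code from the original article or from Microsoft: the local
address, the exempt subnet and the isolated-server addresses are constructed.
A packet is checked against every filter; a mirrored filter also matches with the
addresses reversed; when several match, the most specific one wins, which is why
"All IP Traffic" only ever catches traffic that no other list matches better.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ME = IPv4Address("10.0.1.25")  # "My IP Address" on the client (constructed)


def address(spec: str) -> Optional[IPv4Network]:
    """Parse the wizard's address choices: 'any', 'me', 'a.b.c.d' or 'a.b.c.d/nn'."""
    if spec == "any":
        return None                      # Any IP Address
    if spec == "me":
        return IPv4Network(f"{ME}/32")   # My IP Address
    # 'a.b.c.d/nn' with nn mask bits, as the article describes; a bare address
    # becomes a /32.  strict=True rejects a subnet whose host bits are set.
    return IPv4Network(spec, strict=True)


def subnet_hosts(spec: str):
    """First and last usable host of a subnet given as ipaddress/nn."""
    hosts = list(IPv4Network(spec).hosts())
    return str(hosts[0]), str(hosts[-1])


@dataclass(frozen=True)
class Filter:
    filter_list: str                 # name of the IP filter list this filter belongs to
    src: Optional[IPv4Network]       # None = Any IP Address
    dst: Optional[IPv4Network]
    protocol: Optional[str]          # None = Any protocol
    mirrored: bool = True


def _contains(net: Optional[IPv4Network], addr: IPv4Address) -> bool:
    return net is None or addr in net


def _bits(net: Optional[IPv4Network]) -> int:
    """Specificity of an address term: fixed prefix bits (0 for Any, 32 for a host)."""
    return 0 if net is None else net.prefixlen


def specificity(f: Filter) -> int:
    return _bits(f.src) + _bits(f.dst) + (1 if f.protocol else 0)


def filter_matches(f: Filter, src: IPv4Address, dst: IPv4Address, proto: str) -> bool:
    if f.protocol is not None and f.protocol != proto:
        return False
    if _contains(f.src, src) and _contains(f.dst, dst):
        return True
    # Mirrored: the same filter covers the packet with the addresses reversed.
    return f.mirrored and _contains(f.src, dst) and _contains(f.dst, src)


def classify(filters: List[Filter], src: str, dst: str, proto: str) -> Optional[str]:
    """Name of the filter list whose filter best matches the packet, or None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    hits = [f for f in filters if filter_matches(f, s, d, proto)]
    return max(hits, key=specificity).filter_list if hits else None


# The four lists from the overview; the destination addresses are constructed.
POLICY = [
    Filter("All ICMP Traffic", address("me"), address("any"), "ICMP"),
    Filter("All Exempted Computers", address("me"), address("10.1.2.0/24"), None),
    Filter("All Exempted Computers", address("me"), address("10.1.3.7"), None),
    Filter("IP Traffic to Isolated Servers", address("me"), address("10.0.5.10"), None),
    Filter("All IP Traffic", address("me"), address("any"), None),
]

if __name__ == "__main__":
    for pkt in [("10.0.1.25", "172.16.9.9", "ICMP"), ("10.0.1.25", "10.1.2.5", "TCP"),
                ("10.0.5.10", "10.0.1.25", "TCP"), ("10.0.1.25", "172.16.9.9", "TCP")]:
        print(pkt, "->", classify(POLICY, *pkt))
    print(subnet_hosts("192.168.0.0/24"))
```

The order of the entries in POLICY does not matter; only specificity does, so the catch-all "All IP Traffic" can never steal a packet from "All Exempted Computers" or "IP Traffic to Isolated Servers", and an inbound reply from an isolated server is classified the same way as the outbound request because the filter is mirrored.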

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.

To create the All ICMP Traffic filter

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage IP Filter Lists tab.

  4. If All ICMP Traffic appears in the list, and that filter list has not been modified, you can use it as is. If it does not exist, click Add.

  5. In the Name text box, type All ICMP Traffic.

  6. Provide a good description that will help you understand the purpose of the filter list when you refer to it in the future (for example, Matches all ICMP packets between this computer and any other computer).

  7. Click Add.

  8. On the Welcome page, click Next.

  9. On the IP Filter Description and Mirrored Property page, type a good description that will help you understand the purpose of the IP filter when you refer to it in the future.

  10. Select Mirrored, and then click Next. Mirroring allows the rule to apply to traffic flowing either way for a connection, without having to create a second rule in which the addresses are reversed.

  11. On the IP Traffic Source page, select My IP Address from the list, and then click Next.

  12. On the IP Traffic Destination page, select Any IP Address from the list, and then click Next.

  13. On the IP Protocol Type page, select ICMP from the list, and then click Next.

  14. On the Completing the IP Filter Wizard page, click Finish.

To create the All Exempted Computers filter

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage IP Filter Lists tab.

  4. Click Add.

  5. In the Name text box, type All Exempted Computers.

  6. Provide a good description that will help you to understand the purpose of the filter list when you refer to it in the future (for example, Matches all network traffic between this computer and any computer on the exemption list).

  7. Click Add.

  8. On the Welcome page, click Next.

  9. On the IP Filter Description and Mirrored Property page, type a good description that will help you understand the purpose of the IP filter when you refer to it in the future (for example, All Exchange servers on the 10.1.2.0/24 Network).

  10. Check Mirrored, and then click Next. Mirroring allows the rule to apply to traffic flowing either way for a connection, without having to create a second rule in which the addresses are reversed.

  11. On the IP Traffic Source page, select My IP Address from the list, and then click Next.

  12. On the IP Traffic Destination page, select one of the following:

    • For a single computer by name, select A specific DNS Name, type the host name, and then click Next. On the Security Warning dialog box, the discovered IP addresses are displayed. Click Yes to add each address to the IP filter list.

Warning

The DNS name is not stored. It is only used to look up the IP address, which is stored in the IP filter. If the IP address of the computer changes, this value is not dynamically updated; you must manually update the IP filter with the new IP address.

    • For a single computer by IP address, or for a group of computers by subnet address, select A specific IP Address or Subnet, type the IP address or subnet address in the text box, and then click Next. For a typical IPv4 subnet address, use the format ipaddress/nn, where nn is the number of bits in the subnet mask. For example, 192.168.0.0/24 indicates all IP addresses from 192.168.0.1 to 192.168.0.254.

    • For computers performing a specified server role, select one of the following: DNS Servers, WINS Servers, DHCP Servers, or Default Gateway. This filter matches when the local computer attempts to connect to a computer for the specified service.

  13. On the IP Protocol Type page, select Any from the list, and then click Next.

  14. On the Completing the IP Filter Wizard page, click Finish.

  15. Using the set of computers that you identified as your exemption list in your domain isolation design, repeat steps 6 through 13 for each computer or set of computers to complete the exemption list.

  16. When the list is complete, click OK to save the exemption list.


To create the All IP Traffic filter

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage IP Filter Lists tab.

  4. If the list includes All IP Traffic, and that filter list has not been modified, you can use it as is. If it does not exist, click Add.

  5. In the Name text box, type All IP Traffic.

  6. Provide a good description that will help you understand the purpose of the filter list when you refer to it in the future (for example, Matches all IP packets from this computer to any other computer, except those protocols exempted by “NoDefaultExempt” registry key).

  7. Click Add.

  8. On the Welcome page, click Next.

  9. On the IP Filter Description and Mirrored Property page, type a good description that will help you understand the purpose of the IP filter when you refer to it in the future.

  10. Check Mirrored, and then click Next. Mirroring allows the rule to apply to traffic flowing either way for a connection, without having to create a second rule in which the addresses are reversed.

  11. On the IP Traffic Source page, select My IP Address from the list, and then click Next.

  12. On the IP Traffic Destination page, select Any IP Address from the list, and then click Next.

  13. On the IP Protocol Type page, select Any from the list, and then click Next.

  14. On the Completing the IP Filter Wizard page, click Finish.

To create the IP Traffic to Isolated Servers filter

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage IP Filter Lists tab.

  4. Click Add to create a new IP filter list.

  5. In the Name text box, type IP Traffic to Isolated Servers.

  6. Provide a good description that will help you understand the purpose of the filter list when you refer to it in the future (for example, Matches IP packets from this computer to the servers in the Isolated Server zone).

  7. Click Add to create a new IP filter.

  8. On the Welcome page, click Next.

  9. On the IP Filter Description and Mirrored Property page, type a good description that will help you understand the purpose of the IP filter when you refer to it in the future. For example, enter the name of the isolated server whose IP address is being added here.

  10. Check Mirrored, and then click Next. Mirroring allows the rule to apply to traffic flowing either way for a connection, without having to create a second rule in which the addresses are reversed.

  11. On the IP Traffic Source page, select My IP Address from the list, and then click Next.

  12. On the IP Traffic Destination page, select A Specific IP Address or Subnet from the list.

Important

Alternatively, you can enter the address by using the A specific DNS Name option, but DNS name resolution only occurs when the filter list is created. If the IP address of the server changes, the policy is not updated automatically. To update the IP address, you must edit the policy.

  13. Type the IP address of one of the isolated servers in the zone, and then click Next.

  14. On the IP Protocol Type page, select Any from the list, and then click Next.

  15. On the Completing the IP Filter Wizard page, click Finish.