Connection Security Rule Wizard: Tunnel Endpoints Page - Gateway-to-Client

Published: January 20, 2009

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

Select Gateway-to-client on the Tunnel Type page if the connection security rule is for a computer that will be the local tunnel endpoint (gateway) to the computers on a private network. You can use this page to configure the IP addresses of the remote clients that can establish a tunnel to this gateway, and the computers that are behind the gateway on the private network.

The following figure shows the components that you can configure by using this wizard page.


  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

  2. On the Rule Type page, select Tunnel.

  3. In Steps, click Tunnel Type, and then select Gateway-to-client.

  4. Click Next until you reach the Tunnel Endpoints page.

The local endpoints are computers on the private network behind the gateway that must be able to send data to and receive data from the remote client through the tunnel. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Addresses dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

The local endpoints are referred to as Endpoint 1 on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

The local tunnel endpoint is the computer to which the remote client sends packets that are addressed to a computer in Endpoint 1. The local tunnel computer receives a network packet from the remote client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 1. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both.

The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway.

This option is set to Any IP address and cannot be changed. The client computer in this scenario is both the remote tunnel endpoint and the only computer in Endpoint 2.

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are accessible behind the local tunnel endpoint, use the Computers tab and configure the settings for Endpoint 1. To change the local tunnel endpoint (the gateway), from the Advanced tab, under IPsec Tunneling, click Customize, and then change Local tunnel endpoint.

Community Additions