Step 5: Examine the Differences in Functionality Between the MMC Snap-in and the Netsh Command-line Tool

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In this topic, you examine the differences between the Windows Firewall with Advanced Security MMC snap-in, and the netsh command-line tool. The following table identifies features supported in Windows 7 and Windows Server 2008 R2 that can be configured either in the MMC snap-in or the netsh command-line tool, but not both. The table identifies how to find the option in the snap-in, or which netsh option implements the feature. Do not modify any of these settings at this point.

Each entry below lists the feature, how the Windows Firewall with Advanced Security MMC snap-in supports it, and how netsh supports it.

Feature: Configure the global IPsec quick mode default settings. These settings are used when a connection security rule does not specify otherwise.

MMC snap-in: On the Windows Firewall with Advanced Security Properties dialog box, on the IPsec Settings tab, under IPsec defaults, click Customize, and then under Data protection (Quick Mode), select Advanced and then click Customize.

Netsh: You cannot use netsh to configure the global quick mode default settings.

Feature: Configure the global IPsec main mode default settings. The global default settings are used when a connection security rule does not specify its own main mode settings, and a separate main mode rule (Windows 7 or Windows Server 2008 R2 only) does not match the connection.

MMC snap-in: On the Windows Firewall with Advanced Security Properties dialog box, on the IPsec Settings tab, under IPsec defaults, click Customize, and then under Key Exchange (Main Mode), select Advanced and then click Customize.

Netsh: You cannot use netsh to configure the global main mode default settings.

Feature: Configure which network connections are protected by each profile. If the check box for a network connection is cleared, then that network connection is not protected by the profile even if the attached network matches that network location type.

MMC snap-in: On the Windows Firewall with Advanced Security Properties dialog box, under any of the Profile tabs, next to Protected network connections, click Customize.

Netsh: You cannot use netsh to configure per-profile enabling or disabling of specific connection types.

Feature: Create main mode rules that specify authentication settings for connections between specified IP addresses, or for connections using specific network location profiles. If a connection matches a main mode rule, then that rule is used instead of the global default settings, or even the settings specified in the connection security rule. Main mode rules are supported on Windows 7 and Windows Server 2008 R2 only.

MMC snap-in: You cannot use the MMC snap-in to create main mode rules.

Netsh: Use the netsh advfirewall mainmode add rule command.

Feature: Create a connection security rule that uses a specific quick mode configuration instead of the global defaults.

MMC snap-in: You cannot use the MMC snap-in to create rules with per-rule quick mode settings. Rules created in the MMC snap-in always use the global quick mode default settings.

Netsh: Use the qmsecmethods parameter of the netsh advfirewall consec add rule command.

Feature: Create a rule that specifies that Perfect Forward Secrecy (PFS) is used in Quick Mode negotiations.

MMC snap-in: You cannot use the MMC snap-in to create a rule that specifies quick mode PFS.

Netsh: Use the qmpfs parameter of the netsh advfirewall consec add rule command.

Feature: Configure how the computer performs certificate revocation list (CRL) checking.

MMC snap-in: You cannot use the MMC snap-in to change the configuration for strong CRL checking.

Netsh: Use the strongcrlcheck parameter of the netsh advfirewall set global command.

Feature: Configure the time-out value for an IPsec security association (SA).

MMC snap-in: You cannot use the MMC snap-in to configure the IPsec SA time-out.

Netsh: Use the saidletimemin parameter of the netsh advfirewall set global command.

Feature: Specify whether the IPv6 Neighbor Discovery protocol is exempted from the requirements of IPsec.

MMC snap-in: You cannot use the MMC snap-in to configure a global IPsec exemption for the IPv6 Neighbor Discovery protocol.

Netsh: Use the neighbordiscovery value in the defaultexemptions parameter of the netsh advfirewall set global command.

Feature: Specify whether DHCP is exempted from the requirements of IPsec.

MMC snap-in: You cannot use the MMC snap-in to configure a global IPsec exemption for the DHCP protocol.

Netsh: Use the dhcp value in the defaultexemptions parameter of the netsh advfirewall set global command.

Feature: Configure a connection security rule that matches UDP packets that contain embedded Teredo packets.

MMC snap-in: You cannot use the MMC snap-in to configure a firewall rule that matches Teredo packets.

Netsh: Use the teredo value in the localport parameter of the netsh advfirewall firewall add rule command.

Feature: Configure Windows Firewall with Advanced Security to allow remote management.

MMC snap-in: You cannot use the MMC snap-in to enable remote management of Windows Firewall with Advanced Security.

Netsh: Use the remotemanagement option of the netsh advfirewall set domainprofile settings command.

Feature: When configuring a Group Policy that contains a list of users or computers that are authorized to use an IPsec tunnel, remove the list and set the effective setting back to "Not configured".

MMC snap-in: When you are managing a GPO, you cannot use the MMC snap-in to set IPsec tunnel authorization for users and computers back to "Not configured".

Netsh: Use the authzusergrp and authzcomputergrp options in the netsh advfirewall set global ipsec command, and set each to the value of notconfigured.
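The following script is added here as an example and is not part of the original topic. It reads the netsh-only settings listed above without changing any of them, so that you can compare them with what the snap-in displays. It assumes an elevated PowerShell session on Windows 7 or Windows Server 2008 R2; the function name Get-NetshGlobalSettings is my own.

```powershell
# Added example, not part of the original Microsoft topic.
# Reads (does not modify) the settings that the table says only netsh can
# configure. Assumes an elevated PowerShell session on Windows 7 / 2008 R2.

function Get-NetshGlobalSettings {
    # Parse "netsh advfirewall show global" into a hashtable of name -> value.
    # Setting lines look like "StrongCRLCheck        0:Disabled": a name,
    # two or more spaces, then the value. Section headers such as
    # "Global Settings:" have a single space and are skipped by the regex.
    $table = @{}
    netsh advfirewall show global | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s{2,}(.+?)\s*$') {
            $table[$matches[1]] = $matches[2]
        }
    }
    return $table
}

$global = Get-NetshGlobalSettings

# Values set through "netsh advfirewall set global ipsec ...":
# CRL checking, SA idle time-out, default exemptions, tunnel authorization.
foreach ($name in 'StrongCRLCheck', 'SAIdleTimeMin', 'DefaultExemptions',
                  'AuthzUserGrp', 'AuthzComputerGrp') {
    '{0,-20} {1}' -f $name, $global[$name]
}

# Remote management is set per profile with
# "netsh advfirewall set domainprofile settings remotemanagement ...".
netsh advfirewall show domainprofile settings |
    Where-Object { $_ -match '^\s*RemoteManagement' }

# Main mode rules exist only through netsh, so list them explicitly;
# the snap-in will not show them.
netsh advfirewall mainmode show rule name=all

# Per-rule quick mode settings (qmsecmethods, qmpfs) are only visible in
# the verbose consec listing; show the rule name and its QuickMode fields.
netsh advfirewall consec show rule name=all verbose |
    Where-Object { $_ -match '^\s*(Rule Name|QuickMode)' }
```

Run the script before and after a policy change to spot settings that were altered with netsh but are not visible in the snap-in.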

Next topic: Deploying Basic Settings by Using Group Policy