Creating Connection Security Rules

Updated: December 1, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

A connection security rule requires two peer computers to authenticate each other before they can establish a connection, and it can also protect the integrity and confidentiality of the information transmitted between the two computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. A connection security rule does not by itself allow or block traffic: inbound and outbound firewall rules still decide what is permitted, and a firewall rule can be configured to allow a connection only if it is protected by a connection security rule.

To create a connection security rule

  1. In Windows Firewall with Advanced Security, in the console tree, click Connection Security Rules.

  2. In the Actions list, click New Rule.

    The Rule Type page, shown in Figure 10, allows you to select the type of rule you want to create. Select a type, and use the wizard to configure the new rule according to the information in the following sections.

By using Windows Firewall with Advanced Security, you can create the rule types described in the following sections.

Isolation

An isolation rule isolates computers by restricting inbound connections based on credentials, such as domain membership or compliance with policies that define the required software and system configurations. Isolation rules allow you to implement a server or domain isolation strategy. When you create an isolation rule, you will see the following wizard pages:

  • Requirements. You can choose when authentication is required. Request means that the computer attempts to authenticate but allows the connection to proceed in the clear if the peer cannot authenticate; require means that the connection is dropped if authentication fails. The options are:

    • Request authentication for inbound and outbound connections

    • Require authentication for inbound connections and request authentication for outbound connections

    • Require authentication for inbound and outbound connections

  • Authentication Method. You can select from the following authentication methods:

    • Default. This selection uses the current computer default selections specified on the IPsec Settings tab of the Windows Firewall Properties page.

    • Computer and user (Kerberos V5). This method uses both computer- and user-based Kerberos V5 authentication to restrict connections to domain-joined users and computers. User authentication, and therefore this method, is compatible only with computers running Windows Vista and later.

    • Computer (Kerberos V5). This method uses Kerberos V5 authentication to restrict connections to domain-joined computers. This method is compatible with computers running Windows 2000 or later.

    • Advanced. This setting allows you to designate multiple authentication methods in order of preference, such as computer certificate, NTLMv2, and preshared key; the first method that both peers support is used. A preshared key is stored in the policy in plain text, so use it only for testing.

  • Profile. Choose the profiles (Domain, Public, and Private) to which the rule applies.

  • Name. Name the rule and type an optional description.

Authentication exemption

You can use an authentication exemption to designate computers that do not require authentication. Computers in an isolated domain can communicate with computers listed in this rule even though those computers cannot authenticate; traffic to and from exempt computers is sent in the clear. Typical candidates are infrastructure that a computer must reach before it can authenticate, such as DHCP, DNS and the default gateway. You can designate computers by IP address, an IP address range, a subnet, or a predefined group, such as the default gateway. When you create an authentication exemption rule, you must configure options on the following wizard pages:

  • Exempt Computers. Add computers that are exempt from authentication. You can add a computer by IP address or IP address range, or you can add a computer based on its role, such as the default gateway, or the DNS servers that the local computer is configured to use.

  • Profile. Choose the profiles (Domain, Public, and Private) to which the rule applies.

  • Name. Name the rule and type an optional description.
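The following example, which is not part of the original procedure, creates the Isolation rule and the Authentication exemption rules described in the two preceding sections from the command line instead of the wizard. It uses netsh because the NetSecurity cmdlets (New-NetIPsecRule) exist only on Windows 8 and Windows Server 2012 and later, whereas netsh advfirewall consec is available on every version this topic applies to. The rule names, the 192.0.2.0/24 management subnet and the staged rollout are illustrative choices, not settings from the page. Run the commands from an elevated PowerShell or command prompt on a domain member.

```powershell
# Added example, not from the original page or from Microsoft documentation.
# Rule names and the 192.0.2.0/24 management subnet are made-up values.

# Phase 1: request authentication in both directions. A request-mode rule never
# blocks anything: if the peer cannot authenticate, the connection proceeds in
# clear text. Deploy this first and watch the main-mode SAs before moving on.
netsh advfirewall consec add rule `
    name="Domain Isolation (pilot)" `
    description="Request Kerberos V5 computer authentication, never block" `
    endpoint1=any endpoint2=any `
    action=requestinrequestout `
    auth1=computerkerb `
    profile=domain

# Phase 2: replace the pilot rule with the production rule. Inbound connections
# from computers that cannot authenticate are now dropped; outbound connections
# still fall back to clear text so members can reach hosts outside the domain.
# auth2=userkerb adds user Kerberos authentication, which only peers running
# Windows Vista or later can satisfy (see "Computer and user (Kerberos V5)").
netsh advfirewall consec delete rule name="Domain Isolation (pilot)"
netsh advfirewall consec add rule `
    name="Domain Isolation" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    auth2=userkerb `
    profile=domain

# Authentication exemptions. action=noauthentication is the netsh form of an
# exemption rule; traffic matched by these rules is exchanged in the clear.
# dhcp, dns and defaultgateway are netsh keywords that resolve to the servers
# the local computer is configured to use.
netsh advfirewall consec add rule name="Exempt DHCP servers" `
    endpoint1=any endpoint2=dhcp action=noauthentication profile=domain
netsh advfirewall consec add rule name="Exempt DNS servers" `
    endpoint1=any endpoint2=dns action=noauthentication profile=domain
netsh advfirewall consec add rule name="Exempt default gateway" `
    endpoint1=any endpoint2=defaultgateway action=noauthentication profile=domain
netsh advfirewall consec add rule name="Exempt management subnet" `
    endpoint1=any endpoint2=192.0.2.0/24 action=noauthentication profile=domain

# Verification: list the connection security rules, display the global IPsec
# settings, and confirm that main-mode and quick-mode security associations are
# actually being negotiated with peers after some traffic has flowed.
netsh advfirewall consec show rule name=all
netsh advfirewall show global
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

If `monitor show mmsa` stays empty after domain members talk to each other, the rule is requesting but not getting authentication; check the peer's rules and the exemptions before switching to require mode, because a require-mode rule with no matching rule on the peer silently drops inbound connections.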

Server-to-server

A server-to-server rule protects connections between specified computers. This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate authentication requirements and the types of authentication that you want to use. When you create a server-to-server rule, you must configure options on the following wizard pages:

  • Endpoints. Specify the computers that are part of Endpoint 1 and Endpoint 2. Endpoint 1 can contain all computers, computers specified by IP address, or computers that are accessible through a specified connection type (such as a local area network or wireless connection). Endpoint 2 can contain all computers or computers specified by IP address.

  • Requirements. Choose when authentication is required. Options are identical to those described in the section “Isolation.”

  • Authentication Method. Choose a method for authentication, including Computer Certificate or a customized Advanced method.

  • Profile. Choose the profiles (Domain, Public, and Private) to which the rule applies.

  • Name. Name the rule and type an optional description.

Tunnel

A tunnel rule allows you to protect connections between gateway computers and is typically used when connecting across the Internet between two security gateways. You must specify the tunnel endpoints by IP address and specify the authentication method by configuring the following wizard pages:

  • Tunnel Type. Specify the type of tunnel that you want to create: client-to-gateway, gateway-to-client, or a custom configuration. You can also choose to exempt traffic that arrives at a tunnel endpoint already protected by IPsec, so that it is not encapsulated a second time by the tunnel rule before being forwarded to the other tunnel endpoint.

  • Requirements. Specify whether network traffic passing through the tunnel must be authenticated, and if so, whether authentication is requested or required.

  • Tunnel Endpoints. Identify by IP address or IP address range the computers that are part of each endpoint, Endpoint 1 and Endpoint 2. For each endpoint, also identify by IP address its tunnel computer, that is, the gateway closest to the computers in that endpoint that encapsulates their traffic. The options available on this page depend on the tunnel type you selected on the first page.

  • Authentication Method. Choose a method for authentication, including Computer Certificate, or a customized Advanced method.

  • Profile. Choose the profiles (Domain, Public, and Private) to which the rule applies.

  • Name. Name the rule and type an optional description.
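The following example, which is not part of the original procedure, creates the gateway-to-gateway Tunnel rule described above with netsh on each of the two security gateways, so that the mirrored endpoint and tunnel-address settings on the two sides can be compared directly. The site prefixes, the gateway addresses (203.0.113.1 and 198.51.100.1), the CA name and the rule names are made-up values. Run the commands from an elevated prompt on each gateway.

```powershell
# Added example, not from the original page or from Microsoft documentation.
# All addresses, names and the issuing CA are made-up values.

# Site A gateway: public address 203.0.113.1, protects 192.168.0.0/16.
# endpoint1/endpoint2 are the networks behind the tunnel; localtunnelendpoint
# and remotetunnelendpoint are the gateways that encapsulate the traffic.
netsh advfirewall consec add rule `
    name="Site A to Site B tunnel" `
    mode=tunnel `
    endpoint1=192.168.0.0/16 `
    endpoint2=10.0.0.0/8 `
    localtunnelendpoint=203.0.113.1 `
    remotetunnelendpoint=198.51.100.1 `
    action=requireinrequireout `
    auth1=computercert `
    auth1ca="C=US,O=Contoso,CN=Contoso Issuing CA" `
    profile=any

# Site B gateway: public address 198.51.100.1, protects 10.0.0.0/8.
# Same rule with the endpoints and the tunnel addresses mirrored. Getting the
# mirror wrong is the most common reason a tunnel negotiates no SAs at all.
netsh advfirewall consec add rule `
    name="Site B to Site A tunnel" `
    mode=tunnel `
    endpoint1=10.0.0.0/8 `
    endpoint2=192.168.0.0/16 `
    localtunnelendpoint=198.51.100.1 `
    remotetunnelendpoint=203.0.113.1 `
    action=requireinrequireout `
    auth1=computercert `
    auth1ca="C=US,O=Contoso,CN=Contoso Issuing CA" `
    profile=any

# Lab only: the same tunnel authenticated with a preshared key. The key is
# stored in the policy in plain text, so never use this form in production.
netsh advfirewall consec add rule `
    name="Lab tunnel (PSK)" `
    mode=tunnel `
    endpoint1=192.168.0.0/16 endpoint2=10.0.0.0/8 `
    localtunnelendpoint=203.0.113.1 remotetunnelendpoint=198.51.100.1 `
    action=requireinrequireout `
    auth1=computerpsk auth1psk="lab-only-replace-me" `
    profile=any

# Verification on either gateway after a host behind one site contacts a host
# behind the other: a main-mode SA to the peer gateway and a quick-mode SA
# whose selectors are the two site prefixes.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Each gateway must hold a computer certificate that chains to the CA named in `auth1ca`, and must route for the prefix behind it; the connection security rule only protects traffic that the gateway already forwards.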

Custom

Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules you need by using the other rule types available in the New Connection Security Rule Wizard. A custom rule exposes every setting of the other types and adds protocol and port selectors. You can configure options on the following wizard pages:

  • Endpoints. Specify the computers that are part of Endpoint 1 and Endpoint 2. Endpoint 1 can contain all computers, computers specified by IP address, or computers that are accessible through a specified connection type (such as a local area network or wireless connection). Endpoint 2 can contain all computers or computers specified by IP address.

  • Requirements. Choose when authentication is required. Options are identical to those described in the section “Isolation.”

  • Authentication Method. Choose the authentication method. Options are identical to those described in the section “Isolation.”

  • Protocol and Ports. Specify the protocol, and if TCP or UDP, the source and destination ports that are affected by this connection security rule.

  • Profile. Choose the profiles (Domain, Public, and Private) to which the rule applies.

  • Name. Name the rule and type an optional description.
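The following example, which is not part of the original procedure, creates the Server-to-server rule and the Custom rule from the two preceding sections with netsh, and pairs them with the firewall rule that is still needed for the traffic to be allowed. The host addresses (10.1.1.10 for a web front end, 10.1.2.20 for a SQL Server computer), the CA name and the rule names are made-up values. Run the commands from an elevated prompt on both servers; the endpoints are symmetric, so the connection security rules are identical on both sides.

```powershell
# Added example, not from the original page or from Microsoft documentation.
# Addresses, rule names and the issuing CA are made-up values.

# Server-to-server: protect all traffic between the web front end (endpoint 1)
# and the SQL back end (endpoint 2), authenticating both computers with
# certificates issued by an internal CA.
netsh advfirewall consec add rule `
    name="Web to SQL" `
    endpoint1=10.1.1.10 `
    endpoint2=10.1.2.20 `
    action=requireinrequireout `
    auth1=computercert `
    auth1ca="C=US,O=Contoso,CN=Contoso Issuing CA" `
    profile=domain

# Custom: the same peers, but only TCP connections to port 1433 on the SQL
# server are covered. port1 applies to endpoint 1, port2 to endpoint 2; any
# other traffic between the two hosts is not touched by this rule.
netsh advfirewall consec add rule `
    name="Web to SQL (TCP 1433 only)" `
    endpoint1=10.1.1.10 port1=any `
    endpoint2=10.1.2.20 port2=1433 `
    protocol=tcp `
    action=requireinrequireout `
    auth1=computercert `
    auth1ca="C=US,O=Contoso,CN=Contoso Issuing CA" `
    profile=domain

# On the SQL server only: the inbound firewall rule that actually allows
# TCP 1433, restricted to connections that the connection security rule has
# authenticated and encrypted (security=authenc). Without a matching
# connection security rule this firewall rule allows nothing.
netsh advfirewall firewall add rule `
    name="SQL Server from web front end (IPsec required)" `
    dir=in action=allow protocol=tcp localport=1433 `
    remoteip=10.1.1.10 `
    security=authenc `
    profile=domain

# Verification after the web server opens a database connection: the
# quick-mode SA listed here should show protocol TCP and the 1433 port.
netsh advfirewall monitor show qmsa
```

If the two rules above are both present, the broader "Web to SQL" rule already covers port 1433; in practice you keep one or the other, and the custom rule is the one to use when only a specific service between the hosts should be authenticated.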