Configuring connection security rules
After you configure the IPsec defaults for the computer, you can
then create connection security rules. As explained at the start of
this lesson, a connection security rule is a set of criteria that
specifies how IPsec will be used to secure traffic between the local
computer and other computers on the network. Such rules specify
whether a network connection between two computers must first be
authenticated before data can be exchanged between them, and whether
the data exchanged must be integrity-protected or encrypted by IPsec,
which protects it against modification and eavesdropping respectively.
Types of connection security rules
Connection security rules can be created using the New
Connection Security Rule Wizard. As Figure 7 shows, Windows
Firewall with Advanced Security supports five types of connection
security rules:
-
Isolation This type of
connection security rule can be used to isolate computers from
other computers. For example, you can use isolation rules to
protect computers that are joined to your domain from computers
that are outside your domain.
-
Authentication Exemption
This type of connection security rule can be used to specify
computers that should be exempted from being required to
authenticate, regardless of any other connection security rules
that have been configured. For example, you can use
authentication exemption rules to allow access to domain
controllers and other infrastructure servers that the computer
needs to communicate with before authentication can be
performed.
-
Server-to-Server This type
of connection security rule can be used to protect
communications between two computers, two groups of computers,
two subnets, or some combination of these, such as between a
computer and a subnet. For example, you can use server-to-server
rules to protect communications between a database server and a
front-end web server.
-
Tunnel This type of
connection security rule can be used to protect communications
between two computers using IPsec tunnel mode instead of IPsec
transport mode. For example, you can use tunnel rules to specify
a gateway computer that routes traffic to a private
network.
-
Custom This type of
connection security rule can be used to configure custom rules
using criteria from other rule types except tunnel rules.
To create new connection security rules using the New
Connection Security Rule Wizard, right-click on the Connection
Security Rules node in the Windows Firewall with Advanced Security
snap-in, select New Rule, and follow the steps of the wizard. The
sections that follow explain more regarding the steps involved in
creating each of these different types of connection security
rules.
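The Authentication Exemption, Server-to-Server and Tunnel rule types above, created from an elevated PowerShell session with the NetSecurity module instead of the wizard. This is an added example, not from the book or the wizard itself; every address, subnet, port and rule name is an assumed value for illustration, and the tunnel assumes both gateway computers are domain members so they can authenticate with Kerberos.

```powershell
# Added example (not from the book): three of the wizard's rule types
# created with New-NetIPsecRule. Run elevated; all addresses and names
# below are assumed values.

# Computer (Kerberos V5) authentication, the method the wizard's
# Default choice uses on a domain-joined computer.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$kerbAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
                    -Proposal $kerbProposal

# 1. Authentication exemption: never require IPsec to the domain
#    controllers (assumed 10.0.0.10 and 10.0.0.11). Without this the
#    computer cannot reach the KDC to obtain the Kerberos ticket that
#    its other IPsec rules need in order to authenticate.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
    -RemoteAddress 10.0.0.10, 10.0.0.11 `
    -InboundSecurity None -OutboundSecurity None `
    -Profile Domain

# 2. Server-to-server: require authentication in both directions for
#    SQL traffic between the database server (assumed 10.0.2.20) and
#    the front-end web subnet (assumed 10.0.1.0/24).
New-NetIPsecRule -DisplayName 'DB to web tier' `
    -LocalAddress 10.0.2.20 -RemoteAddress 10.0.1.0/24 `
    -Protocol TCP -LocalPort 1433 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $kerbAuthSet.Name `
    -Profile Domain

# 3. Tunnel: IPsec tunnel mode between two gateway computers that route
#    for the subnets behind them (assumed public endpoints and subnets).
New-NetIPsecRule -DisplayName 'HQ to branch tunnel' `
    -Mode Tunnel `
    -LocalAddress 10.0.0.0/16 -RemoteAddress 10.1.0.0/16 `
    -LocalTunnelEndpoint 203.0.113.1 -RemoteTunnelEndpoint 198.51.100.1 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $kerbAuthSet.Name

# Review the result; this is the same list the Connection Security
# Rules node shows in the snap-in.
Get-NetIPsecRule | Format-Table DisplayName, Enabled, Mode, Profile, InboundSecurity, OutboundSecurity -AutoSize
```

Create the exemption rule first: once a Require rule exists for the domain profile, a computer that cannot reach a domain controller in the clear has no way to obtain the Kerberos ticket the other rules depend on.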
Creating an isolation rule
The following steps can be used to create a new isolation rule
using the Windows Firewall with Advanced Security snap-in:
-
Launch the New Connection Security Rule Wizard, and choose
Isolation on the Rule Type page.
-
On the Requirements page, specify whether to request or
require authentication for inbound connections, outbound
connections, or both by selecting one of the following
options:
-
Request Authentication For
Inbound And Outbound Connections This option asks the
peer to authenticate but falls back to unprotected traffic if
the peer cannot or does not respond. It is typically used in
low-security environments or where computers are unable to use
the IPsec authentication methods available with Windows Firewall
with Advanced Security. You can also use it for computers in the
boundary zone in a server or domain isolation scenario.
-
Require Authentication For
Inbound Connections And Request Authentication For Outbound
Connections This option is typically used in
environments where computers are able to use the IPsec
authentication methods available with Windows Firewall with
Advanced Security. Unauthenticated inbound connections are
refused, while outbound connections still fall back to
unprotected traffic if the peer does not authenticate. You can
also use it for computers in the main isolation zone in a server
or domain isolation scenario.
-
Require Authentication For
Inbound And Outbound Connections This option is
typically used in environments where all network traffic must be
controlled and secured; unauthenticated connections are refused
in both directions. You can also use it for computers in the
main isolation zone in a server or domain isolation scenario.
-
On the Authentication Method page, choose Default to use the
authentication methods configured in the computer's IPsec
settings, or specify a different method or list of methods.
-
On the Profile page, select which firewall profiles the
new rule should apply to. By default, new connection security
rules apply to all three profiles (domain, private, and
public).
-
On the Name page, specify a name and optional description
for the new rule.
Note
Enabled by default
When you create a new connection security rule using the New
Connection Security Rule Wizard, the new rule is automatically
enabled by default.
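The isolation rule from the steps above, built with New-NetIPsecRule so that each wizard page maps to a cmdlet parameter. This is an added example, not code from the book; the function name New-IsolationRule, the rule names and the choice of computer Kerberos authentication are assumptions, and it must be run in an elevated session on a domain-joined computer.

```powershell
# Added example (not from the book): the wizard's isolation rule as a
# function. Assumed names: New-IsolationRule, the rule display names.
# Run elevated on a domain-joined computer.

function New-IsolationRule {
    param(
        # Name page
        [Parameter(Mandatory)] [string] $DisplayName,
        # Requirements page: the wizard's three choices
        [ValidateSet('RequestInRequestOut',
                     'RequireInRequestOut',
                     'RequireInRequireOut')]
        [string] $Requirement = 'RequireInRequestOut',
        # Profile page: the wizard defaults to all three profiles
        [string[]] $Profiles = 'Any'
    )

    # Requirements page -> InboundSecurity / OutboundSecurity values
    $security = @{
        RequestInRequestOut = @{ In = 'Request'; Out = 'Request' }
        RequireInRequestOut = @{ In = 'Require'; Out = 'Request' }
        RequireInRequireOut = @{ In = 'Require'; Out = 'Require' }
    }[$Requirement]

    # Authentication Method page: Computer (Kerberos V5). Only domain
    # members hold a valid ticket, which is what isolates them from
    # computers outside the domain.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName "$DisplayName auth" `
                    -Proposal $proposal

    # As with the wizard, the rule is enabled unless -Enabled False is given.
    New-NetIPsecRule -DisplayName $DisplayName `
        -Description "Isolation rule ($Requirement)" `
        -InboundSecurity $security.In -OutboundSecurity $security.Out `
        -Phase1AuthSet $authSet.Name `
        -Profile $Profiles
}

# Boundary-zone style rule: request only, so peers that never
# authenticate are still reached in the clear.
New-IsolationRule -DisplayName 'Boundary isolation' `
    -Requirement RequestInRequestOut -Profiles Domain

# Main isolation zone: inbound must authenticate, outbound requests it.
$rule = New-IsolationRule -DisplayName 'Domain isolation' `
    -Requirement RequireInRequestOut

# Check the stored rule, including that Enabled is True by default.
$rule | Format-List DisplayName, Enabled, Profile, InboundSecurity, OutboundSecurity

# After exchanging traffic with another domain member, confirm IPsec
# actually negotiated: one main mode SA appears per authenticated peer.
Get-NetIPsecMainModeSA
```

Pick the Request variants deliberately: a peer that simply never answers the IKE negotiation is treated as unable to authenticate and the traffic flows unprotected, so Request-only rules give an attacker on the segment no reason to authenticate at all. Require inbound is what makes the isolation zone enforceable; the Request-only form belongs on boundary hosts that must also talk to non-domain computers.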