Windows Server 2012 : Configuring IPsec (part 6) - Configuring connection security rules - Creating a custom rule, Configuring authenticated bypass

10/20/2014 9:27:27 PM

Creating a custom rule

Creating a custom rule involves configuring options on the Endpoints, Requirements, Authentication Method, Protocol And Ports, and Profile And Name pages. The only new page here is the Protocol And Ports page shown in Figure 8. You can use this page to specify which protocol and which port or ports a network packet must carry in order to match this connection security rule. Once you have done this, only network traffic that matches the criteria on both this page and the Endpoints page matches the rule and is subject to its authentication requirements.

Configuring protocols and ports for a custom connection security rule.
Figure 8. Configuring protocols and ports for a custom connection security rule.

Creating connection security rules using Windows PowerShell

You can also use Windows PowerShell to view, create, configure, and remove connection security rules in the policy store on the local computer, on a remote computer, or in a GPO. You can do this using the cmdlets from the NetSecurity module of Windows PowerShell.

For example, you can use the New-NetIPsecRule cmdlet to create a new server isolation rule in the persistent store on the local machine that requires both inbound and outbound authentication:

PS C:\> New-NetIPsecRule -DisplayName "Server Isolation Rule" `
-InboundSecurity Require -OutboundSecurity Require

IPsecRuleName : {8215b76f-e6f2-42da-a8b9-1f8416b9a358}
DisplayName : Server Isolation Rule
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Mode : Transport
InboundSecurity : Require
OutboundSecurity : Require
QuickModeCryptoSet : Default
Phase1AuthSet : Default
Phase2AuthSet : Default
KeyModule : Default
AllowWatchKey : False
AllowSetKey : False
LocalTunnelEndpoint :
RemoteTunnelEndpoint :
RemoteTunnelHostname :
ForwardPathLifetime : 0
EncryptedTunnelBypass : False
RequireAuthorization : False
User : Any
Machine : Any
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local

If you open the Windows Firewall with Advanced Security snap-in at this point and select the Connection Security Rules node, you will see the new rule that you created.

You can also use the Get-NetIPsecRule cmdlet to view connection security rules, Set-NetIPsecRule to modify them, or Remove-NetIPsecRule to delete them. For more help concerning any of these cmdlets, use the Get-Help cmdlet.
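The following is an added example (not from the book) that carries the wizard's custom rule pages through to the NetSecurity cmdlets: it builds a Kerberos computer authentication set, creates a custom rule restricted to a protocol and port, then views, modifies, disables, and removes it. The subnet 10.0.0.0/24, port 445, the rule and auth set names, and the domain and GPO name in the closing comment are placeholders chosen for illustration; the commands assume an elevated Windows PowerShell session on Windows Server 2012 or later.

```powershell
# Added example, not the book's code. Placeholders: the 10.0.0.0/24 subnet,
# port 445, the rule/auth set names, and the domain\GPO name in the last comment.

Import-Module NetSecurity

# Phase 1 (main mode) authentication: computer Kerberos V5, the cmdlet equivalent
# of choosing "Computer (Kerberos V5)" on the wizard's Authentication Method page.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "Custom Rule Phase1 Auth" -Proposal $proposal

# The custom rule. Wizard pages map to parameters as follows:
#   Endpoints          -> -LocalAddress / -RemoteAddress
#   Requirements       -> -InboundSecurity / -OutboundSecurity
#   Protocol And Ports -> -Protocol / -LocalPort / -RemotePort
#   Profile And Name   -> -Profile / -DisplayName
New-NetIPsecRule -DisplayName "Custom SMB Isolation Rule" `
    -Description "Require authenticated inbound SMB from the client subnet" `
    -LocalAddress Any -RemoteAddress 10.0.0.0/24 `
    -Protocol TCP -LocalPort 445 -RemotePort Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain

# View the rule, then the protocol/port filter attached to it.
Get-NetIPsecRule -DisplayName "Custom SMB Isolation Rule" |
    Format-List DisplayName, Enabled, Profile, InboundSecurity, OutboundSecurity, Phase1AuthSet
Get-NetIPsecRule -DisplayName "Custom SMB Isolation Rule" | Get-NetFirewallPortFilter

# Modify: relax inbound to Request while piloting so unauthenticated peers keep
# working, then disable the rule rather than deleting it if you need a quick rollback.
Set-NetIPsecRule -DisplayName "Custom SMB Isolation Rule" -InboundSecurity Request
Disable-NetIPsecRule -DisplayName "Custom SMB Isolation Rule"

# Remove the rule and its authentication set when they are no longer needed.
Remove-NetIPsecRule -DisplayName "Custom SMB Isolation Rule"
Remove-NetIPsecPhase1AuthSet -DisplayName "Custom Rule Phase1 Auth"

# To target a GPO instead of the local persistent store, add
#   -PolicyStore "contoso.com\IPsec Policy"   (placeholder domain and GPO name)
# to each of the New-/Get-/Set-/Remove-NetIPsecRule calls above.
```

The order matters: the authentication set must exist before the rule references it by its Name, and the rule must be removed before the set it references. Starting with OutboundSecurity set to Request rather than Require is the usual pilot posture, since a Require rule on both sides blocks traffic to any peer that cannot authenticate.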

Configuring authenticated bypass

One of the configuration options in the New Inbound (or Outbound) Rule Wizard was deferred until now because it has to do with how firewall rules interact with IPsec. That setting is the Allow The Connection If It Is Secure option on the Action page. (See Figure 9.)

Selecting this option specifies that only connections protected by IPsec will be allowed by the new firewall rule. Such IPsec protection is implemented separately using connection security rules.

Configuring a new firewall rule to allow only connections that are protected by IPsec.
Figure 9. Configuring a new firewall rule to allow only connections that are protected by IPsec.

As Figure 9 shows, selecting the Allow The Connection If It Is Secure option also adds two new wizard pages named Users and Computers to the New Inbound (or Outbound) Rules Wizard. You can use these two new pages to specify trusted users, computers, or both that are allowed to connect to the local computer.

The default behavior of a firewall rule that has the Allow The Connection If It Is Secure option selected is for network traffic matching the firewall rule to be allowed if the traffic is both authenticated and integrity-protected by IPsec. This default option is supported on computers running Windows Vista, Windows Server 2008, or later.

By clicking Customize on the Action page, you can change this behavior by selecting a different option on the Customize Allow If Secure Settings dialog box shown in Figure 10. Specifically, you can select from the following options:

  • Require The Connections To Be Encrypted. Choosing this option adds the requirement of data encryption to the default requirements of authentication and data integrity. If you are creating an inbound rule, you can also select Allow The Computers To Dynamically Negotiate Encryption to allow the network connection to send and receive unencrypted traffic while an IPsec encryption algorithm is being negotiated after IPsec authentication has been achieved.

  • Allow The Connection To Use Null Encapsulation. Choosing this option requires that matching network traffic use IPsec authentication, but it does not require either integrity or encryption protection. You should select this option only if you have network equipment or software that is not compatible with either the ESP or AH integrity protocols.

  • Override Block Rules. Choosing this option allows matching network traffic to override any firewall rules that would block such traffic. In general, firewall rules that explicitly block a connection take priority over firewall rules that explicitly allow the connection. But if you select the Override Block Rules option, the connection will be allowed even if a different rule is configured to block it.

Configuring the behavior of a firewall rule that has the Allow The Connection If It Is Secure option selected.
Figure 10. Configuring the behavior of a firewall rule that has the Allow The Connection If It Is Secure option selected.

Important

Security warning

If you select the Allow The Computers To Dynamically Negotiate Encryption check box shown in Figure 10, network traffic will be sent in clear text while an encryption algorithm is being negotiated.

Selecting the Override Block Rules option when creating a new firewall rule is called authenticated bypass, because it means that matching network traffic is allowed because it has been authenticated as coming from an authorized and trusted user or computer. As Figure 11 shows, you must specify at least one trusted computer when configuring authenticated bypass for a firewall rule.

Configuring trusted computers for an authenticated bypass firewall rule.
Figure 11. Configuring trusted computers for an authenticated bypass firewall rule.

Note

Cannot override blocking all connections

If you configured Windows Firewall with Advanced Security to block all connections, the Override Block Rules option will not override such behavior.
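The following is an added example (not from the book) showing how the Allow The Connection If It Is Secure settings described above, including authenticated bypass, look when created with New-NetFirewallRule from the NetSecurity module, together with two checks a defender would run: which rules permit clear text during encryption negotiation, and whether a profile's "block all connections" setting is active, which the Override Block Rules option cannot override. The domain CONTOSO, the group IPsec Trusted Servers, and the port numbers are placeholders; the commands assume an elevated Windows PowerShell session on Windows Server 2012 or later and an existing connection security rule that provides the IPsec protection these firewall rules depend on.

```powershell
# Added example, not the book's code. Placeholders: domain "CONTOSO", group
# "IPsec Trusted Servers", ports 3389/445/5985 and the rule display names.

Import-Module NetSecurity

# Resolve the trusted computer group to a SID and wrap it in the SDDL form that
# -RemoteMachine expects: an ACE granting the group (CC) access.
$account         = New-Object System.Security.Principal.NTAccount("CONTOSO", "IPsec Trusted Servers")
$groupSid        = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$trustedMachines = "O:LSD:(A;;CC;;;$groupSid)"

# 1. Default "allow if secure": traffic must be authenticated and
#    integrity-protected by IPsec, but need not be encrypted.
New-NetFirewallRule -DisplayName "RDP - Secure Only" -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -Authentication Required -Encryption NotRequired

# 2. "Require the connections to be encrypted" without dynamic negotiation
#    (-Encryption Dynamic would be the check box that permits clear text while
#    the algorithm is negotiated; Required never sends clear text).
New-NetFirewallRule -DisplayName "SMB - Encrypted Only" -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 445 -Authentication Required -Encryption Required

# 3. Authenticated bypass ("Override block rules"): matching traffic is allowed
#    even where a block rule also matches, but only from members of the trusted
#    computer group. -OverrideBlockRules is rejected without -RemoteMachine,
#    which is the cmdlet form of "you must specify at least one trusted computer".
New-NetFirewallRule -DisplayName "WinRM - Authenticated Bypass" -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 5985 -Authentication Required -Encryption Required `
    -OverrideBlockRules $true -RemoteMachine $trustedMachines

# Review: the IPsec-related settings live on each rule's security filter, not on
# the rule object itself. List rules that allow clear text during negotiation
# or that bypass block rules, so both can be audited.
Get-NetFirewallRule -Direction Inbound | ForEach-Object {
    $sec = $_ | Get-NetFirewallSecurityFilter
    if ($sec.Encryption -eq 'Dynamic' -or $sec.OverrideBlockRules) {
        [PSCustomObject]@{
            DisplayName        = $_.DisplayName
            Authentication     = $sec.Authentication
            Encryption         = $sec.Encryption
            OverrideBlockRules = $sec.OverrideBlockRules
            RemoteMachine      = $sec.RemoteMachine
        }
    }
}

# "Block all connections" per profile corresponds to AllowInboundRules = False.
# When it is False, authenticated bypass rules do not take effect on that profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules
```

The three -Authentication/-Encryption combinations map onto the wizard choices: Required/NotRequired is the default "allow if secure", Required/Required is "require the connections to be encrypted", and -Authentication NoEncap corresponds to "allow the connection to use null encapsulation". The review loop at the end is what to run after policy changes, since a rule with Dynamic encryption or OverrideBlockRules set widens what the firewall accepts without that being visible on the rule's main properties.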
