Because the Internet is inherently insecure,
businesses still need to preserve the privacy of data travelling over
the network. IPSec creates a standard platform to develop secure
networks and electronic tunnels between two machines. The two machines
are known as endpoints. After the tunnel has been defined and both endpoints
agree on the same parameters, the data will be encrypted on one end,
encapsulated in a packet, and sent to the other endpoint (where the data
In Windows XP and
Windows Server 2003, you configure the Windows Firewall and IPSec
separately. Unfortunately, because both can block or allow incoming
traffic, it is possible that the firewall and IPSec rules can conflict
with each other. In Windows Vista, Windows Firewall with Advanced
Security provides a single, simplified interface for managing both
firewall filters and IPSec rules.
with Advanced Security uses authentication rules to define IPSec
policies. No authentication rules are defined by default. To create a
new authentication rule, follow these steps:
In Windows Firewall with Advanced Security, select the Computer Connection Security node.
the Computer Connection Security node in the console tree, and then
click New Rule to start the New Connection Security Rule Wizard.
From the Rule Type page of the New Authentication Rule Wizard, you can select the following:
- Isolation. Used to
specify that computers are isolated from other computers based on
membership in a common Active Directory domain or current health status.
You must specify when you want authentication to occur (for example,
for incoming or outgoing traffic and whether you want to require or only
request protection), the authentication method for protected traffic,
and a name for the rule.
- Authentication exemption. Used to specify computers that do not have to authenticate or protect traffic by their IP addresses.
- Server to server.
Used to specify traffic protection between specific computers,
typically servers. You must specify the set of endpoints that will
exchange protected traffic by IP address, when you want authentication
to occur, the authentication method for protected traffic, and a name
for the rule.
Used to specify traffic protection that is tunneled, typically used
when sending packets across the Internet between two security gateway
computers. You must specify the tunnel endpoints by IP address, the
authentication method, and a name for the rule.
- Custom. Used
to create a rule that does not specify a protection behavior. You would
select this option when you want to manually configure a rule, perhaps
based on advanced properties that cannot be configured through the pages
of the New Authentication Rule Wizard. You must specify a name for the
To configure advanced properties for the rule, follow these steps:
Right-click the name of the rule, and then click Properties.
From the Properties dialog box for a rule, you can configure settings on the following tabs:
- General. The rule’s name and description and whether the rule is enabled.
- Computers. The set of computers, by IP address, for which traffic is protected.
When you want authentication for traffic protection to occur (for
example, for incoming or outgoing traffic and whether you want to
require or only request protection) and the authentication method for
- Advanced. The profiles and types of interfaces to which the rule applies and IPSec tunneling behavior.