Windows Firewall with Advanced Security and IPsec

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Windows Firewall with Advanced Security is an advanced interface for IT professionals to use to configure both Windows Firewall and Internet Protocol security (IPsec) settings for the computers on their networks. Windows Firewall with Advanced Security is not for home users or for users who are not familiar with advanced firewall or IPsec technologies.

This topic describes the documentation currently available for Windows Firewall with Advanced Security in Windows Vista®, Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2. Additional documentation is in development, so check back periodically to see what has been added.

Your feedback is valuable and welcome! Please send your comments and suggestions to Windows Firewall with Advanced Security Documentation Feedback (wfasdoc@microsoft.com). The author of this guide will review your comments and use them to improve this documentation. Your e-mail address will not be saved or used for any other purposes.

Product Evaluation

• What's New in Windows Firewall with Advanced Security

  This document identifies new Windows Firewall with Advanced Security features introduced in Windows 7 and Windows Server 2008 R2, as well as features that were introduced with Windows Vista and Windows Server 2008.

• Introduction to Windows Firewall with Advanced Security

  Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections according to the rules configured by an administrator.

• Introduction to Server and Domain Isolation

  You can mitigate some of the risks associated with unauthorized and potentially malicious access to your network and its resources by creating an isolated network. By using Active Directory® Domain Services (AD DS) and Group Policy settings, you can isolate both your domain and servers that store sensitive data, thus limiting access to only authenticated and authorized users.

• Server Isolation with Microsoft Windows Explained

  This topic provides a detailed overview of server isolation. It explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation.

• Domain Isolation with Microsoft Windows Explained

  This white paper provides a detailed overview of domain isolation. It explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation.

Getting Started

Getting Started documents are designed to help you get the technology up and running in the minimum amount of time.

• Windows Firewall with Advanced Security Learning Roadmap

  If you are new to Windows Firewall with Advanced Security, this topic can help you identify what you need to learn to fully understand and use all of the features available in Windows Firewall with Advanced Security. It includes prerequisite topics that cover a variety of networking fundamentals. You must understand the prerequisite topics first, because the topics for Windows Firewall with Advanced Security build upon them and assume an understanding of them. Afterwards, you can begin learning about Windows Firewall with Advanced Security by reading the documents in the Level 100, 200, and 300 sections.

• Windows Firewall with Advanced Security Getting Started Guide

  Although typical end-user configuration of Windows Firewall still takes place through the Windows Firewall program in Control Panel, advanced configuration now takes place in the Microsoft Management Control (MMC) snap-in named Windows Firewall with Advanced Security. This snap-in not only provides an advanced interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers by using Group Policy. Firewall settings are now integrated with IPsec settings, allowing for some synergy: Windows Firewall can now allow traffic based on whether it is secured by IPsec.

• Windows Firewall and IPsec Policy Deployment Step-by-Step Guide

  This step-by-step guide describes how to deploy Group Policy objects (GPOs) to configure Windows Firewall with Advanced Security in Windows® 7, Windows Vista®, Windows Server® 2008 R2, and Windows Server® 2008. You get hands-on experience in a lab environment using Group Policy Management tools to create and edit GPOs that implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios. This document is also available as a Word .doc file in the Microsoft Download Center at Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies (https://go.microsoft.com/fwlink/?LinkID=102503).

Planning and Architecture

• Windows Firewall with Advanced Security Design Guide

  This guide helps you design Windows Firewall with Advanced Security settings and rules that meet your goals for network security. Use this guide with the Windows Firewall with Advanced Security Deployment Guide during your planning stages. The Windows Firewall with Advanced Security Design Guide answers the "what," "why," and "when" questions before you work on the "how" questions answered in the Windows Firewall with Advanced Security Deployment Guide. This document is also available combined with the Deployment Guide as a Word .doc file in the Microsoft Download Center at Windows Firewall with Advanced Security Design and Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=114659).

Deployment

• Windows Firewall with Advanced Security Deployment Guide

  This guide helps you deploy the design that you created by using the Windows Firewall with Advanced Security Design Guide. It includes checklists and procedures that answer the “how” questions to go along with the “what,” “when,” and “why” questions you answered in the Windows Firewall with Advanced Security Design Guide. This document is also available combined with the Design Guide as a Word .doc file in the Microsoft Download Center at Windows Firewall with Advanced Security Design and Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=114659).

Operations

Operations content provides procedures that help you in performing the day-to-day tasks that keep your implementation running smoothly.

• How to Configure Windows Firewall for a Passive Mode FTP Server

  This article shows you how to create authenticated bypass rules to allow network traffic from trusted computers and users into a computer that would normally be blocked by Windows Firewall.

• How to Enable Authenticated Firewall Bypass

  This article shows you how to configure firewall rules on an FTP server that allow it to operate in “passive” FTP mode.

Technical Reference

• How Windows Firewall with Advanced Security Works

  This article contains an explanation of how Windows Firewall with Advanced Security performs its assigned tasks.

• IPsec Algorithms and Methods Supported in Windows

  This article contains tables that show which IPsec key exchange algorithms, integrity algorithms, encryption algorithms, and authentications methods are supported in each version of the Windows operating system.

• Improving Network Performance by Using IPsec Task Offload

  This article describes the performance benefits of using a network adapter that contains a dedicated cryptographic processor to offload IPsec computational work from the main processor.

• Stealth Mode in Windows Firewall with Advanced Security

  This article describes how Windows Firewall with Advanced Security helps to protect your computer by preventing network scanners from discovering information about the network services hosted on the computer.

• Netsh Commands for Windows Firewall with Advanced Security

  This command-line reference describes how to configure IPsec and Windows Firewall in Windows Vista and later versions of Windows by using the netsh command line tool.

• Netsh Commands for IPsec Denial of Service Protection

  This command-line reference describes how to configure a computer running Windows Server 2008 R2 to help protect it from denial-of-service attacks. It permits only IPsec-protected IPv6 network traffic, and is configured by using the netsh command line tool.

• Netsh Commands for Windows Firewall

  This command-line reference describes how to configure Windows Firewall on computers that are running Windows XP and Windows Server 2003 by using the netsh command line tool.

• Netsh Commands for Internet Protocol Security (IPsec)

  This command-line reference describes how to configure IPsec on computers that are running Windows XP and Windows Server 2003 by using the netsh command line tool.

Troubleshooting

Troubleshooting documentation helps you solve problems that arise when you try to deploy, manage, or use Windows Firewall with Advanced Security.

• Windows Firewall with Advanced Security Troubleshooting Guide: Diagnostics and Tools

  This article describes common troubleshooting situations and tools you can use for troubleshooting.

• Windows Firewall with Advanced Security Event Messages (https://go.microsoft.com/fwlink/?LinkId=96306)

  These pages describe some of the Event Log messages that can be generated by Windows Firewall with Advanced Security. Each event message is accompanied by probable causes and recommended resolution steps.

• Enable IPsec and Windows Firewall Audit Events

  Most of the event messages for Windows Firewall with Advanced security are generated by Windows only when you enable them. This document describes how to enable and disable the events.

Installed Help

Installed Help is available when you open any of the following Microsoft Management Consoles (MMCs), and then press F1: Windows Firewall with Advanced Security, IP Security Policies, and IP Security Monitor. The installed Help provides information about how to use and configure Windows Firewall with Advanced Security and IPsec.

• Windows Firewall with Advanced Security (for Windows Vista and Windows Server 2008)

  Windows Firewall with Advanced Security (for Windows 7 and Windows Server 2008 R2)

  The Authfw.chm file is installed with Windows. It is displayed when you open the Windows Firewall with Advanced Security MMC snap-in and press F1.

• Creating and Using IPsec Policies

  The Ipsecpolicy.chm file is installed with Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It is displayed when you open the IP Security Policies MMC snap-in and press F1.

• Monitoring IPsec

  The Ipsecmonitor.chm file is installed with Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It is displayed when you open the IP Security Monitor MMC snap-in and press F1.

Other Information

Windows Firewall and IPsec documentation for earlier versions of Windows

• More information about Windows Firewall in earlier versions of Windows can be found at Windows Firewall (https://go.microsoft.com/fwlink/?linkid=95393).

• More information about IPsec in earlier versions of Windows can be found at IPsec (https://go.microsoft.com/fwlink/?linkid=95394).

• More information about using IPsec for server and domain isolation in earlier versions of Windows can be found at Server and Domain Isolation (https://go.microsoft.com/fwlink/?linkid=95395).