Share via


Firewall Properties - IPsec

Applies To: Windows Server 2008

Windows Firewall with Advanced Security integrates Windows Firewall features and Internet Protocol security (IPsec) into one console. These advanced options allow you to configure the key exchange, data protection (integrity and encryption), and authentication settings in ways required by your environment.

Key Exchange (Main Mode)

Key exchange settings you select here will apply to all connection security rules. To ensure successful and secure communication, Internet Key Exchange (IKE) performs a two-phase operation. Confidentiality and authentication are ensured during each phase by the use of encryption and authentication algorithms that are agreed upon by the two computers during security negotiations. With the duties split between two phases, key creation can be accomplished quickly.

During the first phase, the two computers establish a secure, authenticated channel. This is called the Phase I or Main Mode security association (SA). IKE automatically provides identity protection during this exchange.

Default

This is the key exchange settings that are installed by default or configured as defaults through Group Policy. This setting is used for all key exchanges. For more information, see Default Settings.

Advanced

Use this option to specify the key exchange settings that are applied to all key exchanges. This setting overrides the installed defaults.

Data Protection

Data protection settings you select here apply to all connection security rules created using the Windows Firewall with Advanced Security snap-in. Custom data protection settings are available using the netsh advfirewall context.

Default

This is the data integrity and encryption settings that are installed by default or configured as defaults through Group Policy. This setting is used for all key exchanges. For more information, see Default Settings.

Advanced

Use this option to specify data integrity and encryption settings that are applied by default. This setting overrides the installed defaults.

Authentication Method

Authentication method settings you select here apply only to connection security rules that have Default selected as the authentication method.

Default

This is the authentication settings that are installed by default or configured as defaults by using Group Policy. This setting is used whenever the Default method is selected on the Authentication tab of the Computer Connection Security Rule Properties dialog box. For more information, see Default Settings.

Computer and User (using Kerberos V5)

This method uses both computer and user authentication. This means that both the user and the computer must authenticate properly before communications can continue. Use this option to use user and computer authentication by default. This setting overrides the installed defaults. However, if you create a connection security rule that uses another method, you can override this setting by selecting it using the Method setting on the Authentication tab of the Computer Connection Security Rule Properties dialog box for the specific rule.

Using this option effectively creates domain isolation by limiting the computers and users that can access this computer to domain-joined computers or users.

Computer (using Kerberos V5)

This method requests or requires the computer to authenticate using the Kerberos version 5 authentication protocol. You can use this method to authenticate peer computers that are part of the same domain or in separate domains that have a trust relationship. This method uses the Kerberos version 5 authentication protocol and does not require any further configuration.

This setting overrides the installed defaults. However, if you create a connection security rule that uses another method, you can override this setting by selecting it using the Method setting on the Authentication tab of the Computer Connection Security Rule Properties dialog box for the specific rule.

Using this option effectively creates domain isolation by limiting the computers that can access this computer to domain-joined computer.

User (using Kerberos V5)

You can use this method to authenticate a user logged on to a remote computer that is part of the same domain or in separate domains that have a trust relationship. This method uses the Kerberos version 5 authentication protocol and does not require any further configuration. The logged-on user must have a domain account. This method requests or requires the user to authenticate using the Kerberos version 5 authentication protocol.

This setting overrides the installed defaults. However, if you create a connection security rule that uses another method, you can override this setting by selecting it using the Method setting on the Authentication tab of the Computer Connection Security Rule Properties dialog box for the specific rule.

Using this option effectively creates domain isolation by limiting the users that can access this computer to domain-joined users.

Computer certificate from this certification authority

You can use this method to authenticate peer computers based on computer certificates. To use this method, you must have a certification authority (CA). This method is useful when the computers are not in a domain or are in separate domains without a two-way trust relationship. This method might require further configuration of your CA.

This setting overrides the installed defaults. However, if you create a connection security rule that uses another method, you can override this setting by selecting it using the Method setting on the Authentication tab of the Computer Connection Security Rule Properties dialog box for the specific rule.

Accept only health certificates

This method requests or requires a valid health certificate to authenticate. Health certificates confirm that a computer has all of the software updates and other updates that are required for access to the network. These certificates are distributed during the Network Access Protection (NAP) process. For more information, see the NAP documentation.

Health certificates are published by Network Access Protection (NAP), a new feature in this version of Windows and Windows Server 2008, which helps you define and enforce health policies so that unhealthy computers, such as computers with viruses or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP snap-in Help.

Note

To use this method you must have at least one NAP server set up in the domain.

This setting overrides the installed defaults. However, if you create a connection security rule that uses another method, you can override this setting by selecting it using the Method setting on the Authentication tab of the Computer Connection Security Rule Properties dialog box for the specific rule.

Advanced

You can use this option to create a method that is specific to your needs. For more information, see Authentication Settings.

The Customize option allows you to specify all of the settings available with all of the other options, giving you more flexibility when configuring a firewall rule.

This setting overrides the installed defaults. However, if you create a connection security rule that uses another method, you can override this setting by selecting it using the Method setting on the Authentication tab of the Computer Connection Security Rule Properties dialog box for the specific rule.

Additional references

Connection Security Rules

Authentication Settings

Default Settings