Now that we’ve learned how to configure an IPSec policy, it’s time to learn how to configure a Connection Security Rule. If you haven’t followed the previous articles, please take some time to read them before proceeding with this post so that you are familiar with all the elements we’ve covered so far. Without further delay, let’s open up the Group Policy Management Console and create a new GPO. In the GPO editing mode, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security, right click on Connection Security Rules and select New Rule:
From the Rule Type section we can create five different types of security rules as follows:
- Isolation – the rule is applied according to the network profile type in use on the computers. When a connection security rule matches on a network profile, the negotiation process starts as configured in the rule. The network profile can be changed from Network and Sharing Center.
- Authentication exemption – these rules are used to exclude certain computers, groups of computers or IP addresses from the authentication requirement.
- Server-To-Server – you would configure such a rule when creating authentication rules between specific servers or IP addresses.
- Tunnel – these rules are configured when IPSec operates in tunnel mode, for example between VPN gateways.
- Custom – a custom rule provides a combination of the features of the other rule types.
After you select the desired rule type and continue with the wizard, you will be redirected to one of the following pages:
Requirements – on this page you specify when you want authentication to occur. There are three options available here: authentication is requested for inbound and outbound connections; authentication is required for inbound connections and requested for outbound connections; and authentication is required for both inbound and outbound connections:
Exempt Computers – in this section you add which remote computers are exempt from authentication requirements:
Endpoints – here is where you configure the computers that will participate in the secured communication. The secured connection will be made between Endpoint 1 and Endpoint 2:
Tunnel type – when creating a connection security rule for IPSec tunnel mode, you have to choose one of the following tunnel types: custom configuration, client-to-gateway or gateway-to-client. In the bottom section of this window you can select whether or not all traffic will be sent through the tunnel. Traffic may be exempted from the tunnel if it is already protected by another IPSec connection that does not use the tunnel:
Authentication method – in this section you specify the authentication method used by the IPSec connection. From this page you can select the authentication method by using certificates (signing algorithm, certificate store type and CA name) or by using advanced authentication:
In the advanced section you can select one or two authentication methods. If the first authentication method fails, the second method will be tried. You can select from the following authentication methods:
Kerberos, NTLMv2, computer certificate from a specified CA, or preshared key.
Profile – in this section you specify where the rule applies: domain, private or public networks:
Name – at the end of the wizard you’ll have to specify the rule’s name and description:
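The same Isolation rule the wizard builds (require authentication inbound, request it outbound, Kerberos first with a certificate fallback, Domain profile only) can be written into a GPO with the NetSecurity cmdlets. This is an added example, not part of the original article; the domain/GPO name, the CA subject and the exempted addresses are placeholders to replace, and the exemption rule shows the Authentication exemption type from the list above.

```powershell
# Added example, not from the original article. Run from a domain-joined admin
# host with the GroupPolicy and NetSecurity modules available.
# Placeholders (assumptions): replace with your own domain, GPO name, CA and hosts.
$gpoStore = 'contoso.example\IPsec Isolation'      # <domain FQDN>\<GPO display name>
$caName   = 'CN=Contoso Issuing CA, DC=contoso, DC=example'
$exempt   = '10.0.0.5', '10.0.0.6'                 # constructed sample appliances

# Open a GPO session so every change is committed in one Save-NetGPO call
$gpo = Open-NetGPO -PolicyStore $gpoStore

# Phase 1 authentication set: proposals are tried in order, which mirrors the
# wizard's "first method, then second method" behaviour.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$cert = New-NetIPsecAuthProposal -Machine -Cert -Authority $caName -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain auth (Kerberos, then certificate)' `
    -Proposal $kerb, $cert -GPOSession $gpo

# Isolation rule: the middle Requirements option (require inbound, request
# outbound), scoped to the Domain profile so it never fires on public networks.
New-NetIPsecRule -DisplayName 'Isolation - require in, request out' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Domain -GPOSession $gpo

# Authentication exemption: a rule with no security requirement in either
# direction for infrastructure that cannot authenticate (DHCP/DNS appliances).
New-NetIPsecRule -DisplayName 'Exempt network appliances' `
    -RemoteAddress $exempt `
    -InboundSecurity None -OutboundSecurity None -GPOSession $gpo

# Commit to the GPO, then read back what was actually written for review
Save-NetGPO -GPOSession $gpo
Get-NetIPsecRule -PolicyStore $gpoStore |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Profile
```

Before linking the GPO, test with a request-only rule first: a Require rule breaks connectivity to every host that does not hold a matching rule or exemption, and the read-back at the end is what you compare against the wizard's rule list.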
There are other configurable options for IPSec connection that can be viewed by right clicking on Windows Firewall with Advanced Security – LDAP and selecting Properties:
In the IPSec settings you can configure the default settings that will be used by all computers when no rule overrides them. You can enable or disable ICMP exemption for IPSec connections, specify which computers are authorized to establish IPSec tunnel connections with this computer, or configure the default IPSec settings used to establish secured connections:
When customizing the IPSec settings you can choose the main mode and quick mode settings, or choose the preferred authentication method:
That’s it for the connection security rules folks, hope you’ve enjoyed this article. Wish you all the best and stay tuned for the following articles.