How to configure Connection Security Rules


Now that we’ve learned how to configure an IPSec policy it’s time to learn how to configure a Connection Security Rule. If you haven’t followed the previous articles, please take some time to read them before proceeding, so that you are familiar with all the elements we’ve covered so far. Without further delay, open the Group Policy Management Console and create a new GPO. In the GPO editor, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security, right-click Connection Security Rules and select New Rule:
[Screenshot: Connection Security Rule]
From the Rule Type page we can create five different types of connection security rules:
[Screenshot: IPSec Connection Security Rule]
  • Isolation – restricts connections based on authentication criteria such as domain membership or health status; this is the rule type behind domain and server isolation. When a connection matches the rule, IPSec negotiation starts as configured on the rule’s Requirements page. The network profile (domain, private, public) chosen on the Profile page only scopes where the rule applies; the profile a machine is on is decided by network location awareness and, for private/public networks, can be changed from Network and Sharing Center.
  • Authentication exemption – exempts the specified computers (by IP address, subnet or range) from the authentication required by other rules. Typical candidates are infrastructure hosts a client must reach before it can authenticate at all, such as domain controllers, DNS and DHCP servers. Traffic to exempted hosts is neither authenticated nor protected, so keep the list short.
  • Server-to-Server – authenticates connections between two sets of computers or IP addresses (Endpoint 1 and Endpoint 2); use it for rules between specific servers rather than for the whole domain.
  • Tunnel – configures IPSec in tunnel mode, where the entire packet is encapsulated and sent to a tunnel endpoint; this is the type used between VPN/IPSec gateways.
  • Custom – a custom rule exposes every page of the wizard and lets you combine the features of the other rule types.
After you select the desired rule type and continue with the wizard, you will be redirected to one of the following pages:
Requirements – on this page you specify when authentication should occur. There are three options:
  • Request authentication for inbound and outbound connections – IPSec is attempted, but if the peer cannot negotiate, the connection falls back to clear text. Fine for a pilot, but it enforces nothing.
  • Require authentication for inbound connections and request authentication for outbound connections – unauthenticated inbound traffic is dropped, outbound traffic still falls back to clear text. This is the usual choice for server isolation.
  • Require authentication for inbound and outbound connections – both directions are dropped unless authenticated. Apply this only after the exemption rules for domain controllers, DNS and DHCP are in place, or the computer will be unable to reach the infrastructure it needs to authenticate.
A Custom rule additionally offers Do not authenticate, which is how an exemption is expressed:
[Screenshot: IPSec authentication]
Exempt Computers – on this page (authentication exemption rules only) you list the remote computers, by IP address, subnet or range, that are exempt from the authentication requirements:
[Screenshot: IPSec Exempt Computers]
Endpoints – here you configure the computers that take part in the secured communication. The rule matches traffic between the addresses in Endpoint 1 and those in Endpoint 2; an isolation rule typically uses Any IP address on both sides, a server-to-server rule the specific hosts or subnets:
[Screenshot: Connection Security Rules Endpoints]
Tunnel type – for an IPSec tunnel-mode rule you choose one of the following tunnel types: Custom configuration (you specify both tunnel endpoints yourself), Client-to-gateway (the computers the rule applies to are the clients and the remote tunnel endpoint is a gateway) or Gateway-to-client (the reverse). At the bottom of this page, the “Exempt IPsec protected connections” option controls whether traffic that is already protected by another, transport-mode IPSec rule bypasses the tunnel instead of being encapsulated a second time:
[Screenshot: IPSec Tunnel Type]
Authentication method – here you choose how the IPSec peers authenticate each other. The choices are Default (use the authentication method set in the IPSec Settings of the Properties dialog, described further down), Computer and user (Kerberos V5), Computer (Kerberos V5), Computer certificate from a given CA (you pick the signing algorithm, the certificate store type and the CA name, and can restrict it to health certificates) or Advanced:
[Screenshot: Authentication method]
In the advanced section you configure a First authentication and, optionally, a Second authentication. First authentication establishes the computer’s identity; Second authentication is an additional user (or user certificate) authentication performed after the first one, not a fallback for it: when both are configured, both must succeed unless you tick “Second authentication is optional” (or, conversely, “First authentication is optional”). Within each of the two you can list several methods; the peers negotiate one of them in that order of preference. The First authentication methods are:
Computer (Kerberos V5), Computer (NTLMv2), Computer certificate from a specified CA or Preshared key
The Second authentication methods are User (Kerberos V5), User (NTLMv2), a user health certificate or a user certificate from a specified CA. Preshared key is meant for testing only: the key is stored in clear text in the policy, and selecting it disables Second authentication.
[Screenshot: IPSec Authentication Method]
Profile – in this section you specify where the rule applies: domain, private or public networks:
[Screenshot: IPSec]
Name – at the end of the wizard you specify the rule’s name and description:
[Screenshot: Connection Security Rule Name]
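The wizard pages above map one-to-one onto the NetSecurity PowerShell cmdlets (Windows 8 / Server 2012 and later), which is the way to do this repeatably and to diff what a GPO actually contains. The script below is an added example, not code from the original article: it builds an isolation rule (require inbound, request outbound), the matching authentication exemption for the domain controllers and DHCP server, and a server-to-server rule, all inside a GPO. The domain name contoso.com, the GPO name IPsec-ServerIsolation, the CA distinguished name and every IP address in it are assumptions; run it from a management host with RSAT/GPMC installed.

```powershell
# Added example (not from the original article). Assumed: domain contoso.com,
# GPO "IPsec-ServerIsolation", the CA DN and the IP addresses below.
$store = "contoso.com\IPsec-ServerIsolation"   # assumed domain\GPO name
$gpo   = Open-NetGPO -PolicyStore $store       # batch every change, save once at the end

# --- Authentication method (the "Advanced" page) ------------------------------
# First authentication = computer identity. Methods are offered in list order.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$machineCert = New-NetIPsecAuthProposal -Machine -Cert `
                 -Authority "CN=Contoso Root CA,DC=contoso,DC=com" -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer: Kerberos or Contoso cert" `
            -Proposal $machineKerb, $machineCert -GPOSession $gpo

# Second authentication = user identity, performed after the first (AuthIP).
# It is not a fallback. -Anonymous is "Second authentication is optional":
# a peer that presents no user identity is still accepted on computer identity.
$userKerb = New-NetIPsecAuthProposal -User -Kerberos
$anon     = New-NetIPsecAuthProposal -Anonymous
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName "User: Kerberos (optional)" `
            -Proposal $userKerb, $anon -GPOSession $gpo

# --- Isolation rule: Requirements + Endpoints + Profile -----------------------
# Require inbound / request outbound, any-to-any, domain profile only.
New-NetIPsecRule -DisplayName "Isolation: require inbound, request outbound" `
    -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -LocalAddress Any -RemoteAddress Any `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain -GPOSession $gpo

# --- Authentication exemption rule --------------------------------------------
# Without this, clients would have to authenticate to the very DCs and DHCP
# server they need in order to authenticate. Exempt traffic goes in clear text.
$infraHosts = "10.0.0.10", "10.0.0.11", "10.0.0.20"   # assumed DC, DC, DHCP
New-NetIPsecRule -DisplayName "Exempt: domain controllers and DHCP" `
    -InboundSecurity None -OutboundSecurity None `
    -LocalAddress Any -RemoteAddress $infraHosts `
    -Profile Domain -GPOSession $gpo

# --- Server-to-server rule: require both ways between two subnets -------------
New-NetIPsecRule -DisplayName "S2S: web tier <-> SQL tier" `
    -InboundSecurity Require -OutboundSecurity Require `
    -LocalAddress 10.0.1.0/24 -RemoteAddress 10.0.2.0/24 `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain -GPOSession $gpo

Save-NetGPO -GPOSession $gpo

# --- Checks -------------------------------------------------------------------
# What the GPO now contains (compare against what the wizard shows):
Get-NetIPsecRule -PolicyStore $store |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Profile -AutoSize

# On a member after gpupdate /force: are security associations actually built?
# No SAs while traffic flows means the peer fell back to clear text (Request)
# or is being dropped (Require). With IPsec Main/Quick Mode auditing enabled,
# the Security log carries the negotiation failures.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

Keep the exemption rule and the isolation rule in the same GPO so they arrive together; an isolation rule that reaches a client before its exemptions does exactly the damage the Requirements page warns about.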
There are other configurable options for IPSec connections that can be viewed by right-clicking on the Windows Firewall with Advanced Security – LDAP node (the node name carries the LDAP path of the GPO) and selecting Properties:
[Screenshot: Windows Firewall with Advanced Security - LDAP]
In the IPSec settings you configure the defaults every computer uses when no rule overrides them: whether ICMP is exempt from IPSec (convenient for ping while troubleshooting, but it also lets unauthenticated hosts probe the machine), which computers and users are authorized to establish IPSec tunnel connections to this computer, and the default IPSec settings (key exchange, data protection and authentication) used to establish secured connections:
When customizing the IPSec defaults you can set the key exchange (main mode) and data protection (quick mode) algorithms and lifetimes, and choose the default authentication method. The built-in defaults still include DH Group 2, 3DES and SHA-1, so in practice you replace them with AES-256, SHA-256 and DH Group 14 or an ECDH group:
[Screenshot: IPSec default authentication method]
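The same Properties settings, set in a GPO from PowerShell, as an added example that is not part of the original article. It uses the same assumed GPO name as above (contoso.com\IPsec-ServerIsolation); the group SID in the tunnel authorization list is made up and must be replaced with the SID of your own gateway computer group.

```powershell
# Added example (not from the original article). Assumed: GPO name and the
# tunnel-authorization group SID.
$store = "contoso.com\IPsec-ServerIsolation"   # assumed domain\GPO name
$gpo   = Open-NetGPO -PolicyStore $store

# "Exempt ICMP from IPsec": useful while rolling out, but it means any host can
# ping the box unauthenticated. Set it back to None once the policy is stable.
Set-NetFirewallSetting -Exemptions Icmp -GPOSession $gpo

# Tunnel authorization: only computers in this group may build an IPsec tunnel
# to the machine. The SDDL grants the CC (connect) right to the group's SID.
$tunnelGroupSid = "S-1-5-21-1111111111-2222222222-3333333333-1234"   # assumed
Set-NetFirewallSetting -RemoteMachineTunnelAuthorizationList "O:LSD:(A;;CC;;;$tunnelGroupSid)" `
    -GPOSession $gpo

# Key exchange (main mode): replace the DH Group 2 / 3DES / SHA-1 era defaults.
$mm = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
New-NetIPsecMainModeCryptoSet -DisplayName "MM: AES256/SHA256/DH14" `
    -Proposal $mm -Default -GPOSession $gpo

# Data protection (quick mode): ESP with AES-256 and SHA-256 integrity,
# rekey every hour or every 100 MB. No AH, no integrity-only proposal.
$qm = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256 `
        -MaxMinutes 60 -MaxKilobytes 102400
New-NetIPsecQuickModeCryptoSet -DisplayName "QM: ESP AES256/SHA256" `
    -Proposal $qm -Default -GPOSession $gpo

# Default authentication method, used by every rule whose method is "Default".
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -DisplayName "Default: computer Kerberos" `
    -Proposal $kerb -Default -GPOSession $gpo

Save-NetGPO -GPOSession $gpo

# Checks: what the GPO now says, and what a member actually negotiated.
Get-NetFirewallSetting -PolicyStore $store |
    Format-List Exemptions, RemoteMachineTunnelAuthorizationList
Get-NetIPsecMainModeCryptoSet -PolicyStore $store | Format-List DisplayName, Proposal
Get-NetIPsecMainModeSA        # confirm the AES256/SHA256/DH14 suite is in use
```

The crypto sets marked -Default replace the store's defaults rather than adding to them, so a peer that only offers the old 3DES/SHA-1 suites will fail main mode after this policy applies; stage it on a test OU first.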
That’s it for the connection security rules folks, hope you’ve enjoyed this article. Wish you all the best and stay tuned for the following articles.