Step 2: Create the Connection Security Rules for the Remote Client and IPsec Gateway
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
You now have a client on a “public” network, and a server that is dual-homed on the “public” network with the client computer, and the “private” network with the domain controller. Because the client does not have access to the domain controller to receive Group Policy updates, you must create the tunnel mode IPsec rules manually.
Important
This section of the guide uses features that are present only on computers that are running Windows 7 and Windows Server 2008 R2, and will not work as written on computers that are running earlier versions of Windows.
To create the tunnel mode rule on CLIENT1
On CLIENT1, start the Windows Firewall with Advanced Security MMC snap-in.
Right-click Connection Security Rules, and then click New Rule.
On the Rule Type page, select Tunnel, and then click Next.
On the Tunnel Type page, select Client-to-gateway, and then click Next.
On the Requirements page, select Require authentication for inbound and outbound connections, and then click Next.
On the Tunnel Endpoints (Client-to-Gateway) page, in Remote tunnel endpoint, type the IPv4 address of MBRSVR1: 131.107.0.100.
Note that you do not have to specify the local tunnel endpoint; it is already configured as My IP address. This is a new feature of Windows 7 and Windows Server 2008 R2 that simplifies GPO deployment, because this rule matches all clients of the gateway server. You no longer have to deploy multiple rules with specific local tunnel endpoint settings for each client computer.
Under What are the remote endpoints?, click Add.
Type the subnet identifier for the private network behind the gateway by using classless inter-domain routing (CIDR) notation: 192.168.0.0/24, click OK, and then click Next.
On the Authentication Method page, select Advanced, and then click Customize.
Under First authentication methods, click Add.
On the Add First Authentication Methods page, select Preshared key, type TunnelPassword123 in the text box, click OK two times, and then click Next.
Warning
Do not use preshared keys in a production environment. They are not considered secure, and are not easily managed. Use computer certificates either purchased from a third-party vendor, or created by an in-house certification authority, such as a computer that is running Windows Server 2008 R2 with the Active Directory Certificate Services server role. The Preshared key authentication method is used in this guide only because it is beyond the scope of the guide to create a certification authority for this one step.
On the Profile page, click Next.
On the Name page, type Tunnel on Client, and then click Finish.
To create the tunnel mode rule on MBRSVR1
On MBRSVR1, start the Windows Firewall with Advanced Security MMC snap-in.
Right-click Connection Security Rules, and then click New Rule.
On the Rule Type page, select Tunnel, and then click Next.
On the Tunnel Type page, select Gateway-to-client, and then click Next.
On the Requirements page, select Require authentication for inbound and outbound connections, and then click Next.
On the Tunnel Endpoints (Gateway-to-Client) page, in What are the local endpoints, click Add. Type the subnet identifier for the private network behind the gateway by using classless inter-domain routing (CIDR) notation: 192.168.0.0/24.
Under Local tunnel endpoint, type the IPv4 address of the public network connection on MBRSVR1, 131.107.0.100, and then click Next.
Note that you do not have to specify the client IP address; it is already configured as Any IP address. This is a new feature of Windows 7 and Windows Server 2008 R2 that simplifies GPO deployment, because this rule matches all clients of the gateway server. You no longer have to deploy multiple rules with specific local tunnel endpoint settings for each client computer.
Also note the Apply IPsec tunnel authorization check box. This is a feature new of Windows 7 and Windows Server 2008 R2, and appears on Gateway-to-Client and Custom tunnel rule types. On the Properties page of Windows Firewall with Advanced Security, on the IPsec Settings tab, you can specify users and computers that are authorized to connect to this gateway by using the tunnel. Then you can use this check box to specify whether the tunnel established by this rule is subject to those user and computer restrictions. If you use this option then the authentication type you specify on the next page must include support for the credential types that can identify the user or computer accounts authorized.
On the Authentication Method page, select Advanced, and then click Customize.
Under First authentication methods, click Add.
On the Add First Authentication Methods page, select Preshared key, type TunnelPassword123 in the text box, click OK two times, and then click Next.
Warning
Do not use preshared keys in a production environment. They are not considered secure, and are not easily managed. Use computer certificates either purchased from a third-party vendor, or created by an in-house certification authority, such as a computer that is running Windows Server 2008 R2 with the Active Directory Certificate Services server role. The Preshared key authentication method is used in this guide only because it is beyond the scope of the guide to create a certification authority for this one step.
On the Profile page, click Next.
On the Name page, type Tunnel on Gateway, and then click Finish.
Next topic: Step 3: Test Your Tunnel Mode Rules