Configure Connection Security Rules for End-to-end Access
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).
After you have used the DirectAccess Setup Wizard to create a base configuration for selected server access, you must manually modify the connection security rules to require end-to-end IPsec peer authentication and encryption between the DirectAccess client and intranet resources. You can configure these rules for the following:
Encryption is required between DirectAccess clients and intranet resources only when the DirectAccess client is on the Internet (no encryption when the DirectAccess client is on the intranet).
Encryption is always required between DirectAccess clients and intranet resources (encryption when the DirectAccess client is on the intranet or the Internet).
Because the default connection security rules contain settings that are not configurable with the Windows Firewall with Advanced Security snap-in, you must modify the connection security rules with commands in the netsh advfirewall consec context.
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
In this procedure, you configure end-to-end access connection security rules to require encryption only when DirectAccess clients are on the Internet.
To configure end-to-end access connection security rules to require encryption only when DirectAccess clients are on the Internet
On a domain controller, start a command prompt as an administrator.
From the Command Prompt window, run the netsh –c advfirewall command.
From the netsh advfirewall prompt, run the following commands:
set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
consec set rule name=”DirectAccess Policy-clientToAppServer” new qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb” action=requireinrequireout
consec set rule name=”DirectAccess Policy-ClientToCorp” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-ClientToDnsDc” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-ClientToMgmt” new exemptipsecprotectedconnections=yes
set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}”
consec set rule name=”DirectAccess Policy-DaServerToMgmt” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToCorp” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToDnsDc” new exemptipsecprotectedconnections=yes
set store gpo=”DomainName\DirectAccess Policy-{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}”
consec set rule name=”DirectAccess Policy-appServerToIpHttpsClientPolicy” new qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”
consec set rule name=”DirectAccess Policy-appServerToClient” new qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”
In this procedure, you configure end-to-end access connection security rules to always require encryption.
To configure end-to-end access connection security rules to always require encryption
On a domain controller, start a command prompt as an administrator.
From the Command Prompt window, run the netsh –c advfirewall command.
From the netsh advfirewall prompt, run the following commands:
set store gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”
consec set rule name=”DirectAccess Policy-clientToAppServer” new endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”
consec set rule name=”DirectAccess Policy-ClientToCorp” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-ClientToDnsDc” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-ClientToMgmt” new exemptipsecprotectedconnections=yes
set store gpo=”DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}”
consec set rule name=”DirectAccess Policy-DaServerToMgmt” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToCorp” new exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToDnsDc” new exemptipsecprotectedconnections=yes
set store gpo=”DomainName\DirectAccess Policy-{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}”
consec set rule name=”DirectAccess Policy-appServerToIpHttpsClientPolicy” new endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”
consec set rule name=”DirectAccess Policy-appServerToClient” new endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb”
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.