3.1.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with what is described in this document.

GlobalConfiguration: A table of policy configuration options where each entry contains:

  • GlobalOptionType: This identifies the global option type. The global option types supported by this protocol are defined by the data type FW_GLOBAL_CONFIG (section 2.2.42).

  • GlobalOptionValue: This contains the current value for this global option type. See FW_GLOBAL_CONFIG (section 2.2.42) for details about the data type used to represent each global option type.

ProfileConfiguration: A table of policy configuration options that apply to a single profile where each entry contains:

  • ProfileOptionType: This identifies the profile option type. The profile option types supported by this protocol are defined by the data type FW_PROFILE_CONFIG (section 2.2.38).

  • ProfileOptionValue: This contains the current value for this profile option type. See FW_PROFILE_CONFIG (section 2.2.38) for details about the data type used to represent each profile option type.

ProfileConfigurationTable: This is a table of the ProfileConfiguration objects for each profile type, where each entry contains:

  • ProfileType: This identifies the profile to which the configuration applies. The profile types supported by this protocol are defined by the data type FW_PROFILE_TYPE (section 2.2.2). This table only contains entries for the domain, private, and public profiles.

  • ProfileConfiguration: This contains the configuration options for that profile.

FirewallRule: This describes a firewall rule, which is defined in this protocol by the data type FW_RULE (section 2.2.37).

FirewallRules: A set of FirewallRule objects.

AuthenticationSet: This describes an authentication set, which is defined in this protocol by the data type FW_AUTH_SET (section 2.2.65). This object contains two additional properties:

  • IsAuthPrimary: A Boolean value indicating that this is a primary set. The Phase 1 and Phase 2 primary authentication sets are identified by well-known set IDs as specified in section 2.2.65. Note that the value of this property can always be derived from the set ID; it is described separately solely for convenience.

    Primary authentication sets differ from other authentication sets in that they are guaranteed to exist in the GroupPolicyRSoPStore and the LocalStore. If the administrator does not explicitly add the primary sets, the server initializes them to default values. See section 3.1.3 for details.

    Although this protocol imposes no limitations on how administrators use the primary authentication sets, the intent is to decouple management of authentication settings from management of connection security and main mode rules. In this model, most rules do not use unique authentication sets, but instead reference the primary sets.

  • IsAuthConfigured: A Boolean value indicating that this set was configured by an administrator rather than initialized to hard-coded values. This property MUST be ignored if IsAuthPrimary is false.

AuthenticationSets: A set of AuthenticationSet objects.

CryptoSet: This describes a crypto set, which is defined in this protocol by the data type FW_CRYPTO_SET (section 2.2.74). This object contains two additional properties:

  • IsCryptoPrimary: A Boolean value indicating that this is a primary set. The Phase 1 and Phase 2 primary crypto sets are identified by well-known set IDs as specified in section 2.2.74. Note that the value of this property can always be derived from the set ID; it is described separately solely for convenience.

    Primary crypto sets differ from other crypto sets in that they are guaranteed to exist in the GroupPolicyRSoPStore and the LocalStore. If the administrator does not explicitly add the primary sets, the server initializes them to default values. See section 3.1.3 for details.

    Although this protocol imposes no limitations on how administrators use the primary crypto sets, the intent is to decouple management of crypto settings from management of connection security rules. In this model, most rules do not use unique crypto sets, but instead reference the primary sets.

  • IsCryptoConfigured: A Boolean value indicating this set was configured by an administrator rather than initialized to default values by the server. This property MUST be ignored if IsCryptoPrimary is false.

CryptoSets: A set of CryptoSet objects.

ConnectionSecurityRule: This describes a connection security rule, which is defined in this protocol by the data type FW_CS_RULE (section 2.2.55). A ConnectionSecurityRule contains references to AuthenticationSet and CryptoSet objects in the store.

ConnectionSecurityRules: A set of ConnectionSecurityRule objects.

MainModeRule: A main mode rule, which is defined in this protocol by the data type FW_MM_RULE (section 2.2.85). A MainModeRule contains a reference to an AuthenticationSet in the store.

MainModeRules: A set of MainModeRule objects.

PolicyStore: This represents a collection of policy settings. A PolicyStore contains a single instance of each of the following objects:

  • GlobalConfiguration

  • ProfileConfigurationTable

  • FirewallRules

  • AuthenticationSets

  • CryptoSets

  • ConnectionSecurityRules

  • MainModeRules

PolicyStoreConnection: This represents a client connection to a PolicyStore. It maintains the association between the RPC connection and the PolicyStore being managed. It contains the following fields:

  • StoreType: The type of store being managed, which is defined in this protocol by the data type FW_STORE_TYPE (section 2.2.1). This value MUST be FW_STORE_TYPE_GP_RSOP, FW_STORE_TYPE_LOCAL, FW_STORE_TYPE_DYNAMIC, or FW_STORE_TYPE_DEFAULTS.

  • BinaryVersion: An unsigned integer representing the binary version of the RPC interface used by the client. This value MUST be a valid Protocol Version (see section 2.2.42).

PortInUse: This represents an Internet Protocol transport layer port that is currently in use by an endpoint on the local computer. It contains the following fields:<28>

  • AddressFamily: The address family of the endpoint. This MUST be IPv4 or IPv6.

  • TransportProtocol: The transport protocol used by the endpoint. This MUST be TCP or UDP.

  • PortNumber: The port number used by the transport protocol. This MUST be an integer in the range of 1 to 65535 inclusive.

  • IsDynamicRPC: A Boolean value indicating that the port is in use by an RPC server, and that the port was randomly selected at runtime.

  • IsRPCEndpointMapper: A Boolean value indicating that the port is in use by the RPC endpoint mapper.

  • IsTeredo: A Boolean value indicating that the port is in use by Teredo.

  • IsIPTLSIn: A Boolean value indicating that the port is in use for inbound IP-TLS connections.

  • IsIPTLSOut: A Boolean value indicating that the port is in use for outbound IP-TLS connections.

  • IsDHCPClient: A Boolean value indicating that the port is in use by the DHCP client.

  • IsPlayToDiscovery: A Boolean value indicating that the port is in use by PlayTo.

  • IsMDNS: A Boolean value indicating that the port is in use by Multicast DNS.

  • IsCortanaOut: A Boolean value indicating that the port is in use by Cortana.

  • IsProximalTCPCDP: A Boolean value indicating that the port is in use for proximal TCP Connected Device Platform Service (CDPSvc).

  • NATTraversalRequested: A Boolean value indicating that the application that created the endpoint is designed to take advantage of IPv6 NAT traversal capabilities (Teredo, for example).

PortsInUse: A set of PortInUse objects. The contents of the PortsInUse collection are determined solely through the AddPortInUse (section 3.1.6.1) and DeletePortInUse (section 3.1.6.2) abstract interfaces.

TrustTuple: This describes Internet Protocol transport layer traffic that is currently being sent or received by an endpoint on the local computer. It contains the following fields:

  • AddressFamily: The address family of the traffic. This MUST be IPv4 or IPv6.

  • TransportProtocol: The transport protocol used by the traffic. This MUST be TCP or UDP.

  • LocalAddress: The local IPv4 or IPv6 address of the traffic.

  • RemoteAddress: The remote IPv4 or IPv6 address of the traffic.

  • LocalPortNumber: The local port number used by the transport protocol. This MUST be an integer in the range of 1 to 65535 inclusive.

  • RemotePortNumber: The remote port number used by the transport protocol. This MUST be an integer in the range of 1 to 65535 inclusive.

  • IsProximity: A Boolean value indicating that the remote endpoint is located in close physical proximity to the local computer.

  • IsProximitySharing: A Boolean value indicating that the traffic is used to share data with a remote endpoint located in close physical proximity to the local computer.

  • IsWFDPrint: A Boolean value indicating that the traffic is used to send data to a printer over Wi-Fi Direct.

  • IsWFDDisplay: A Boolean value indicating that the traffic is used to mirror or extend the local computer screen with a display device over Wi-Fi Direct.

  • IsWFDDevices: A Boolean value indicating that the traffic is used to send data to a device over Wi-Fi Direct.

  • IsWFDMaUsbWirelessDocking: A Boolean value indicating that the traffic is used to send data in Media Agnostic USB for Wireless Docking scenarios.

  • IsUpnP-Secure-Sockets-with-Teredo: A Boolean value indicating that the traffic is temporarily used by the device to perform UPnP Port mapping operations with the Internet Gateway Device (IGD), for the purpose of improving Teredo operations.

  • IsWFDCDPSvc: A Boolean value indicating that the traffic is used to send data by the Wi-Fi Direct in the Connected Devices Platform scenarios.

TrustTuples: A set of TrustTuple objects. The contents of the TrustTuples collection are determined solely through the AddTrustTuple (section 3.1.6.7) and DeleteTrustTuple (section 3.1.6.8) abstract interfaces.

MSFASPServer: This represents the state maintained by a server that implements this protocol. It contains multiple instances of PolicyStore. These instances are identified by the data type FW_STORE_TYPE (section 2.2.1). The server maintains the following objects:

  • GroupPolicyRSoPStore: An instance of PolicyStore corresponding to FW_STORE_TYPE_GP_RSOP. The state of this object MUST be maintained in persistent storage.

  • LocalStore: An instance of PolicyStore corresponding to FW_STORE_TYPE_LOCAL. The state of this object MUST be maintained in persistent storage.

  • DynamicStore: An instance of PolicyStore corresponding to FW_STORE_TYPE_DYNAMIC.

  • DefaultsStore: An instance of PolicyStore corresponding to FW_STORE_TYPE_DEFAULTS. The state of this object MUST be maintained in persistent storage. The name DefaultsStore was chosen to maintain consistent naming between the ADM and the data types and operations defined in this protocol. However, this element is not used to store default settings in the traditional sense. Instead, it is used to store a known good configuration for the LocalStore. The administrator can explicitly revert the LocalStore to these settings by invoking RRPC_FWRestoreDefaults (section 3.1.4.3). Otherwise, the contents of this store are ignored.

  • PortsInUse: This represents the set of all PortInUse objects managed by the server. Elements are added and deleted from this set through the abstract interfaces AddPortInUse and DeletePortInUse.

  • TrustTuples: This represents the set of all TrustTuple objects managed by the server. Elements are added and deleted from this set through the abstract interfaces AddTrustTuple and DeleteTrustTuple.