Add, edit, or remove IPSec filters
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To add, edit, or remove IPSec filters
1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.
2. Double-click the policy that you want to modify.
3. Double-click the rule that contains the IP filter list you want to modify.
4. On the IP Filter List tab, double-click the IP filter list that contains the IPSec filter you want to modify.
5. In the IP Filter List dialog box, do one of the following:
   - To add a filter, click Add.
   - To modify an existing filter, select the filter that you want to modify, and then click Edit.
   - To remove an existing filter, select the filter that you want to remove, and then click Remove.
6. If you are adding or editing a filter, in IP Filter Properties, click the Addresses tab, and then select the Source Address:

   Select | To secure packets from
   My IP Address | All IP addresses on the computer for which you are configuring this filter.
   Any IP Address | Any computer.
   A Specific DNS Name | The Domain Name System (DNS) name that you specify in Host name. The DNS name is resolved to its IP addresses, and then filters are automatically created for the resolved IP addresses. This option is only available when creating new filters.
   A Specific IP Address | The IP address that you specify in IP Address.
   A Specific IP Subnet | The IP subnet, as defined by the IP address that you specify in IP Address and the subnet mask that you specify in Subnet Mask.
   DNS Servers <dynamic> | The DNS server(s) for the computer for which you are configuring this filter. Changes in DNS server addresses are automatically detected, and the filter is updated as needed.
   WINS Servers <dynamic> | The WINS server(s) for the computer for which you are configuring this filter. Changes in WINS server addresses are automatically detected, and the filter is updated as needed.
   DHCP Server <dynamic> | The DHCP server for the computer for which you are configuring this filter. Changes in DHCP server addresses are automatically detected, and the filter is updated as needed.
   Default Gateway <dynamic> | The default gateway for the computer for which you are configuring this filter. Changes in the default gateway address are automatically detected, and the filter is updated as needed.

7. Click Destination Address, and repeat step 6 for the destination address.
8. Select the appropriate Mirrored setting:

   To | Do this
   Automatically create two filters based on the filter settings, one for traffic to the destination and one for traffic from the destination | Select the Mirrored check box.
   Create a single filter based on the filter settings | Clear the Mirrored check box.
   Create a filter for an IPSec tunnel | Clear the Mirrored check box. For IPSec tunnels, you must create two filter lists: one list describes the traffic to be sent through the tunnel (outbound traffic) and another describes the traffic to be received through the tunnel (inbound traffic). Then, create two rules that use the inbound and outbound filter lists in your policy.

9. On the Description tab, in Description, type a description for this filter (for example, specify to what computers and traffic types it applies).
10. If you require additional IP filtering by a specific protocol or port number, on the Protocol tab, configure advanced filter settings.
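The same add, edit, and remove operations expressed with the netsh ipsec static context that ships with Windows Server 2003, as an added example that is not part of the original page. The filter list names, addresses, ports, and descriptions are constructed for illustration; the srcaddr and dstaddr keywords me, any, and dns correspond to My IP Address, Any IP Address, and DNS Servers <dynamic> in the Addresses tab table above, and the last part covers the two unmirrored filter lists that the Mirrored table calls for with an IPSec tunnel.

```cmd
rem Added example (not from the original page): netsh equivalents of the snap-in steps,
rem typed at a command prompt on Windows Server 2003. Names, addresses and ports are constructed.

rem Steps 1-5: the filter list is the container shown in the IP Filter List dialog box.
netsh ipsec static add filterlist name="Web Server" description="Traffic to be secured for the web server"

rem Steps 6-8 (Add): Source Address = Any IP Address, Destination Address = My IP Address,
rem TCP to port 80 (srcport=0 means any source port). mirrored=yes is the Mirrored check box:
rem the matching reverse filter (server to client) is generated automatically.
netsh ipsec static add filter filterlist="Web Server" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP from any client"

rem A Specific IP Subnet as the source: the address plus the subnet mask from the Addresses tab.
netsh ipsec static add filter filterlist="Web Server" srcaddr=10.0.5.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS from the 10.0.5.0/24 management subnet"

rem DNS Servers <dynamic> as the destination (keyword dns): the filter follows changes to the
rem computer's configured DNS servers, like the dynamic option in the table.
netsh ipsec static add filter filterlist="Web Server" srcaddr=me dstaddr=dns protocol=UDP srcport=0 dstport=53 mirrored=yes description="DNS lookups"

rem Remove (the Remove button): the filter is identified by the same address, protocol and port values.
netsh ipsec static delete filter filterlist="Web Server" srcaddr=me dstaddr=dns protocol=UDP srcport=0 dstport=53

rem IPSec tunnel (third row of the Mirrored table): two unmirrored, address-only filter lists,
rem one for outbound traffic and one for inbound traffic, each attached later to its own tunnel rule.
netsh ipsec static add filterlist name="Tunnel Outbound" description="Traffic sent through the tunnel"
netsh ipsec static add filter filterlist="Tunnel Outbound" srcaddr=10.0.0.0 srcmask=255.255.0.0 dstaddr=172.16.0.0 dstmask=255.255.0.0 mirrored=no
netsh ipsec static add filterlist name="Tunnel Inbound" description="Traffic received through the tunnel"
netsh ipsec static add filter filterlist="Tunnel Inbound" srcaddr=172.16.0.0 srcmask=255.255.0.0 dstaddr=10.0.0.0 dstmask=255.255.0.0 mirrored=no

rem Check the result: mirrored filters are listed as pairs, the tunnel filters as single entries.
netsh ipsec static show filterlist name="Web Server" level=verbose
netsh ipsec static show filterlist name="Tunnel Outbound" level=verbose
```

A filter list created this way is only enforced once a rule in an assigned policy references it, which is the policy and rule you navigate through in steps 2 and 3; the show command is the quickest way to confirm that a mirrored entry really produced both directions and that the tunnel lists contain address-only, unmirrored filters.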
Caution
Filters are the most important part of IPSec policy for a computer which is protected by IPSec. If you do not specify the proper filters in either client or server policies, or if the IP addresses change before the policy's filters are updated, security might not be provided.
When adding a new static IP address to a protected computer:
- Modify the IPSec policy filters on all clients and servers that make security requests to the protected computer. Ensure that those clients have updated their policy before adding the new address.
- Inspect the policy being used on the protected computer. If the filters specify static IP addresses for local connections, after adding the new IP address to the interface, edit and save the new filter list to include the new static IP address. My IP Address filters will be automatically updated when the new static IP address is added.
If the protected computer is a Web server and your clients use a proxy server, make sure that communications over all network paths are secured by IPSec:
- Between the Web server and all clients that directly connect
- Between the Web server and the proxy server
- Between the proxy server and all clients of the proxy server
The following filter is internally defined to permit (not secure) Internet Key Exchange (IKE) traffic:
Source Address = Any
Destination Address = Any
Protocol = UDP
Source port = 500
Destination port = 500
Important
- In the Windows Server™ 2003 family, IPSec provides new source and destination address options for defining filters. In addition, the default behavior for traffic exemptions has changed. If you require previously exempted traffic types, you must create filters to permit this traffic. For instructions on how to configure permit filters for previously exempted traffic types and information about other IPSec special considerations, see Related Topics.
Notes
To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.
To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.
To configure IP protocol, TCP port, or UDP port settings for a filter, see Related Topics.
For IPSec tunnel rules, only address-based filters are supported. Protocol-specific and port-specific filters are not supported. Tunnel filters should not be mirrored.
Filters are applied in the order of most-specific filters first. Filters are not applied in the order in which they appear in the list.
If an outbound packet does not match any filter, it is sent unsecured.
If an inbound packet does not match any filter, it is permitted.
If an IKE security request is received, the source IP address of the request is used to find a matching filter. The security action and tunnel setting that is associated with that filter determines the IKE response.
The A Specific DNS Name option creates IP address-based filters by resolving a DNS name to its IP addresses at the time the filter is created. The computer name is used only for that one-time resolution; it is not used after the filters are created.
All filters used in tunnel rules are matched first, before end-to-end transport filters are matched.
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
See Also
Concepts
Special IPSec considerations
Start the IP Security Policy Management snap-in
Open MMC
Configure advanced IPSec filter settings
Filter list
Working with MMC console files
Virtual private networking with IPSec