Windows Firewall with Advanced Security and IPsec
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Windows Firewall with Advanced Security is an advanced interface for IT professionals to use to configure both Windows Firewall and Internet Protocol security (IPsec) settings for the computers on their networks. Windows Firewall with Advanced Security is not for home users or for users who are not familiar with advanced firewall or IPsec technologies.
Note
Home users should use the Windows Firewall program in Control Panel instead. To start the Windows Firewall program, click Start, click Control Panel, click Security, and then click Windows Firewall. Help for using the Windows Firewall program can be found either by pressing the F1 key while viewing the main Windows Firewall page or by clicking the links on the Windows Firewall dialog boxes.
This topic describes the documentation currently available for Windows Firewall with Advanced Security in Windows Vista®, Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2. Additional documentation is in development, so check back periodically to see what has been added.
Your feedback is valuable and welcome! Please send your comments and suggestions to Windows Firewall with Advanced Security Documentation Feedback ([email protected]). The author of this guide will review your comments and use them to improve this documentation. Your e-mail address will not be saved or used for any other purposes.
Product Evaluation
What's New in Windows Firewall with Advanced Security
This document identifies new Windows Firewall with Advanced Security features introduced in Windows 7 and Windows Server 2008 R2, as well as features that were introduced with Windows Vista and Windows Server 2008.
Introduction to Windows Firewall with Advanced Security
Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections according to the rules configured by an administrator.
Introduction to Server and Domain Isolation
You can mitigate some of the risks associated with unauthorized and potentially malicious access to your network and its resources by creating an isolated network. By using Active Directory® Domain Services (AD DS) and Group Policy settings, you can isolate both your domain and servers that store sensitive data, thus limiting access to only authenticated and authorized users.
Server Isolation with Microsoft Windows Explained
This topic provides a detailed overview of server isolation. It explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation.
Domain Isolation with Microsoft Windows Explained
This white paper provides a detailed overview of domain isolation. It explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation.
Getting Started
Getting Started documents are designed to help you get the technology up and running in the minimum amount of time.
Windows Firewall with Advanced Security Learning Roadmap
If you are new to Windows Firewall with Advanced Security, this topic can help you identify what you need to learn to fully understand and use all of the features available in Windows Firewall with Advanced Security. It includes prerequisite topics that cover a variety of networking fundamentals. You must understand the prerequisite topics first, because the topics for Windows Firewall with Advanced Security build upon them and assume an understanding of them. Afterwards, you can begin learning about Windows Firewall with Advanced Security by reading the documents in the Level 100, 200, and 300 sections.
Windows Firewall with Advanced Security Getting Started Guide
Although typical end-user configuration of Windows Firewall still takes place through the Windows Firewall program in Control Panel, advanced configuration now takes place in the Microsoft Management Control (MMC) snap-in named Windows Firewall with Advanced Security. This snap-in not only provides an advanced interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers by using Group Policy. Firewall settings are now integrated with IPsec settings, allowing for some synergy: Windows Firewall can now allow traffic based on whether it is secured by IPsec.
Windows Firewall and IPsec Policy Deployment Step-by-Step Guide
This step-by-step guide describes how to deploy Group Policy objects (GPOs) to configure Windows Firewall with Advanced Security in Windows® 7, Windows Vista®, Windows Server® 2008 R2, and Windows Server® 2008. You get hands-on experience in a lab environment using Group Policy Management tools to create and edit GPOs that implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios. This document is also available as a Word .doc file in the Microsoft Download Center at Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies (https://go.microsoft.com/fwlink/?LinkID=102503).
Planning and Architecture
Windows Firewall with Advanced Security Design Guide
This guide helps you design Windows Firewall with Advanced Security settings and rules that meet your goals for network security. Use this guide with the Windows Firewall with Advanced Security Deployment Guide during your planning stages. The Windows Firewall with Advanced Security Design Guide answers the "what," "why," and "when" questions before you work on the "how" questions answered in the Windows Firewall with Advanced Security Deployment Guide. This document is also available combined with the Deployment Guide as a Word .doc file in the Microsoft Download Center at Windows Firewall with Advanced Security Design and Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=114659).
Deployment
Windows Firewall with Advanced Security Deployment Guide
This guide helps you deploy the design that you created by using the Windows Firewall with Advanced Security Design Guide. It includes checklists and procedures that answer the “how” questions to go along with the “what,” “when,” and “why” questions you answered in the Windows Firewall with Advanced Security Design Guide. This document is also available combined with the Design Guide as a Word .doc file in the Microsoft Download Center at Windows Firewall with Advanced Security Design and Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=114659).
Operations
Operations content provides procedures that help you in performing the day-to-day tasks that keep your implementation running smoothly.
How to Configure Windows Firewall for a Passive Mode FTP Server
This article shows you how to create authenticated bypass rules to allow network traffic from trusted computers and users into a computer that would normally be blocked by Windows Firewall.
How to Enable Authenticated Firewall Bypass
This article shows you how to configure firewall rules on an FTP server that allow it to operate in “passive” FTP mode.
Technical Reference
How Windows Firewall with Advanced Security Works
This article contains an explanation of how Windows Firewall with Advanced Security performs its assigned tasks.
IPsec Algorithms and Methods Supported in Windows
This article contains tables that show which IPsec key exchange algorithms, integrity algorithms, encryption algorithms, and authentications methods are supported in each version of the Windows operating system.
Improving Network Performance by Using IPsec Task Offload
This article describes the performance benefits of using a network adapter that contains a dedicated cryptographic processor to offload IPsec computational work from the main processor.
Stealth Mode in Windows Firewall with Advanced Security
This article describes how Windows Firewall with Advanced Security helps to protect your computer by preventing network scanners from discovering information about the network services hosted on the computer.
Netsh Commands for Windows Firewall with Advanced Security
This command-line reference describes how to configure IPsec and Windows Firewall in Windows Vista and later versions of Windows by using the netsh command line tool.
Netsh Commands for IPsec Denial of Service Protection
This command-line reference describes how to configure a computer running Windows Server 2008 R2 to help protect it from denial-of-service attacks. It permits only IPsec-protected IPv6 network traffic, and is configured by using the netsh command line tool.
Netsh Commands for Windows Firewall
This command-line reference describes how to configure Windows Firewall on computers that are running Windows XP and Windows Server 2003 by using the netsh command line tool.
Netsh Commands for Internet Protocol Security (IPsec)
This command-line reference describes how to configure IPsec on computers that are running Windows XP and Windows Server 2003 by using the netsh command line tool.
Troubleshooting
Troubleshooting documentation helps you solve problems that arise when you try to deploy, manage, or use Windows Firewall with Advanced Security.
Windows Firewall with Advanced Security Troubleshooting Guide: Diagnostics and Tools
This article describes common troubleshooting situations and tools you can use for troubleshooting.
Windows Firewall with Advanced Security Event Messages (https://go.microsoft.com/fwlink/?LinkId=96306)
These pages describe some of the Event Log messages that can be generated by Windows Firewall with Advanced Security. Each event message is accompanied by probable causes and recommended resolution steps.
Enable IPsec and Windows Firewall Audit Events
Most of the event messages for Windows Firewall with Advanced security are generated by Windows only when you enable them. This document describes how to enable and disable the events.
Installed Help
Installed Help is available when you open any of the following Microsoft Management Consoles (MMCs), and then press F1: Windows Firewall with Advanced Security, IP Security Policies, and IP Security Monitor. The installed Help provides information about how to use and configure Windows Firewall with Advanced Security and IPsec.
Windows Firewall with Advanced Security (for Windows Vista and Windows Server 2008)
Windows Firewall with Advanced Security (for Windows 7 and Windows Server 2008 R2)
The Authfw.chm file is installed with Windows. It is displayed when you open the Windows Firewall with Advanced Security MMC snap-in and press F1.
Creating and Using IPsec Policies
The Ipsecpolicy.chm file is installed with Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It is displayed when you open the IP Security Policies MMC snap-in and press F1.
Note
The IP Security Policies snap-in is designed for use with earlier versions of Windows and is provided for backward compatibility. Although it can be used to create IPsec policies that can be applied to computers running Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, this snap-in does not support the new security algorithms and other new features available in those newer versions of Windows. To create IPsec polices that use these new algorithms and features, use the Windows Firewall with Advanced Security snap-in.
-
The Ipsecmonitor.chm file is installed with Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It is displayed when you open the IP Security Monitor MMC snap-in and press F1.
Note
The IP Security Monitor snap-in is designed for use with IPsec policies created by the IP Security Policy Management MMC snap-in. It is designed for earlier versions of Windows and is provided for backward compatibility. This snap-in does not support the new security algorithms and other new features available in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. To monitor IPsec when using these new algorithms, use the Monitoring node in the Windows Firewall with Advanced Security snap-in.
Other Information
Windows Firewall and IPsec documentation for earlier versions of Windows
More information about Windows Firewall in earlier versions of Windows can be found at Windows Firewall (https://go.microsoft.com/fwlink/?linkid=95393).
More information about IPsec in earlier versions of Windows can be found at IPsec (https://go.microsoft.com/fwlink/?linkid=95394).
More information about using IPsec for server and domain isolation in earlier versions of Windows can be found at Server and Domain Isolation (https://go.microsoft.com/fwlink/?linkid=95395).