IPSec policy configurations on Windows Server 2008 systems

Windows XP, Server 2003, and 2000 use the same basic interface for implementing IPSec policies. Windows Server 2008 moves these configurations into the Windows Firewall with Advanced Security snap-in (WF.msc), which is a big change from the simple port-allow rules used in previous versions. Windows Firewall has had mixed adoption, but port-level configuration now lives in the same console as the firewall rules, and more steps are required to create a simple port-driven rule.

This sample configuration creates a port rule that allows a specific port, TCP 7329 inbound, to a specific Web service running locally. From the Windows Firewall with Advanced Security console, select the Inbound Rules section, then select New Rule in the Actions pane on the right, as shown in Figure A:

Figure A: Wizard step 1

From this wizard, a port or ports (TCP or UDP) can be selected and given one of three behaviors: the configured ports can be allowed unconditionally, allowed only if the connection is secured by a separate IPSec configuration, or blocked unconditionally. Figure B shows this step of the wizard:

Figure B: Action selection
Once the action is chosen, there are three profiles to which this rule can be applied: the rule can be active when the system is connected to the Windows domain, to a private network, or to a public network, in any combination. The new rule then appears alongside the inbound rules that Windows creates by default, as in Figure C:

Figure C: New rule present

From this you can see that the interface for IPSec and port configuration is quite different from its 2003, 2000, and XP predecessors. However, additional parameters such as the network profile (domain, private, or public) and the rule direction (inbound or outbound) can now be configured in this new interface.
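The same rule the wizard builds above can be scripted, which is useful for reproducing it consistently across servers. This is an added example, not part of the original article; it uses netsh advfirewall (the command-line interface that ships with Windows Server 2008, since the NetSecurity PowerShell cmdlets only arrived in Server 2012), and the service path and remote subnet are placeholders.

```powershell
# Added example: the inbound TCP 7329 rule from the article, built with
# netsh advfirewall instead of the WF.msc wizard. Run from an elevated
# PowerShell prompt. The program path and subnet below are placeholders.

# Scoped form of the rule: bound to the Web service binary, limited to the
# domain and private profiles (the profile step of the wizard), and limited
# to a management subnet. This is the shape a defender wants to ship.
netsh advfirewall firewall add rule name="Web service 7329" `
    dir=in action=allow protocol=TCP localport=7329 `
    program="C:\Path\To\WebService.exe" `
    profile=domain,private `
    remoteip=10.0.0.0/8

# Avoid the wide-open equivalent, which is what a minimal wizard pass gives:
#   netsh advfirewall firewall add rule name="Web service 7329" `
#       dir=in action=allow protocol=TCP localport=7329 profile=any
# That opens the port on every profile, from any address, to any process.

# "Allow the connection if it is secure" variant (the middle action in the
# wizard): the port is reachable only from IPsec-authenticated peers, so a
# matching IPsec connection security rule must also exist.
netsh advfirewall firewall add rule name="Web service 7329 (IPsec only)" `
    dir=in action=allow protocol=TCP localport=7329 `
    security=authenticate profile=domain

# Verify what was created; this is also what to check during an audit of
# inbound rules, since the GUI hides scope details until a rule is opened.
netsh advfirewall firewall show rule name="Web service 7329" verbose
netsh advfirewall firewall show rule name="Web service 7329 (IPsec only)" verbose
```

The rules created here appear in the Inbound Rules list of WF.msc exactly as a wizard-created rule does, so either method can be used to inspect or remove them later.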