Windows 7 / Networking

---

Understanding Connection Security Rules

Connection security rules specify how and when Windows Firewall with Advanced Security uses IPsec to protect traffic passing between the local computer and other computers on the network. Connection security rules force two peer computers to authenticate before a connection can be established between them. Connection security rules can also ensure that communications between the computers is secure by encrypting all traffic passed between them. Connection security rules are typically used in the following types of scenarios:

• Server isolation Server isolation involves configuring connection security rules on a server so that connection attempts from other computers on the network must be authenticated (and optionally, encrypted) before the server accepts these connection attempts. For example, a back-end database server might be configured to accept only authenticated connections from a front-end Web application server. For more information on how server isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic server isolation scenario.
• Domain isolation Domain isolation involves configuring connection security rules on both clients and servers so that domain members accept only authenticated (and optionally, encrypted) connection attempts from other domain members. By default, connection attempts from non-domain members are not accepted, but you can configure exception rules that allow unauthenticated connections from specific non-domain members. For more information on how domain isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic domain isolation scenario.
• Network Access Protection Network Access Protection (NAP) is a technology available in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 that enforces health requirements by monitoring and assessing the health of client computers when they try to connect or communicate on a network. Client computers that are found to be out of compliance with the health policy can then be provided with restricted network access until their configuration has been updated and brought into compliance with policy. Windows Firewall with Advanced Security can be used as part of a NAP implementation by creating connection security rules that require computer certificates for authentication. Specifically, client computers that are determined to be in compliance with health policy are provisioned with the computer certificate needed to authenticate. For more information on how NAP works and how to implement it, see http://www.microsoft.com/nap/.
• DirectAccess DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2 that provides users with the experience of being seamlessly connected to their corporate network any time they have Internet access. Using DirectAccess, users can securely access internal resources such as e-mail servers and intranet sites without the need of first establishing a VPN connection with their corporate network. DirectAccess uses IPv6 together with IPsec tunnels to establish secure, bidirectional communications between the client computer and the corporate network over the public Internet. DirectAccess also seamlessly integrates with server and domain isolation scenarios and NAP implementations enabling enterprises to create comprehensive end-to-end security, access, and health requirement solutions. For more information on how DirectAccess works and how to implement it, see http://www.microsoft.com/directaccess/.