How It Works
By default, the Windows Firewall will allow Internet Key Exchange (IKE) packets to pass
through the firewall on UDP ports 500 and 4500. You have the additional option to allow all
IPSec-protected traffic to bypass the Windows Firewall. To configure this, you can use the
Allow Authenticated IPSec Bypass Group Policy setting to allow incoming, unsolicited IPSec
traffic to bypass the Windows Firewall.
In order for this feature to work effectively, you need to specify which computers should be
allowed to communicate this way. You'll do this in the Group Policy setting listed in Table 3-25
by listing a Security Descriptor Definition Language (SDDL) string that contains a list of the
computers or groups of computers that should be exempt from the Windows Firewall blocking
rules. An SDDL string is formatted as follows:
O:DAG:DAD:(A;;RCGW;;;<SID>)
In this syntax, <SID> refers to the Security Identifier (SID) of the computer or group of
computers to which this policy should apply.
You can obtain the SID of an object within Active Directory by using the getsid.exe utility
from Windows Support Tools. To obtain the SID for a group of computers called DOMAINPCS, for
example, you would use the following syntax:
getsid \\<domain_controller> DOMAINPCS \\<domain_controller> DOMAINPCS
Getsid will return a numeric SID that looks something like this:
S-1-5-21-3475798998-36396922571-9412747344-3157
You would then enter the following SDDL string into Group Policy in the Define IPSec
Peers to be exempted from firewall policy text box:
O:DAG:DAD:(A;;RCGW;;;S-1-5-21-3475798998-36396922571-9412747344-3157)
To enter multiple computers or groups of computers, use a single SDDL string with the
following syntax:
O:DAG:DAD:(A;;RCGW;;;<SID1>)(A;;RCGW;;;<SID2>)(A;;RCGW;;;<SID3>)...
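The SDDL string is easy to get subtly wrong by hand (a stray space, a missing parenthesis, a mistyped SID), and a malformed string silently fails to exempt the peers you intended. The following helper, added here as an illustration and not taken from the book or from Microsoft's tooling, builds the bypass string from a list of SIDs and parses an existing string back into its SIDs, rejecting anything that does not match the O:DAG:DAD:(A;;RCGW;;;<SID>) shape described above. The SID values other than the book's own example are constructed for the demonstration.

```python
import re

# Shape of the string the Allow Authenticated IPSec Bypass setting expects:
# owner DA, group DA, then a DACL made only of (A;;RCGW;;;<SID>) allow ACEs.
PREFIX = "O:DAG:DAD:"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACE_RE = re.compile(r"\(A;;RCGW;;;(S-1-\d+(?:-\d+)+)\)")


def build_bypass_sddl(sids):
    """Build the bypass SDDL string for one or more computer/group SIDs.

    Each SID becomes one (A;;RCGW;;;<SID>) ACE in a single DACL, which is the
    multi-peer syntax shown in the text. Malformed or duplicate SIDs raise
    ValueError so a bad entry is caught before it is pasted into Group Policy.
    """
    if not sids:
        raise ValueError("at least one SID is required")
    seen = set()
    aces = []
    for sid in sids:
        sid = sid.strip()
        if not SID_RE.match(sid):
            raise ValueError(f"not a valid SID string: {sid!r}")
        if sid in seen:
            raise ValueError(f"duplicate SID: {sid}")
        seen.add(sid)
        aces.append(f"(A;;RCGW;;;{sid})")
    return PREFIX + "".join(aces)


def parse_bypass_sddl(sddl):
    """Return the list of exempted SIDs from a bypass SDDL string.

    The whole DACL body must be accounted for by well-formed allow ACEs, so
    whitespace, a truncated SID or an ACE with different rights is rejected
    instead of being silently ignored.
    """
    if not sddl.startswith(PREFIX):
        raise ValueError("SDDL must start with O:DAG:DAD:")
    body = sddl[len(PREFIX):]
    sids = ACE_RE.findall(body)
    if "".join(f"(A;;RCGW;;;{s})" for s in sids) != body:
        raise ValueError("DACL contains something other than (A;;RCGW;;;<SID>) entries")
    return sids


def is_valid_bypass_sddl(sddl):
    """True if the string round-trips cleanly through the parser."""
    try:
        return bool(parse_bypass_sddl(sddl))
    except ValueError:
        return False


if __name__ == "__main__":
    # The book's example SID plus a constructed second group SID.
    peers = ["S-1-5-21-3475798998-36396922571-9412747344-3157",
             "S-1-5-21-1000-2000-3000-1105"]
    sddl = build_bypass_sddl(peers)
    print(sddl)
    print(parse_bypass_sddl(sddl))
    # The spaced form that a copy-paste from a formatted document can produce.
    print(is_valid_bypass_sddl("O:DAG:DAD:(A;;RCGW;;; S-1-5-21-1000-2000-3000-1105 )"))
```

Run the parser over the value you are about to put in the "Define IPSec Peers to be exempted from firewall policy" box before applying the policy; once the policy is in place, the same parser can be pointed at the value read back from the GPO to confirm nothing was altered or, as the caution below warns, wiped.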
Caution: If you configure an SDDL in Group Policy and subsequently disable the Allow Authenticated
IPSec Bypass setting, the SDDL will be deleted.
See Also
Microsoft TechNet: “Help: Allow IPSec Traffic to Bypass Windows Firewall” (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/c7dd775d-00e9-4957-beba-3d82f1d829ad.mspx)