local- or domain-configured IPSec policy or through a persistent IPSec policy configured via
netsh (see Recipe 7-17).
See Also
• Recipe 7-16 for configuring boot mode exemptions
• Recipe 7-17 for configuring a persistent IPSec policy
• Microsoft TechNet: “Creating, Modifying, and Assigning IPSec Policies” (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4f05f853-2eed-4ff8-b16f-e6228c050a6b.mspx)
7-16. Configuring Boot Mode Exemptions
Problem
You want to configure exemptions for IPSec startup protection so that, even when the IPSec driver starts in blocking mode, administrative or other troubleshooting utilities remain reachable.
Solution
The following commands configure the IPSec startup mode to blocking and add an exemption for inbound connections on TCP port 3389, which allows remote administration through Remote Desktop:
> netsh ipsec dynamic set config bootmode value=block
> netsh ipsec dynamic set config bootexemptions value=TCP:0:3389:Inbound
How It Works
If you configure the IPSec startup mode to block (see Recipe 7-15), the local computer drops all IP traffic until an IPSec policy is applied. This provides a high level of security, but if a problem prevents the policy from being applied, you can inadvertently cut off all communications with the computer in question. To guard against this, you can configure exemptions to the computer's startup protection using netsh.
The format for boot mode exemptions is as follows:
ProtocolType : SourcePort : DestinationPort : TrafficDirection
Use 0 to indicate a source or destination port of “all.” So to configure a boot mode exemption that allows inbound connections to TCP port 3389, use the following:
> netsh ipsec dynamic set config bootexemptions value=tcp:0:3389:inbound
For a boot mode exemption to allow outbound connections to TCP port 1433, use the following:
> netsh ipsec dynamic set config bootexemptions value=tcp:0:1433:outbound
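The exemption format above is easy to get subtly wrong (a missing field, a port out of range, a misspelled direction), and a mistyped value leaves the machine either unreachable or more exposed than intended. The following Python script, an added example rather than code from the book, parses an exemption string into its four fields, validates each one, flags an exemption that wildcards both ports (which exempts all traffic for that protocol and defeats the point of blocking mode), and emits the matching netsh command. It assumes only the TCP and UDP protocol names the recipe uses.

```python
"""Validate IPSec boot mode exemptions of the form
ProtocolType:SourcePort:DestinationPort:TrafficDirection and build the
netsh command for them.  Added example; not code from the book."""
from dataclasses import dataclass

PROTOCOLS = {"TCP", "UDP"}            # assumption: the protocols this recipe covers
DIRECTIONS = {"INBOUND", "OUTBOUND"}  # the two directions netsh accepts here


@dataclass(frozen=True)
class BootExemption:
    protocol: str
    src_port: int      # 0 means "all" source ports
    dst_port: int      # 0 means "all" destination ports
    direction: str

    def to_netsh(self) -> str:
        """Render the exemption as the netsh command shown in the recipe."""
        value = f"{self.protocol.lower()}:{self.src_port}:{self.dst_port}:{self.direction.lower()}"
        return f"netsh ipsec dynamic set config bootexemptions value={value}"

    def is_wildcard(self) -> bool:
        """True when both ports are 0, i.e. all traffic for the protocol is exempt."""
        return self.src_port == 0 and self.dst_port == 0


def parse_exemption(spec: str) -> BootExemption:
    """Split and validate one exemption string; raise ValueError on any defect."""
    parts = [p.strip() for p in spec.strip().split(":")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(parts)}: {spec!r}")
    proto, src, dst, direction = parts
    proto, direction = proto.upper(), direction.upper()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be Inbound or Outbound, got {direction!r}")
    ports = []
    for name, value in (("source", src), ("destination", dst)):
        # Ports are 0 (all) or 1-65535; isdigit() also rejects signs and blanks.
        if not value.isdigit() or int(value) > 65535:
            raise ValueError(f"{name} port must be 0 (all) or 1-65535, got {value!r}")
        ports.append(int(value))
    return BootExemption(proto, ports[0], ports[1], direction)


def is_valid(spec: str) -> bool:
    """Convenience wrapper: True if the exemption parses cleanly."""
    try:
        parse_exemption(spec)
        return True
    except ValueError:
        return False
```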