Microsoft KB Archive/313190

= How to use IPSec IP filter lists in Windows 2000 =

Article ID: 313190

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q313190



IN THIS TASK
SUMMARY
 * How to Create an IPSec Filter List
 * How to Create an IPSec Policy That Is Based on the Filter List



SUMMARY
You can secure network communications on Windows 2000-based computers if you use Internet protocol security (IPSec). IPSec is applied to communications based on IPSec policies. You can use IPSec policies to determine when you should use IPSec secure communications between computers. You can also use IPSec policies to control the packets that are allowed into and out of a computer's network interface.

IPSec policies are based on two elements:
 * IP filter lists

-and-
 * IP filter actions

An Internet protocol (IP) filter list is a list of protocols and folders. For example, you can create a filter list entry that allows all computers to gain access to TCP port 80 on the local interface. Another entry in the same filter list might allow access to TCP port 25 on the local interface, and a third filter list entry might allow access to User Datagram Protocol (UDP) port 53 on the local interface.

If a packet that arrives on the computer interface has a matching entry on the filter list, IPSec Policy Agent applies a filter action that you assign to the filter list. For example, if you assign a Block filter action to the above filter list. When you do this, any packet that is destined for TCP port 80, TCP port 25, or UDP port 53 is blocked. However, if you assign a Permit filter action to the above filter list, the packets that are destined for TCP port 80, TCP port 25, or UDP port 53 is allowed.

You can use IPSec filter lists and filter actions as an effective method of access control on all interfaces. Note that IPSec policies are applied to all interfaces on a multiple-homed computer. There is no procedure that you can use to allow selective application of IPSec policies to a particular interface.

Windows 2000 includes the following two default IP filter lists:
 * All ICMP traffic

-and-
 * All IP traffic

There are three default filter actions:
 * Permit

-and-
 * Request Security (Optional)

-and-
 * Require Security

back to the top

How to Create an IPSec Filter List
To create an IPSec filter list that applies to both inbound TCP port 80 and TCP port 25:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
 * 2) Click to expand Security Settings.
 * 3) Right-click IP Security Policies in the left pane, and then click Manage IP filter.
 * 4) Click the Manage IP Filter Lists tab in the Manage IP filter lists and filter actions dialog box, and then click Add.
 * 5) Type Inbound TCP 80 and 25 in the Name box, and then type Allows inbound traffic to TCP ports 80 and 25 in the Description box.
 * 6) Click to clear the Use Add Wizard check box, and then click Add to add a new filter list entry.
 * 7) Click the Addressing tab.
 * 8) Click Any IP Address in the Source address box.
 * 9) Click My IP Address in the Destination addressbox. This configuration indicates that the filter will be applied to inbound packets.
 * 10) Click to clear the Mirrored check box.
 * 11) Click the Protocol Tab.
 * 12) Click TCP in the Select a protocol type box.
 * 13) Click From any port, and then click To this port.
 * 14) In the To this port box, type 80.
 * 15) Click Apply, and then click OK.
 * 16) Click Add in the IP Filter List dialog box.
 * 17) Click the Addressing tab.
 * 18) Click Any IP Address in the Source address box.
 * 19) Click My IP Address in the Destination address box. This configuration indicates that the filter will be applied to inbound packets.
 * 20) Click to select the Mirrored check box. When you do this, a filter with the opposite source and destination IP address is created.
 * 21) Click the Protocol tab.
 * 22) Click TCP in the Select a protocol type box.
 * 23) Click From any port, and then click To this port.
 * 24) Type 25 in the To this port box.
 * 25) Click Apply, and then click OK.
 * 26) Click Close in the IP Filter List dialog box.

back to the top

How to Create an IPSec Policy That Is Based on the Filter List
To create an IPSec policy that is based on the filter list:
 * 1) Right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
 * 2) In the Welcome to the IP Security Policy Wizard, click Next.
 * 3) In the IP Security Policy Name dialog box, type Permit Inbound TCP 80 and 25 in the Name box, and then click Next.
 * 4) Click to clear the Activate the default response rule check box, and then click Next.
 * 5) In the Completing the IP Security Policy Wizard dialog box, click to select the Edit properties check box if it is not already selected, and then click Finish.
 * 6) Click the Rules tab.
 * 7) Click to clear the Use Add Wizard check box, and then click Add.
 * 8) Click the IP Filter List tab.
 * 9) Click Option that is to the left of Inbound TCP 80 and 25 IP Filter List.
 * 10) Click the Filter Action tab.
 * 11) Click Option that is to the left of Permit.
 * 12) Click Apply, and then click OK.
 * 13) The Inbound TCP 80 and 25 Filter List check box is selected. Click Close.

The IPSec policy checks for packets that are destined for TCP port 80 and TCP port 25 on the local interface, and then matches those packets to the Permit filter action, which allows the packets through the interface.

NOTE: If you assign this policy, all traffic is allowed because there is no Deny rule that prevents other traffic. If you want to only allow traffic that you specified in the above policy, you must create a Deny rule that denies all traffic.

back to the top

