Use the settings on this wizard page to specify how authentication is applied to inbound and outbound connections that match this connection security rule. If you request authentication, then the connection is allowed even if authentication fails. If you require authentication, then the connection is dropped if authentication fails.

Use the Authentication Method page of the wizard to configure the credentials used for authentication.

Some of the following options appear only when you are configuring certain rule types.

To get to this wizard page
  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

  2. Click Next until you reach the Requirements page.

Request authentication for inbound and outbound connections

Select this option to specify that all inbound and outbound traffic is authenticated if possible, but that the connection is allowed if authentication fails. Because an unauthenticated peer is still allowed to connect, this option provides no enforcement on its own; it is a compatibility and rollout setting, not a security boundary. This option is typically used in either a low-security environment or an environment with computers that must be able to connect, but cannot perform the types of authentication available with Windows Firewall with Advanced Security, or while IPsec is being deployed and tested before switching to a Require option. In a server and domain isolation environment, this option is typically used for computers that are in the boundary zone.

Require authentication for inbound connections and request authentication for outbound connections

Select this option to require that all inbound traffic is authenticated. If inbound traffic fails authentication, then the connection is blocked. Outbound traffic is authenticated if possible, but the traffic is allowed if authentication fails. This option is most often used in IT environments in which the computers that must be able to connect can perform the types of authentication available with Windows Firewall with Advanced Security. In a server and domain isolation environment, this option is typically used for client computers that are part of the main isolation zone in the domain.

Require authentication for inbound and outbound connections

Use this option to require that all inbound and outbound traffic is authenticated. If any network traffic fails authentication, then it is blocked. This option is typically used in higher-security IT environments where traffic flow must be secured and controlled and where the computers that must be able to connect can perform the types of authentication available with Windows Firewall with Advanced Security. In a server and domain isolation environment, this option is typically used for servers in the main isolation zone in the domain.

Require authentication for inbound connections. Do not establish tunnels for outbound connections

Use this option when creating a tunnel mode rule on a computer that serves as a tunnel endpoint for remote clients, to specify that the tunnel applies only to inbound network traffic from the clients. The server can make outbound connections that are not affected by this rule.

Note

This option appears only when you select Tunnel on the Rule Type page and either Custom configuration or Gateway-to-client on the Tunnel Type page.

Do not authenticate

Use this option to create an authentication exemption rule for connections to computers that do not require Internet Protocol security (IPsec) protection. Scope an exemption rule to the specific addresses that need it, typically the infrastructure hosts (such as DHCP, DNS, and domain controllers) that a computer must reach before it can authenticate at all; an exemption rule with unrestricted endpoints exempts every connection from the authentication that your other connection security rules require.

Note

This option appears when you select Custom on the Rule Type page or when you select Tunnel on the Rule Type page, and then select either Custom or Client-to-gateway on the Tunnel Type page.
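The same authentication requirements can be created from PowerShell instead of the wizard. The following is an added example, not part of the original page: it creates one rule for each of the three main options above (request/request, require/request, require/require), plus an authentication exemption rule corresponding to Do not authenticate. The machine Kerberos authentication set, the rule names, and the 10.0.0.10 and 10.0.0.11 addresses are assumptions for illustration; InboundSecurity and OutboundSecurity take the values Request, Require, and None, which map to the wizard's options.

```powershell
# Added example (not from the original page): creating connection security rules
# with each authentication requirement from PowerShell, equivalent to the wizard.
# Assumptions: domain-joined computers, machine Kerberos as the authentication
# method, and placeholder rule names and addresses.

# Authentication method (what the wizard's Authentication Method page configures):
# machine Kerberos, packaged as a Phase 1 authentication set.
$kerbProposal  = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Machine Kerberos (example)" -Proposal $kerbProposal

# 1. Request authentication for inbound and outbound connections (boundary zone).
#    Unauthenticated peers are still allowed to connect.
New-NetIPsecRule -DisplayName "Boundary zone - request in, request out" `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $phase1AuthSet.Name -Profile Domain

# 2. Require authentication for inbound, request for outbound (isolation-zone clients).
New-NetIPsecRule -DisplayName "Isolation zone clients - require in, request out" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1AuthSet.Name -Profile Domain

# 3. Require authentication for inbound and outbound connections (isolation-zone servers).
New-NetIPsecRule -DisplayName "Isolation zone servers - require in, require out" `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1AuthSet.Name -Profile Domain

# Authentication exemption ("Do not authenticate"). Scoped to the infrastructure
# hosts a computer must reach before it can authenticate; the addresses are placeholders.
New-NetIPsecRule -DisplayName "Exempt DNS/DHCP/DC (example)" `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress 10.0.0.10, 10.0.0.11 -Profile Domain
```

Run these in an elevated PowerShell session on the computer the rules should apply to. Rules created without a -Phase1AuthSet use the computer's default IPsec authentication settings instead of the set defined here.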

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the authentication requirements for this rule, click the Authentication tab.
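The Authentication tab of the Properties dialog has a PowerShell equivalent. The following added example (not from the original page) shows how to read a rule's current requirement, tighten it to require authentication in both directions, see which authentication method it uses, and then confirm that peers are actually negotiating IPsec. The rule name is a placeholder for a rule you created earlier.

```powershell
# Added example (not from the original page): inspecting and changing the
# authentication requirement of an existing connection security rule from
# PowerShell, equivalent to the Authentication tab in the Properties dialog.
# The rule name below is a placeholder.

$ruleName = "Isolation zone clients - require in, request out"

# Current requirement: InboundSecurity / OutboundSecurity are Request, Require or None,
# matching the wizard's options. Mode shows whether it is a transport or tunnel rule.
Get-NetIPsecRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity

# Change to "Require authentication for inbound and outbound connections".
Set-NetIPsecRule -DisplayName $ruleName -InboundSecurity Require -OutboundSecurity Require

# Which authentication method (Phase 1 authentication set) the rule uses.
Get-NetIPsecRule -DisplayName $ruleName | Get-NetIPsecPhase1AuthSet |
    Select-Object DisplayName, Proposal

# After switching to Require, a connection that still works must have negotiated
# IPsec: list the main mode security associations to confirm peers are authenticating.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

Check the security associations before and after the change. If a peer that is expected to connect has no main mode SA after the rule requires authentication, its traffic is being dropped, which is the intended behaviour of Require but a common surprise for hosts that were only ever reachable under a Request option.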
