Use the settings on this tab of the Connection Security Rule Properties dialog box to specify the computers that can participate in connections protected by this connection security rule. The connection security rule applies to communications between any computer in Endpoint 1 and any computer in Endpoint 2. If the local computer has an IP address that is included in one of the endpoint definitions, then it can send and receive network packets through this connection to computers that are listed as part of the other endpoint. An endpoint can consist of a single computer or a group of computers, defined by an IP address, an IP subnet address, an IP address range, or a predefined set of computers identified by role: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses.

The following figure shows the components that you can configure by using this tab.

To get to this tab
  1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.

  2. Right-click the rule you want to modify, and then click Properties.

  3. Click the Computers tab.

Endpoint 1

Endpoint 1 is the collection of computers at the local end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 2. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 1 is set to Any IP address. If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 1 consists of the IP addresses of the computers on the private network behind the local tunnel endpoint (the gateway).

Any IP address

Select this option to specify that Endpoint 1 includes any computer that needs to communicate with a computer that is in Endpoint 2. Any network traffic to or from a computer in Endpoint 2 matches this rule and is subject to its authentication requirements.

These IP addresses

Select this option to specify the IP addresses of the computers that make up Endpoint 1. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.

Endpoint 2

Endpoint 2 is the collection of computers at the remote end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 1. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 2 consists of the IP addresses of the computers on the private network behind the remote tunnel endpoint (the gateway). If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 2 is set to Any IP address.

Any IP address

Select this option to specify that Endpoint 2 includes any computer that needs to communicate with a computer in Endpoint 1. Any network traffic to or from a computer in Endpoint 1 matches this rule and is subject to its authentication requirements.

These IP addresses

Select this option to specify the IP addresses of the computers that make up Endpoint 2. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.
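The same Endpoint 1 / Endpoint 2 settings can be created, edited and audited from PowerShell. The following is an added example, not part of this help page and not Microsoft's own sample; it assumes the NetSecurity module cmdlets (New-NetIPsecRule, Get-NetIPsecRule, Get-NetFirewallAddressFilter, Set-NetFirewallAddressFilter), which ship with Windows 8 / Windows Server 2012 and later, whereas the tab described above belongs to the MMC snap-in. Endpoint 1 corresponds to -LocalAddress and Endpoint 2 to -RemoteAddress; the rule name, subnets and gateway address are constructed placeholders.

```powershell
# Added example: PowerShell equivalent of the Computers tab.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later).
# All names and addresses are constructed placeholders.

# Address values accept the same forms as the IP Address dialog box:
#   single address        10.20.5.7
#   subnet                10.20.0.0/16
#   range                 10.20.5.10-10.20.5.50
#   predefined set        Any, LocalSubnet, DefaultGateway, DHCP, DNS, WINS

# Client-to-Gateway tunnel: Endpoint 1 is Any IP address, Endpoint 2 is the
# private network behind the remote tunnel endpoint (the gateway).
New-NetIPsecRule -DisplayName 'Example Client-to-Gateway tunnel' `
    -Mode Tunnel `
    -LocalAddress Any `
    -RemoteAddress 10.20.0.0/16 `
    -LocalTunnelEndpoint Any `
    -RemoteTunnelEndpoint 203.0.113.10 `
    -InboundSecurity Require `
    -OutboundSecurity Require `
    -Enabled False          # created disabled; enable after review

# Equivalent of selecting an entry and clicking Edit: narrow Endpoint 2 to a
# single range instead of the whole /16.
Get-NetIPsecRule -DisplayName 'Example Client-to-Gateway tunnel' |
    Get-NetFirewallAddressFilter |
    Set-NetFirewallAddressFilter -RemoteAddress 10.20.5.10-10.20.5.50

# Audit helper: list Endpoint 1 / Endpoint 2 for every connection security rule
# and flag rules where both endpoints are Any, which match all traffic.
function Get-IPsecRuleEndpoints {
    param([string]$DisplayName = '*')

    Get-NetIPsecRule -DisplayName $DisplayName | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $ep1  = @($addr.LocalAddress)  -join ', '
        $ep2  = @($addr.RemoteAddress) -join ', '
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Mode      = $_.Mode
            Enabled   = $_.Enabled
            Endpoint1 = $ep1
            Endpoint2 = $ep2
            BothAny   = ($ep1 -eq 'Any' -and $ep2 -eq 'Any')
        }
    }
}

Get-IPsecRuleEndpoints | Format-Table -AutoSize

# Remove the example rule (equivalent of deleting it in the snap-in).
Remove-NetIPsecRule -DisplayName 'Example Client-to-Gateway tunnel'
```

Run from an elevated PowerShell session. The BothAny column is the check worth keeping in a review script: a rule whose Endpoint 1 and Endpoint 2 are both Any IP address applies its authentication requirement to every connection the computer makes, which is usually intended only for domain-isolation rules.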

Additional references