Authenticated Firewall Bypass

Authenticated bypass enables you to create rules for Windows Firewall with Advanced Security that block incoming traffic unless it is from a specified trusted computer or user. For example, an administrator might want to deploy firewall rules to computers on the network that do not have any subnet, IP address, or port-level exceptions. However, the administrator might also want to use an enterprise management and security program to scan and update those same computers. To reconcile these conflicting goals, the administrator can create and deploy connection security and firewall rules that require computer-based Kerberos version 5 authentication. With these rules and settings in place, the administrator can deploy Windows Firewall with no exceptions, but the scanning server can access all required ports on the clients. The use of authenticated bypass in this scenario eliminates the need for port-level exceptions.

There are two methods for configuring authenticated bypass rules: All authenticated IP traffic from approved computers bypasses Windows Firewall. This method uses connection security rules that specify computer-based authentication and a list of computers or groups of computers whose network traffic can bypass the firewall. This method is supported on computers that are running Windows® XP with Service Pack 2 (SP2) or later. Traffic that matches a firewall rule that uses the Allow connection if it is secure setting bypasses Windows Firewall. The rule can filter the traffic by IP address, port, or protocol. This method is supported on Windows Vista® or Windows Server® 2008.

To allow network traffic protected by IPsec through Windows Firewall by using the Windows Firewall with Advanced Security MMC snap-in Open the Windows Firewall with Advanced Security MMC snap-in. In the navigation pane, right-click Inbound Rules, and then select New rule. In the New Inbound Rule Wizard, configure the Rule Type, Program, Protocol and Ports, and Scope, according to the type of network traffic you want to allow to bypass the firewall. On the Action page, select Allow the connection if it is secure, select Override block rules, and then click Next. On the Users and Computers wizard page, select Only allow connections from these computers, click Add, and then select the computer or computer groups that you want to allow to bypass the firewall rules on this computer. Select Only allow connections from these users, click Add, and then select the user or user groups that you want to allow to bypass the firewall rules on this computer. NoteThis option works only if the computers support user-based authentication. User-based authentication is supported in Windows Vista and Windows Server 2008. Following the remaining steps in the wizard.

New Page