Choosing a Connection Security Rule Type

Applies To: Windows Server 2008

Choosing a connection security rule type

You can use the New Connection Security Rule wizard to create rules for the way in which Windows Firewall with Advanced Security authenticates the computers and users that match the rule criteria. Windows Firewall with Advanced Security uses Internet Protocol security (IPsec) to protect traffic using the settings in these rules.

IPsec also provides authentication, data integrity, and data privacy (encryption) according to the profile defaults configured on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.


Connection security rules determine only how authentication takes place for allowed connections; they do not allow a connection. However, if you configure the connection security rule to require authentication, the rule will deny the connection if authentication fails. To allow a connection, you must create an inbound or outbound firewall rule.

The wizard provides four predefined types of rules. You can also create a custom rule that you can configure to suit your security needs.


As a best practice, give connection security rules a unique name. Unique names makes management using the netsh commands much easier.


An isolation rule restricts connections based on authentication criteria that you define. For example, you can use this rule type to isolate computers in your domain from computers outside your domain, such as computers on the Internet or another domain.

Authentication exemption

You can use this rule type to exempt specific computers or a group or range of IP addresses (computers) from being required to authenticate themselves, regardless of other connection security rules. This rule type is commonly used to grant access to infrastructure computers that this computer must communicate with before authentications can be performed. It is also used for other computers that cannot use the form of authentication you configured for this policy and profile.

Infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or DHCP servers, might be allowed to communicate with this computer before authentication can be performed.

To create an authentication exemption rule, you only need to specify the computers or a group or range of IP addresses (computers) and give the rule a name and description (optional).


Although the computers are exempt from authentication, they might still be blocked by the firewall unless a firewall rule is created to allow them to connect.


Use this rule type to authenticate the communications between two specific computers, between two groups of computers, between two subnets, or between a specific computer and a group of computers or a subnet. You might use this rule to authenticate the traffic between a database server and a business-layer computer, or between an infrastructure computer and another server.


Use this rule type to secure communications traveling between two peer computers through tunnel endpoints, such as virtual private networking (VPN) or IPsec Layer Two Tunneling Protocol (L2TP) tunnels.


Use this rule type to create a rule that requires special settings.

Additional references

Connection Security Rules