Configure the IPsec Gateway Server

Updated: July 22, 2010

Applies To: Windows Server 2008 R2

In this procedure, you configure the Internet Protocol security (IPsec) gateway server to act only as the IPsec tunnel endpoint and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router and modify Group Policy settings for the new dual-server configuration.

Before performing this procedure, you should have determined the public IPv6 address that is assigned to the intra-server subnet interface on the IPsec gateway server (PublicIpv6AddressOfIPsecGWServerSubnetInterface). For more information, see Configure the Intra-Server Subnet.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify IPv6 and Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure the IPsec gateway server

  1. On the IPsec gateway server, start a command prompt as an administrator.

  2. In the Command Prompt window, type the netsh interface ipv6 show interfaces command.

    This command lists the interfaces and their interface indexes. Note the indexes of the Teredo, 6to4, and IP-HTTPS interfaces; they replace the TeredoInterfaceIndex and 6to4InterfaceIndex placeholders in the next step.

  3. In the Command Prompt window, type the following commands:

    netsh interface ipv6 set teredo default

    netsh interface ipv6 set interface TeredoInterfaceIndex forwarding=disabled

    netsh interface 6to4 set state default

    netsh interface ipv6 set interface 6to4InterfaceIndex forwarding=disabled

    netsh interface ipv6 set interface IPHTTPSInterface forwarding=disabled advertise=disabled

    netsh interface httpstunnel add interface state=default

  4. On a domain controller, start a command prompt as an administrator.

  5. In the Command Prompt window, type the following commands:

    netsh advfirewall set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"

    netsh advfirewall consec set rule name="DirectAccess Policy-ClientToCorp" new remotetunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface

    netsh advfirewall consec set rule name="DirectAccess Policy-ClientToDnsDc" new remotetunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface

    netsh advfirewall consec set rule name="DirectAccess Policy-ClientToMgmt" new remotetunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface

    netsh advfirewall set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"

    netsh advfirewall consec set rule name="DirectAccess Policy-DaServerToMgmt" new localtunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface

    netsh advfirewall consec set rule name="DirectAccess Policy-DaServerToCorp" new localtunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface

    netsh advfirewall consec set rule name="DirectAccess Policy-DaServerToDnsDc" new localtunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface
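The following PowerShell script is an added example, not code from the original page: it carries out steps 2 and 3 on the IPsec gateway server by reading the Teredo, 6to4, and IP-HTTPS interface indexes from netsh output instead of typing them by hand, running the step 3 commands in one netsh session from a script file, and then checking that forwarding is actually disabled on each interface. The interface display-name patterns and the exact layout of the netsh output are assumptions for Windows Server 2008 R2; adjust them if your interfaces are named differently.

```powershell
# Added example (run elevated on the IPsec gateway server). Not part of the original page.
# Assumption: display names on Windows Server 2008 R2 start with "Teredo", "6TO4" and
# are exactly "IPHTTPSInterface" (the name the procedure itself uses).
$patterns = @{ Teredo = 'Teredo*'; SixToFour = '6TO4*'; IpHttps = 'IPHTTPSInterface' }

function Get-Ipv6InterfaceIndex([string]$NamePattern) {
    # Assumed row layout of "netsh interface ipv6 show interfaces":
    # "  12    50  1280  connected  Teredo Tunneling Pseudo-Interface"
    foreach ($row in (netsh interface ipv6 show interfaces)) {
        if ($row -match '^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$' -and $Matches[2] -like $NamePattern) {
            return [int]$Matches[1]
        }
    }
    throw "No IPv6 interface matching '$NamePattern' was found."
}

function Test-ForwardingDisabled([int]$Index) {
    # "netsh interface ipv6 show interface <idx>" prints a "Forwarding : disabled|enabled" line
    $detail = netsh interface ipv6 show interface $Index
    return [bool]($detail -match '^\s*Forwarding\s*:\s*disabled')
}

$teredoIdx    = Get-Ipv6InterfaceIndex $patterns.Teredo
$sixToFourIdx = Get-Ipv6InterfaceIndex $patterns.SixToFour
$ipHttpsIdx   = Get-Ipv6InterfaceIndex $patterns.IpHttps

# Step 3 as a netsh script file: one command per line without the "netsh" prefix,
# executed by "netsh -f" inside a single netsh session.
$netshScript = @"
interface ipv6 set teredo default
interface ipv6 set interface $teredoIdx forwarding=disabled
interface 6to4 set state default
interface ipv6 set interface $sixToFourIdx forwarding=disabled
interface ipv6 set interface $ipHttpsIdx forwarding=disabled advertise=disabled
interface httpstunnel add interface state=default
"@
$scriptPath = Join-Path $env:TEMP 'da-gateway-step3.txt'
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII
netsh -f $scriptPath

# Verification: the gateway must not route between the transition interfaces.
$check = @{ 'Teredo' = $teredoIdx; '6to4' = $sixToFourIdx; 'IP-HTTPS' = $ipHttpsIdx }
foreach ($entry in $check.GetEnumerator()) {
    $state = if (Test-ForwardingDisabled $entry.Value) { 'forwarding disabled' } else { 'FORWARDING STILL ENABLED' }
    Write-Output ("{0} (index {1}): {2}" -f $entry.Key, $entry.Value, $state)
}
```

Run the script once after completing step 1; any line that reports FORWARDING STILL ENABLED means the corresponding set interface command did not take effect and step 3 should be repeated for that interface.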
