Windows Advanced Firewall – adding Authorized Computers breaks rule

ipsecwindows 7windows-firewallwindows-server-2008

How can adding a 'only allow connections to these computers' setting in an an otherwise working IPSec rule break connectivity?

Background:

I'm setting up a basic set of client rules that restrict outbound SMB access to only go to certain servers. Assume starting from a blacklist and needing to whitelist the desired communication.

The server side is set up and functioning as it should without any problems what so ever. Set up was configured using the legacy IPSec interface server side and with the windows advanced firewall client side.

First authentication is set to Kerberos (Computer) or computer certificate. Both sides use 'request inbound and outbound' for their authentication mode.

Both sides use a 'request ipsec' model as there may be non IPSec traffic passing to other devices.

The Windows Advanced Firewall rule on the client functions perfectly until I define the 'only allow connections to these computers' option.

A wireshark capture shows ISAKMP and ESP traffic and I'm seeing main mode and quick mode associations in the security association list.

EDIT:

Per the MS documentation I've enabled the following logging to debug my connection issue.

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable

This only indicates the given service – I tried both SMB and RDP – being blocked. I'm not seeing any other blocked traffic.

EDIT:

It looks like there is absolutely no traffic being passed to the server in question when I enable the SMB or RDP rule. Wireshark shows nothing. Looks like there was a case like this a couple years ago here but no resolution.

It appears that the Windows Filtering Platform is incorrectly blocking this traffic when it should be allowing it.

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID:     2468
Application Name:   \device\harddiskvolume1\windows\system32\mstsc.exe

Network Information:
Direction:      Outbound
Source Address:     192.168.20.54
Source Port:        49332
Destination Address:    192.168.100.50
Destination Port:       3389
Protocol:       6

Best Answer

just a few suggestions/questions for you (I have this same type of rule configuration working in my environment, so i'm curious to understand why it's not working)...

1) You mentioned that the client is using Windows Firewall with Advanced Security IPsec policy, but the server side is using legacy IPsec. Is the server running an older version of Windows or what was the reason for the legacy IPsec policy config? I'm not saying that this shouldn't work (as your trying to do machine auth, not user auth), but it may complicate things. Can the server also be configured with advanced security policy? Could you try against a server with advanced policy and Kerberos v5 computer auth to see what happens?

2) For your scenario to work, the IPsec connection MUST use a Kerberos V5 authentication (certificate authentications will not work!). You mentioned that your policy could allow certificate connections, so you might want to check your main mode security associations and ensure that they are really being established using Kerberos and not cert.

3) There are a few different ways to configure the 'only allow connections to these computers' setting on a firewall rule. The default requires your IPsec connection to be authenticated and integrity protected...whereas other settings allow you to ensure that it is also encrypted or that it is null encap (only authenticated, not integrity protected). If your client/server are Windows 7+ then you might want to try the null encapsulation option to see if that helps narrow the problem.

4) I'd usually recommend logs from WFP capture (netsh wfp capture start) to debug firewall dropped traffic, as that shows you the exact filter which dropped traffic. In this case though, the logs probably wont be very interesting as it's likely the default outbound block filter which is preventing your connection, due to the fact that you didn't match the secure allow rule (for some reason). The logs will show the connection being dropped, but won't explain why you didn't match the allow rule. Perhaps it's worth a try though... http://technet.microsoft.com/en-us/library/ff428146(v=ws.10).aspx

Related Solutions

Windows firewall blocks nearly all traffic after reboot

The registry changes outlined below have allowed the half dozen or so of my servers that it has been applied to so far boot without issues. While I'm not yet 100% sure that this is a solution - it was about 50/50 if a server would come up cleanly it does appear to have helped tremendously. Half a dozen servers with 3+ reboots each are acting normally.

Name: ChainUrlRetrievalTimeoutMilliseconds
Location: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Type: REG_DWORD
Decreasing the amount of time to allow CRL retrieval can significantly improve performance when internet access is poor or non-existent. Setting the value to 200 (milliseconds) may be a reasonable timeout.


Name: ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
Location: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Type: REG_DWORD
Decreasing the amount of time to allow all CRL retrievals can significantly improve performance when internet access is poor or non-existent. Setting the value to 500 (milliseconds) may be a reasonable timeout.

Background, why I think this is a fix

Several servers in our environment were exhibiting problems when rebooting having services come up. These services were mostly related to .NET in one fashion or another. They all came up with 7009 events. Some of the services on our problematic firewall servers also show this event id. Although a 7009 never came up for the firewall or base filtering service a timeout during the loading process - especially since it does sometimes load cleanly - seemed like a likely culprit.

These registry settings came from a technet blog, Configuring Exchange Servers Without Internet Access.

Windows 2008 R2 IPsec encryption in tunnel mode, hosts in same subnet

After a lot of investigation, and a support case with Microsoft, I have found an answer.

The trick is: don't create any Inbound or Outbound Rules for encryption. Only create a Connection Security Rule (for the tunnel). Then, set the IPsec defaults for the firewall to encrypt every IPsec-enabled connection.

Do the following on each end of the tunnel:

Create a Connection Security Rule:
- Endpoint 1: (local IP address), eg 172.16.11.20
- Endpoint 2: (remote IP address), eg 172.16.11.30
- Protocol: Any
- Authentication: Require inbound and outbound, Computer (Kerberos V5)
- IPsec tunnel:
  - Exempt IPsec protected connections
  - Local tunnel endpoint: Any
  - Remote tunnel endpoint: (remote IP address), eg 172.16.11.30
Force all IPsec connections to encrypt:
1. Open the main firewall properties (right click Windows Firewall with Advanced Security > Properties…)
2. In the IPsec Settings tab, under IPsec defaults, click Customize…
3. Under Data protection (Quick Mode), select Advanced, then click Customize…
4. Check the box for Require encryption for all connection security rules that use these settings.
5. Adjust any other settings (eg you may want to remove 3DES as a protocol), then OK your way out.

If you've previously created any Inbound/Outbound Rules for encryption, disable or delete them.

This works well. Its only disadvantage is that it forces encryption on every IPsec connection; you can no longer have a mix of encrypted and integrity-protected-only connections.

How do you know the traffic is really tunnelled (ie ESP is carrying IP payload instead of, eg, TCP)? You can verify this with the old IPsec MMC (IP Security Policy Management, or secpol.msc).

On one server, create a tunnel using the above instructions for WFAS.
On another server, create a tunnel using the "old" IPsec MMC.
These two should communicate without any trouble.
If you switch the "old" IPsec policy to transport mode (ie remove the tunnel), the connection will break. That is how you can tell the WFAS connection is really tunnelling.

Best Answer

Related Solutions

Windows firewall blocks nearly all traffic after reboot

Windows 2008 R2 IPsec encryption in tunnel mode, hosts in same subnet

Related Topic