When you select Allow the connection if it is secure in a firewall rule, you are specifying that matching network packets must be protected by Internet Protocol security (IPsec); a packet that is not protected in the required way does not match the rule and is evaluated against the remaining rules (and is therefore blocked unless another rule allows it). If you click Customize next to that option, you can configure the options described here to specify the type of IPsec protection that is required.

The first three options (authenticated and integrity-protected, encrypted, and null encapsulation) are mutually exclusive; you must select exactly one of them. Allow the computers to dynamically negotiate encryption is a sub-option that is available only when Require the connection to be encrypted is selected. The last option, Override block rules, can be selected independently of the other options.

Allow the connection if it is authenticated and integrity-protected

This is the default option. Use this option to require that all matching network packets use both IPsec authentication and an integrity algorithm, as defined in a separate connection security rule (a firewall rule only requires IPsec; the connection security rule is what negotiates it). If a network packet that matches all other criteria is either not authenticated or not protected with an integrity algorithm, it does not match this rule and is blocked.

Note

This setting is supported when applied to computers running Windows Vista or later versions of Windows.

Require the connection to be encrypted

Use this option to require that all matching network packets use data encryption as defined in a separate connection security rule. If a network packet that matches all other criteria is not encrypted, it does not match this rule and is blocked. When this option is enabled, Windows Firewall with Advanced Security uses the encryption algorithms configured on the Customize Data Protection Settings dialog box (reached from the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box), so an authenticated but integrity-only packet no longer satisfies the rule.

Allow the computers to dynamically negotiate encryption

This option is available for inbound rules only. Use this option to allow the network connection, after authentication succeeds, to send and receive unencrypted network traffic while the encryption algorithms are still being negotiated, rather than discarding those packets.

Security Note

While encryption is being negotiated, the network traffic is sent as clear text. Do not specify this option if the network traffic sent over the connection during this period is too sensitive for plain text transmission.

Allow the connection to use null encapsulation

Use this option to require that all matching network packets use IPsec authentication, but do not require integrity or encryption protection. Because neither ESP nor AH is applied, the peer is authenticated but the individual packets are not protected: they can be read, altered or replayed in transit. We recommend that you use this option only when you have network equipment or software that is not compatible with either the Encapsulating Security Payload (ESP) or Authentication Header (AH) protocols.

Note

This setting is supported when applied to computers running Windows 7 or Windows Server 2008 R2. It does not apply to computers running earlier versions of Windows.
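The three protection levels above, expressed as firewall rules with the NetSecurity module cmdlets (Windows 8, Windows Server 2012 and later), together with the connection security rule that actually negotiates IPsec. This is an added example, not code from the original page; the rule names, ports and the Domain profile are assumptions chosen for illustration.

```powershell
# Added example: mapping the "Customize Allow if Secure Settings" radio buttons
# to New-NetFirewallRule parameters. Rule names, ports and profile are assumed.

# A firewall rule only *requires* IPsec; a connection security rule must exist
# to negotiate it. This one requires authenticated inbound traffic and requests
# it outbound, using the machine's default Phase 1 authentication set
# (computer Kerberos V5 in a default domain configuration).
New-NetIPsecRule -DisplayName "Example - domain isolation" -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request

# 1) "Allow the connection if it is authenticated and integrity-protected"
#    (the default): authentication plus integrity, encryption not required.
New-NetFirewallRule -DisplayName "Example - SMB, authenticated" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 445 -Profile Domain `
    -Authentication Required -Encryption NotRequired

# 2) "Require the connection to be encrypted": an authenticated but
#    integrity-only packet does not match and falls through to other rules.
New-NetFirewallRule -DisplayName "Example - RDP, encrypted" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 -Profile Domain `
    -Authentication Required -Encryption Required

# 2a) Same, with "Allow the computers to dynamically negotiate encryption".
#     Inbound rules only: clear text is accepted after authentication while
#     the encryption algorithms are still being negotiated.
New-NetFirewallRule -DisplayName "Example - RDP, dynamic encryption" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 -Profile Domain `
    -Authentication Required -Encryption Dynamic

# 3) "Allow the connection to use null encapsulation": peer authenticated,
#    but no AH/ESP header, so no per-packet integrity or confidentiality.
New-NetFirewallRule -DisplayName "Example - legacy app, null encapsulation" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 8080 -Profile Domain `
    -Authentication NoEncap

# Read back what each rule actually requires; this is the same information the
# Customize dialog shows, and is what to audit on a fleet.
foreach ($rule in Get-NetFirewallRule -DisplayName "Example - *") {
    $sec = $rule | Get-NetFirewallSecurityFilter
    "{0,-45} Auth={1,-11} Enc={2,-11} Override={3}" -f $rule.DisplayName,
        $sec.Authentication, $sec.Encryption, $sec.OverrideBlockRules
}
```

The readback loop is the check worth keeping: a rule whose Authentication column reads NotRequired is an ordinary allow rule, whatever its display name suggests, and a rule with Encryption set to Dynamic will pass clear text for the negotiation window described under the Security Note.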

Override block rules

Use this option to allow network packets that match this firewall rule to override any block firewall rules. This option is referred to as authenticated bypass. Normally, rules that explicitly block connections have priority over rules that allow connections. If you use this option, the connection is allowed even if another rule would block it. You are effectively stating that network traffic that matches this rule is allowed because IPsec has authenticated it as coming from an authorized and trusted user or computer; the authorization list on the Computers page is therefore the only thing standing between that traffic and every block rule on the host.

This option is typically used to allow trusted programs, such as network vulnerability scanners and other networking tools, to run without restrictions. Although a typical firewall configuration does and should block network traffic from such tools, you can create a rule that identifies the authorized computers they run on. The Override block rules option allows traffic from these authorized computers only. If you do not use this option, any block firewall rules that match the same firewall rule criteria take precedence, and the connections are blocked.

If you select this option, you must specify at least one computer or computer group for authorization on the Computers page of the New Firewall Rule wizard or the Computers tab of the Firewall Rule Properties dialog box.

Note

If you configure the firewall operational state to Block all connections on the Windows Firewall with Advanced Security Properties dialog box, then all network traffic is blocked even if this option is set.
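An authenticated-bypass rule for a vulnerability scanner, restricted to one authorized computer group, followed by the two checks a practitioner would run before trusting it: that the bypass is really scoped to authorized computers, and that the profile is not in the Block all connections state described in the Note above. This is an added example, not code from the original page; the group name CONTOSO\VulnScanners, the placeholder SID and the rule name are assumptions. It uses the NetSecurity module (Windows 8, Windows Server 2012 and later).

```powershell
# Added example: authenticated bypass ("Override block rules") scoped to one
# computer group. Group name, SID and rule name are assumed placeholders.

# Override block rules requires at least one authorized computer. -RemoteMachine
# takes an SDDL string; build it from the group's SID. Falls back to a
# placeholder SID if the assumed domain group cannot be resolved offline.
$group = [System.Security.Principal.NTAccount]"CONTOSO\VulnScanners"
try {
    $sid = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    $sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # placeholder SID
}
# One ACE granting CC (match) to that SID; nothing else is authorized.
$authorizedMachines = "O:LSD:(A;;CC;;;$sid)"

# Inbound, all protocols and ports (a scanner needs them), but only over
# authenticated and encrypted IPsec and only from members of the group.
# Without -OverrideBlockRules this allow rule would lose to any matching block.
New-NetFirewallRule -DisplayName "Example - scanner authenticated bypass" `
    -Direction Inbound -Action Allow -Profile Domain `
    -Authentication Required -Encryption Required `
    -OverrideBlockRules $true -RemoteMachine $authorizedMachines

# Check 1: the bypass is scoped. RemoteMachine reads "Any" when no computer
# authorization is set, which would let every IPsec-authenticated host bypass
# all block rules.
$sec = Get-NetFirewallRule -DisplayName "Example - scanner authenticated bypass" |
    Get-NetFirewallSecurityFilter
if ($sec.OverrideBlockRules -and $sec.RemoteMachine -eq "Any") {
    Write-Warning "Authenticated bypass is not restricted to authorized computers."
}

# Check 2 (the Note above): Block all connections on the profile overrides this
# rule entirely. In NetSecurity terms that state is AllowInboundRules = False.
$domainProfile = Get-NetFirewallProfile -Profile Domain
if (-not $domainProfile.AllowInboundRules) {
    Write-Warning "Domain profile blocks all inbound connections; the bypass rule is ignored."
}
```

Keep the bypass rule's IPsec requirement at least as strict as the rules it overrides; an override rule that accepts null encapsulation would let anyone who can obtain a Kerberos ticket for an authorized machine reach every port on the host.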
