Window Server 2008

February 14, 2008

Windows Firewall with Advanced Security and IPsec

Filed under: Networking — admin @ 12:57 pm

Windows Firewall with Advanced Security is an advanced interface for IT professionals to use to configure both Windows Firewall and Internet Protocol security (IPsec) settings for the computers on their networks. Windows Firewall with Advanced Security is not for home users or for users that are not familiar with advanced firewall or IPsec technologies.

 
Note:

This topic describes the documentation currently available for Windows Firewall with Advanced Security in Windows Vista® and Windows Server® 2008. Additional documentation is in development, so check back periodically to see what has been added.

Your feedback is valuable. Please send your comments and suggestions to “Windows Vista and Windows Server 2008 Feedback” at vistafb@microsoft.com, with a subject of “Feedback on IPsec and Firewall Documentation”.

Installed Help

Installed Help is available when you open any of the following Microsoft Management Consoles (MMCs), and then press F1: Windows Firewall with Advanced Security, IP Security Policies, and IP Security Monitor. The installed Help provides information about how to use and configure Windows Firewall with Advanced Security and IPsec.

Windows Firewall with Advanced Security Help

The Authfw.chm file is installed with Windows Vista and Windows Server 2008. It is displayed when you open the Windows Firewall with Advanced Security MMC snap-in and press F1. The contents of this Help file are also available on the Web at http://go.microsoft.com/fwlink/?linkid=108253.

Creating and Using IPsec Policies

The Ipsecpolicy.chm file is installed with Windows Vista and Windows Server 2008. It is displayed when you open the IP Security Policies MMC snap-in and press F1. The contents of this Help file are also available on the Web at http://go.microsoft.com/fwlink/?linkid=108254.

 
Monitoring IPsec

The Ipsecmonitor.chm file is installed with Windows Vista and Windows Server 2008. It is displayed when you open the IP Security Monitor MMC snap-in and press F1. The contents of this Help file are also available on the Web at http://go.microsoft.com/fwlink/?linkid=108255.

 
Product Evaluation

Product Evaluation documents are designed to help you learn about the technology and some of the ways the technology is commonly used.

Getting Started with Windows Firewall with Advanced Security

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=64343

Although typical end-user configuration of Windows Firewall still takes place through the Windows Firewall program in Control Panel, advanced configuration now takes place in the Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security. This snap-in provides an advanced interface not only for configuring Windows Firewall locally but also for configuring Windows Firewall on remote computers by using Group Policy. Firewall settings are now integrated with Internet Protocol security (IPsec) settings, allowing for some synergy: the firewall can now allow traffic based on whether the traffic is secured by IPsec.

Introduction to Server and Domain Isolation with Microsoft Windows

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=64344

By using the Windows operating systems, you can mitigate some of the risks associated with unauthorized and potentially unfriendly access to your network and its resources by creating an isolated network. By using Active Directory® Domain Services and Group Policy settings, you can isolate both your domain and servers that store sensitive data, thus limiting access to only authenticated and authorized users.

Server Isolation with Microsoft Windows Explained

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=94793

This white paper provides a detailed overview of server isolation. It explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation.

Domain Isolation with Microsoft Windows Explained

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=94632

This white paper provides a detailed overview of domain isolation. It explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation.

Design and Deployment

Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security

Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkID=102503

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?linkid=96318

This step-by-step guide illustrates how to deploy Active Directory® Group Policy objects (GPOs) to configure Windows Firewall with Advanced Security in Windows Vista® and Windows Server® 2008. You get hands-on experience in a lab environment using Group Policy Management tools to create and edit GPOs that implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios.

Troubleshooting

Troubleshooting documentation is designed to help you solve problems that arise when you try to deploy, manage, or use the technology.

Windows Firewall with Advanced Security - Diagnostics and Troubleshooting Tools

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=64382

This article describes how Windows Firewall with Advanced Security works, describes the common troubleshooting situations, and specifies which tools you can use for troubleshooting.

Windows Firewall with Advanced Security Event Messages

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=96306

These pages describe some of the Event Log messages that can be generated by Windows Firewall with Advanced Security. Each event message is explained along with probable causes, and includes recommended steps to resolve the problem the message represents.

Other Information

Documentation for previous versions of Windows

• More information about the Windows Firewall available in previous versions of Windows can be found at http://go.microsoft.com/fwlink/?linkid=95393.
• More information about IPsec available in previous versions of Windows can be found at http://go.microsoft.com/fwlink/?linkid=95394.
• More information about using IPsec for Server and Domain Isolation in previous versions of Windows can be found at http://go.microsoft.com/fwlink/?linkid=95395.

Network Shell (Netsh)

Filed under: Networking — admin @ 12:57 pm

Network shell (netsh) is a command-line utility that allows you to configure and display the status of various network communications server roles and components after they are installed on computers running Windows Server® 2008.

Some client technologies, such as Network Access Protection (NAP) client and Dynamic Host Configuration Protocol (DHCP) client, also provide netsh commands that allow you to configure client computers running Windows Vista®.

In most cases, netsh commands provide the same functionality that is available when using the Microsoft Management Console (MMC) snap-in for each server role or component. For example, you can configure Network Policy Server (NPS) by using either the NPS MMC snap-in or the netsh commands in the netsh nps context.

In addition, there are netsh commands for network technologies, such as for IPv6, network bridge, and remote procedure call (RPC), that are not available in Windows as an MMC snap-in.

Network Shell (Netsh) Technical Reference

The Netsh Technical Reference provides a comprehensive netsh command reference, including syntax, parameters, and examples for netsh commands. You can use the Netsh Technical Reference to build scripts and batch files by using netsh commands for local or remote management of network technologies on computers running Windows Server 2008.

Content availability

This content is not yet available.

Foundation Network Guides

Filed under: Networking — admin @ 12:56 pm

Windows Server 2008 Foundation Network Guide and Companion Guides

The Windows Server® 2008 Foundation Network Guide provides instructions for planning and deploying the components required for a fully functioning network and a new Active Directory® domain in a new forest.

Companion guides are also available to help you add new network functionality and features to the network you deployed with the Foundation Network Guide.

Windows Server 2008 Foundation Network Guide

Using this guide, you can deploy computers configured with the following Windows server components:

• The Active Directory Domain Services (AD DS) server role
• The Domain Name System (DNS) server role
• The Dynamic Host Configuration Protocol (DHCP) server role
• The Network Policy Server (NPS) role service of the Network Policy and Access Services server role
• The Windows Internet Name Service (WINS) feature
• TCP/IP connections on individual servers

Content availability

This content is available for download at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).

Foundation Network Companion Guide: Deploying Server Certificates

This companion guide to the Foundation Network Guide provides instructions for deploying server certificates with Active Directory Certificate Services (AD CS) and autoenrolling server certificates to computers running Network Policy Server (NPS) and the Routing and Remote Access service.

You can use server certificates to allow client computers to authenticate servers running NPS and Routing and Remote Access when you deploy the following authentication methods for network access authentication:

• Extensible Authentication Protocol with Transport Layer Security (EAP-TLS). This authentication method also requires the deployment of user and client computer certificates.
• Protected EAP with TLS (PEAP-TLS). This authentication method also requires the deployment of user and client computer certificates.
• PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2). This authentication method does not require the deployment of user and client computer certificates.

Guide requirements

To successfully deploy the technologies in this guide, you must first deploy the technologies in the Windows Server 2008 Foundation Network Guide.

For EAP-TLS or PEAP-TLS, you can deploy user and client computer certificates with the Foundation Network Companion Guide: Deploying User and Client Computer Certificates.

Content availability

This content is available for download at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258).

Foundation Network Companion Guide: Deploying Computer and User Certificates

This companion guide to the Foundation Network Guide provides instructions for deploying client computer and user certificates with AD CS. When you deploy EAP-TLS or PEAP-TLS, certificates are required for the authentication of servers, clients, and users during network connection attempts through network access servers, such as 802.1X authenticating switches and wireless access points, virtual private network (VPN) servers, and computers running Windows Server® 2008 and Terminal Services Gateway (TS Gateway).

Guide requirements

To successfully deploy the technologies in this guide, you must first deploy the technologies in the Windows Server 2008 Foundation Network Guide and the Foundation Network Companion Guide: Deploying Server Certificates.

Content availability

This content is not yet available.

 
