This was previously posted to Platform Network, but I have removed it there, since I did not receive replies:
Hello,
I am aware that I can either use an IPsec policy, or the newer Windows Firewall with Advanced Security Connection Security Rules to create an IPsec transport between endpoints.
However, I do not understand how to create a policy that allows a range of ports, specifically to create a transport for the DCE/RPC dynamic port allocation pool. I receive the following error when attempting to assign a range to the Windows Firewall with Advanced Security policy:
---------------------------
Windows Firewall with Advanced Security
---------------------------
An error occurred while adding the rule.

Error: The parameter is incorrect

Status: A semantic error because port range is used when the connection security rule is not an exemption rule
---------------------------
OK
---------------------------
How do I create an IPsec policy to encompass a port range?
From a test I performed a long time ago, I attempted to create an IPsec filter list with the block action (on Vista actually) with a large quantity of IPs. It quickly became clear that the IPsec filter was totally inefficient and utilized way too much CPU to make it a viable alternative for other solutions. Is this why port ranges are only allowed for exemptions?
Due to the overhead of using IPsec (using iperf, I saw ~20% hit in throughput), I'd like to exclude as much as possible.
Otherwise, what solutions are there to "tunnel" the dynamic RPC port range through a port? I wish to avoid minimizing the dynamic RPC port range (so the ranges will be two: 1025-5000, 49152-65535).
Note that I simply want to enable the local firewall on a variety of servers. These servers will not be exposed directly on the Internet.
Thanks,
Matt
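The following PowerShell script is an added example and not part of the original post or any reply to it. It reads the TCP dynamic port range the local host actually uses (which may differ from the default 49152-65535 if an administrator changed it), lists the connection security rules already present with the ports they cover, and then attempts to create the transport-mode rule the post describes, catching the validation error rather than letting it abort the script. It assumes an elevated session on Windows 8 / Server 2012 or later (where the NetSecurity module and New-NetIPsecRule exist), English-language netsh output, and uses 10.0.0.0/24 as a placeholder for the peer subnet.

```powershell
# Added example, not from the original post. Probes the RPC dynamic port
# range and tries to create an IPsec transport rule for it, capturing the
# validation error instead of stopping. Assumes: elevated session, Windows
# 8 / Server 2012 or later (NetSecurity module), English netsh output.

$RemoteSubnet = '10.0.0.0/24'   # placeholder; replace with the real peer subnet

# 1. Read the TCP dynamic port range actually in use on this host.
$dyn   = netsh int ipv4 show dynamicport tcp
$start = [int](($dyn | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
$count = [int](($dyn | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
$rangeText = "$start-$($start + $count - 1)"
Write-Host "Local dynamic TCP range: $rangeText"

# 2. Show the existing connection security rules and the ports each covers,
#    so it is clear which traffic is already protected before adding more.
Get-NetIPsecRule |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Enabled    = $_.Enabled
            Inbound    = $_.InboundSecurity
            Outbound   = $_.OutboundSecurity
            Protocol   = $pf.Protocol
            LocalPort  = $pf.LocalPort
            RemotePort = $pf.RemotePort
        }
    } | Format-Table -AutoSize

# 3. Attempt the rule the post asks about: transport mode, IPsec required in
#    both directions, covering the dynamic RPC range. -ErrorAction Stop makes
#    a cmdlet failure terminating so the catch block runs.
try {
    New-NetIPsecRule -DisplayName 'IPsec transport for RPC dynamic ports (test)' `
        -Mode Transport `
        -Protocol TCP `
        -LocalPort $rangeText `
        -RemotePort Any `
        -LocalAddress Any `
        -RemoteAddress $RemoteSubnet `
        -InboundSecurity Require `
        -OutboundSecurity Require `
        -ErrorAction Stop
    Write-Host 'Rule created: the firewall service accepted a port range for this rule.'
}
catch {
    # Where the restriction described in the post applies, the message here
    # is expected to be the same semantic/port-range error the MMC shows.
    Write-Warning "Rule rejected: $($_.Exception.Message)"
}
```

Running this before touching the configuration is useful for the server-hardening scenario in the post: step 1 confirms the real range to cover (two ranges, 1025-5000 and 49152-65535, exist only if the range was deliberately widened), step 2 shows what the local firewall already requires IPsec for, and step 3 records exactly what the service rejects so the rule set can be adjusted without guessing.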