WFAS (Windows Firewall with Advanced Security) is the host-based firewall built into Windows Server 2008. The earlier Windows Server 2003 used the Internet Connection Firewall (ICF). Because that firewall was disabled by default, among other reasons, it did not receive much attention. Windows Server 2008 adds many new functions that let the firewall do its job better. The biggest difference between WFAS and earlier firewalls is the addition of IPSec, which authenticates and encrypts network communication.
Introduction to new WFAS Functions
Enabled by default and configured automatically
WFAS is enabled by default in Windows Server 2008, and in Vista as well. This should change the mistaken view, carried over from ICF, that the firewall built into Windows Server is ineffective. Automatic configuration is another powerful feature. Different Windows Server 2008 machines take on different tasks; whether a machine is a web server or a file server, WFAS automatically enables firewall rules based on the roles and features enabled on it.
For example, I have just installed the AD domain controller role on Windows Server 2008. Looking at WFAS, the inbound rules now contain additional firewall rules for domain controllers.
Complete operation interface
When talking about Microsoft products, we cannot help but mention improvements to the management interface. As Microsoft products continue to develop, we feel the burden on network administrators steadily decreasing. To put it bluntly, the earlier Windows Firewall could not provide complete functionality: when the environment was complex, there were not many firewall options to set. WFAS does not have this problem. You can configure WFAS through the firewall console, and if that is not enough, you can also use MMC, the netsh command, or Group Policy.
(Figure: managing WFAS through the MMC console)
Detailed rule settings
The previous section mentioned that WFAS adapts better to complex environments; this is also reflected in its firewall rules.
WFAS makes major changes to firewall rules, which are divided into inbound rules and outbound rules. By default, all inbound connections are blocked until a rule is set to allow them, while outbound rules are open by default. That is to say, a local program can communicate with the network freely, but the reverse direction does not work unless the rules are changed.
When creating a rule, WFAS offers several options: a rule can be defined not only by port but also by program, from a predefined rule, or as a custom rule. Administrators will discover the benefits of these methods as they test and use them.
IPSec
At the beginning of this article, we mentioned that WFAS and IPSec are integrated. This avoids conflicts between the Windows Firewall filtering function and IPSec. In addition, the firewall gains communication verification and network communication encryption functions.
Block rules whose coverage can be changed
PS: the drawing is ugly. On the left is the traditional Windows Firewall, and on the right is WFAS. In the traditional Windows Firewall, a block rule determines whether a function is available, but this circle has only two states, enabled and disabled, and no further options. In WFAS, the block-rule circle contains a second, variable-sized circle, which can be as small as nothing or as large as the outer circle. In other words, by sizing the inner circle you can create allow rules on top of the block rule, that is, exceptions.
For example:
We usually disable the Remote Desktop function. When an administrator needs to manage the server remotely and enables Remote Desktop, anyone on the network who knows the account and password can connect. In WFAS, you can use a pair of rules, one block and one allow, so that the allow covers a small part of the block. This controls firewall access more effectively.
NLA
NLA stands for Network Location Awareness. Before looking at what this feature brings to WFAS, let's take a look.
Under profiles, you can find the following options: domain, private, and public.
Domain: used when the computer is a domain member and all network interfaces can authenticate with a DC.
Private: the domain profile is not applied, and you can designate the network as using the private profile.
Public: everything else.
NLA is added to WFAS so that different rules can be applied depending on the network location it identifies, which makes WFAS more flexible to use.
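The default-block posture, the Remote Desktop exception and the per-profile scoping described above, combined into one netsh advfirewall sequence run from an elevated PowerShell prompt. This is an added example, not part of the original article; the rule name and the 192.0.2.0/24 management subnet are constructed placeholders, and the "block" here is the profile's default inbound policy rather than an explicit block rule.

```powershell
# Added example. Rule name and subnet are constructed placeholders.
$ruleName   = 'RDP-From-Mgmt-Subnet'   # hypothetical rule name
$mgmtSubnet = '192.0.2.0/24'           # documentation range; substitute the real admin subnet

# 1. Show the state and default policy of the domain, private and public profiles.
netsh advfirewall show allprofiles

# 2. Default posture: block unsolicited inbound, allow outbound, on every profile.
#    The value is quoted so PowerShell does not split it at the comma.
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound'

# 3. Remove any earlier copy of the rule so reruns do not stack duplicates.
#    (netsh reports an error here when no such rule exists yet; that is expected.)
netsh advfirewall firewall delete rule "name=$ruleName" | Out-Null

# 4. The exception: allow Remote Desktop (TCP 3389) inbound, but only from the
#    management subnet and only while the domain profile is active. On the
#    private and public profiles the default inbound block still applies.
netsh advfirewall firewall add rule "name=$ruleName" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$mgmtSubnet" profile=domain
if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule $ruleName" }

# 5. Verify the scope that was actually stored (profiles, remote IP, port).
netsh advfirewall firewall show rule "name=$ruleName" verbose
```

The scoped rule only narrows exposure while the predefined Remote Desktop inbound rules stay disabled; an enabled allow rule with a broader remote address scope still admits the traffic.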
Full support for IPv6
The above are some new features of WFAS. When we actually use WFAS, we will find that