Share via

Hands-on exercises for Module 7: IPv6 and Network Security

  • Article

These hands-on exercises are designed for Module 7: IPv6 and Network Security of the Microsoft IPv6 course from the Microsoft Virtual Academy. They demonstrate the following:

  • How Windows Firewall rules can be used to enable or disable specific types of unsolicited inbound traffic.
  • How Connection Security Rules can be used to protect traffic between two endpoints.

These hands-on exercises assume that you have built the following IPv6 test lab based on the Hands-on exercises for Module 6: DNS with IPv6 article.

 

This procedure demonstrates Windows Firewall rules.

  1. From the Hyper-V manager, connect to APP1, and then sign in with the CORP\User1 account.
  2. From the Hyper-V Manager, change CLIENT1's network adapter to use the Corpnet virtual switch.
  3. From the Hyper-V manager, connect to CLIENT1, and then sign in with the CORP\User1 account.  At the Windows PowerShell command prompt on CLIENT1, runipconfig /renew until you get an IPv4 address that starts with "10.0.0".
  4. From CLIENT1, run the ping app1 -6 command (the -6 parameter forces the Ping.exe tool to use IPv6). This should be successful.
  5. From APP1, click Start, type Windows Firewall, and then click the Windows Firewall with Advanced Security icon.
  6. In the tree pane, click Inbound Rules.
  7. In the contents pane, find the File and Printer Sharing (Echo Request - ICMPv6-In) rule in the File and Printer Sharing group. This rule controls whether the Windows Firewall allows incoming ICMPv6 Echo Request messages, which the Ping.exe tool sends to test connectivity. Notice that the File and Printer Sharing (Echo Request - ICMPv6-In) rule is enabled.
  8. Right-click the File and Printer Sharing (Echo Request - ICMPv6-In) rule, and then click Disable Rule.
  9. From CLIENT1, run the ping app1 -6 command again. It now fails. This is expected behavior because the rule that allows unsolicited incoming ICMPv6 Echo Request messages is now disabled. In this state, the Windows Firewall drops unsolicited incoming ICMPv6 Echo Request messages.
  10. From APP1, right-click the File and Printer Sharing (Echo Request - ICMPv6-In) rule, and then click Enable Rule.
  11. From CLIENT1, run the ping app1 -6 command again. It now succeeds.

In this next procedure, you configure and demonstrate connection security rules to protect the IPv6 traffic sent between DC1 and APP1.

  1. From the Hyper-V manager, connect to DC1 and log in using the CORP\User1 account.
  2. On DC1, open a Windows PowerShell command prompt and run the ipconfig command. Write the value of the IPv6 Address field here: _________________________________________________
  3. From APP1, run the ipconfig command. Write the value of the IPv6 Address field here: _________________________________________________
  4. On DC1, click Start, and then type \app1\files. You should see a Files folder. Double-click the Example.txt file and see its contents.
  5. Click Start, type Windows Firewall, and then click the Windows Firewall with Advanced Security icon.
  6. In the tree pane, click Connection Security Rules. Notice that there are no rules listed.
  7. In the tree pane, open Monitoring > Security Associations, and then click both Main Mode and Quick Mode. Notice that there are no main mode or quick mode IPsec security associations listed.
  8. Close the Example.txt and Files windows.
  9. In the tree pane, right-click Connection Security Rules, and then click New Rule.
  10. On the Rule Type page, click Server-to-server, and then click Next.
  11. On the Endpoints page, in Which computers are in Endpoint 1?, click These IP addresses, and then click Add.
  12. In IP Address, in This IP address or subnet, type DC1's IPv6 address from step 2, and then click OK.
  13. On the Endpoints page, in Which computers are in Endpoint 2?, click These IP addresses, and then click Add.
  14. In IP Address, in This IP address or subnet, type APP1's IPv6 address from step 3, and then click OK.
  15. On the Endpoints page, click Next.
  16. On the Requirements page, click Next.
  17. On the Authentication Method page, click Advanced, and then click Customize.
  18. In Customize Advanced Authentication Methods, in First authentication, click Add.
  19. In Add First Authentication Method, click OK.
  20. In Customize Advanced Authentication Methods, click OK.
  21. On the Authentication Method page, click Next.
  22. On the Profile page, click Next.
  23. On the Name page, type DC1 to APP1 in Name, and then click Finish.
  24. On APP1, in the tree pane of Windows Firewall with Advanced Security, right-click Connection Security Rules, and then click New Rule.
  25. On the Rule Type page, click Server-to-server, and then click Next.
  26. On the Endpoints page, in Which computers are in Endpoint 1?, click These IP addresses, and then click Add.
  27. In IP Address, in This IP address or subnet, type APP1's IPv6 address from step 3, and then click OK.
  28. On the Endpoints page, in Which computers are in Endpoint 2?, click These IP addresses, and then click Add.
  29. In IP Address, in This IP address or subnet, type DC1's IPv6 address from step 2, and then click OK.
  30. On the Endpoints page, click Next.
  31. On the Requirements page, click Next.
  32. On the Authentication Method page, click Advanced, and then click Customize.
  33. In Customize Advanced Authentication Methods, in First authentication, click Add.
  34. In Add First Authentication Method, click OK.
  35. In Customize Advanced Authentication Methods, click OK.
  36. On the Authentication Method page, click Next.
  37. On the Profile page, click Next.
  38. On the Name page, type APP1 to DC1 in Name, and then click Finish.
  39. On DC1, click Start, and then type \app1\files. You should see the Files folder. Double-click the Example.txt file and see its contents.
  40. In the tree pane of Windows Firewall with Advanced Security, open Monitoring > Security Associations, and then click both Main Mode and Quick Mode. Notice that there is a main mode or quick mode security association listed. This shows that the IPv6 traffic between DC1 and APP1 for accessing the Files shared folder is subject to a Connection Security Rule and has resulted in IPsec security associations to protect the traffic. If you do not see main mode or quick mode security associations, double-check the IPv6 addresses for DC1 and APP1 in the Connection Security Rules configured on DC1 and APP1.
  41. In the tree pane of Windows Firewall with Advanced Security, click Connection Security Rules. Right-click the DC1 to APP1 rule, and then click Disable Rule.
  42. On APP1, In the tree pane of Windows Firewall with Advanced Security, click Connection Security Rules. Right-click the APP1 to DC1 rule, and then click Disable Rule.

To continue your hands-on learning about IPv6, see Convert the IPv6 test lab to IPv6-only.