It’s your turn: what improvements would you like in Windows Firewall and IPsec?

Yes, the ink is barely dry on the boxes for Windows Vista and we're already planning the next version of Windows. And no, I have no clue what it'll be called. But that isn't a decision I get to make, oh well...

The folks responsible for the firewall and IPsec are actively seeking ideas and suggestions for improvements in the next version. Some areas up for consideration include:

  • The configuration and management UI (the new advanced snap-in, not the control panel)

  • Deployment

  • Diagnostics and troubleshooting

  • Interoperability

  • New scenarios and features

  • Documentation and help

  • Anything else you can think of

Actually, we aren't limiting this to the next Windows. If there are major deployment blocking problems that you have now -- bugs, performance hits, whatever -- let me know now. We can consider some ideas for Vista SP1 and Longhorn Server.

Thanks! Looking forward to your thoughts.

Comments (19)

  1. stevenl says:

    OK… I have not seen the Vista firewall, but I’d like to see "The Big Red Button" (TBRB). TBRB would be a "panic" button to immediately institute new firewall rules across a domain. Yeah, I know that there is probably a firewall at the gateway, but many networks are hard on the outside, but soft and tasty on the inside. So if a worm or other nasty gets in, the only thing to stop it is the Windows Firewall. If I had TBRB, I could write a new rule and distribute the changes to the domain before there is too much damage.

    Hope that makes sense…

  2. Alex Holst says:

    How about stealing the syntax and features from OpenBSD’s pf?

  3. Ray Avila says:

    Turn the ISA "firewall client" into a real firewall as well. Let me assign different rules to groups. Let me push rules. Give it enough guts so I can enable it on gigabit server interfaces and use it as a host-based firewall to protect my servers. Give it a "monitor only" mode and a way of aggregating what it sees into rules so I don’t break too much when I implement a rule. Give it real automatic change control features so I can look up who even breathed on the management console to satisfy my SarBox audits.

    Etc. 🙂

  4. James kahn says:

    For troubleshooting – I’d like to see a visual traffic grapher built in to Windows that shows traffic flow, type of traffic, source and destination. What Windows (and a lot of third-party firewall products) is missing is an instant visual display of what is happening over the network at the current point in time. This could show what’s hitting the computer, what’s being denied and what’s being allowed through.

  5. Something like OpenBSD pf and the new ipsecctl/ipsec.conf simplicity will rock. I’m tired of dealing with bad and bloated IPsec/VPN clients with lots of bad behaviour and a GUI designed by the CEO’s son.

  6. Rocko says:

    I would like to see a feature that allows me to block access for a program for incoming AND outgoing traffic.

    It wouldn’t be bad either if I could define ports which should be blocked for incoming traffic.

  7. zerlene says:

    I can’t keep my Windows FIREWALL ON? It keeps disconnecting? WHAT is causing this?

  8. jerry says:

    There should be predefined settings for VoIP, messengers, games, torrents, …

  9. scalo says:

    An application authorized by UAC is able to add/remove/destroy all rules from the Windows Vista Firewall without any additional user consent (example: when you install an application).

    I would like to have an extra UAC warning in order to protect the Firewall rules.
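    Ray Avila (comment 3) asks for change control on the rule set and scalo (above) points out that an elevated installer can rewrite the rules silently. One defender-side check that works on Vista as shipped is to keep an approved baseline of the text that `netsh advfirewall firewall show rule name=all` prints and diff the live output against it. The script below is an added example, not part of this post or of Windows; the two rule listings are constructed sample text in that command’s layout, and the parser keys on the `Field:   value` lines the command emits.

```python
import re

# Constructed sample text in the layout of `netsh advfirewall firewall show rule name=all`.
# BASELINE is the approved state; CURRENT is the same host after an elevated installer
# silently enabled an existing rule and added one of its own.
BASELINE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow
"""
CURRENT = re.sub(r"(Enabled:\s+)No", r"\1Yes", BASELINE) + """\
Rule Name:                            Updater Service
----------------------------------------------------------------------
Enabled:                              Yes
Protocol:                             TCP
LocalPort:                            Any
Action:                               Allow
"""

def parse_rules(text):
    """Map each rule name to its {field: value} dict from 'show rule' output."""
    rules, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s+(.*?)\s*$", line)
        if not m:
            continue                      # separator dashes and blank lines
        key, value = m.groups()
        if key == "Rule Name":
            current = rules.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return rules

def diff_rules(baseline, current):
    """Return (added, removed, changed) relative to the approved baseline;
    changed maps rule name -> {field: (old, new)}."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in set(baseline) & set(current):
        fields = set(baseline[name]) | set(current[name])
        delta = {f: (baseline[name].get(f), current[name].get(f))
                 for f in fields if baseline[name].get(f) != current[name].get(f)}
        if delta:
            changed[name] = delta
    return added, removed, changed
```

Run against a real host, feed the saved baseline and the live `netsh` output into `parse_rules` and alert on any non-empty result; who made the change still has to come from the Security event log, which this check does not read.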

  10. Christian says:

    I would like an interactive mode. Every new program which sends a ping out should be blocked until I decide whether to allow it or not. (OK, I can add rules in the snap-in, but that’s not comfortable enough 🙂)

    Many greetings!

  11. RAB says:

    That there was a standard way to make services/(MS) applications speak static IP (not like the DWORD name, which is sometimes TCP/IP Port and sometimes Assignment, for example). How about a GUI where you push a button to make this service (/process) IP static, delivered also with a CMD tool and as an option for GP editing.

    If you can’t make this, then at least make a way that an application can talk through the firewall without a continuous listening process.

    And also an advisory not to use the wizard in 2003 SP1, which makes a complete mess out of any firewall 😉

    How about an alerter that told you when somebody tried to poison your ARP cache?

    Or an IPsec way to speak with your DNS server?

    For IPsec, a nice way to roll out FIPS-compliant certificates for Unix computers (sorry to put the load on you, our Oracle people just don’t care… ).

  12. Joe says:

    I’d like to see a user-friendly editable configuration file for the firewall. OpenBSD’s PF firewall is a firewall done right. Its syntax is very easy to understand and it is a secure firewall. Also, I second one of the posters who mentioned OpenBSD’s IPsec work. It really is the best out there. It’s user friendly, it’s secure, and it’s technically correct.

  13. carl says:

    A user-friendly editable configuration file for a firewall is impossible, because the syntax can’t be user-friendly! Windows Vista Firewall is fully configurable and powerful through the advanced GUI. The truth is that the OpenBSD and Linux firewalls are obsolete!!! Nowadays nobody wants to manage rules using an editable text file!!!

  14. kevn says:

    The current firewall in Vista is ok for Vista, but the merging of IPSec and Firewall in Longhorn server is horrible.

    1) Instead of inbound and outbound views, just break it down into what you are really dealing with – services, apps and ports. When I want to see what my services are configured for, that’s what I want to see: SERVICES. Same with apps and ports (having an all-in-one might also be useful, or some cool query building/filtering).

    2) Kill the wizard, or at least give the option to skip it and go right to the config (like IPsec in 2000/2003). I shouldn’t even have to ask for this one.

    3) Show firewall and IPsec settings for services on the service property page.

    4) Have a direct way to view and edit firewall/IPsec settings from Task Manager – either bring up a property page or have a column that indicates allowed, blocked or secured. A block-all from Task Manager would be nice, as would an allow-all-temp for troubleshooting (and show the results without having to look for them in some offbeat location).

    5) Current help in the wizard is very confusing – I know what I need/want to do, but reading the wizard help confuses me; it just seems that it’s a one-size-fits-all approach that doesn’t fit any size. The wizard can be cut to two or three pages – who, what, how. (Can anyone explain the page where it lists the services (the one after the presets)?) I just don’t get what it’s trying to accomplish there.

    6) Emphasize domain groups over IP addresses for isolation policies – why bother with IP addresses? Don’t you lose the best advantage?

    7) Design the UI around the idea of authentication – that’s really what it’s all about here! Design services and apps with this in mind. "This app is allowed to authenticate to: ", "This app trusts: " — so much nicer, and it really gets the number of property pages down.

    8) If it’s really intended that only a few Connection Security policies need to be created, then just find a way to remove this from the basic UI – if someone needs a more complicated policy let them configure it, but really this is the biggest disconnect – won’t most people just need to set the "default" and go with that?

    9) Make the MMC 10x faster! It’s way too slow.

    10) The entire process is much easier in 2003; all I really wanted was a more customizable UI for IPsec – bigger windows that remember their size and columns, mostly. That’s all I really wanted.

    11) A Domain Controller preset!

    I’m just saying…

  15. ZSJ says:

    I’ve seen this in the listings above, but I believe it’s something that really needs to be there.  I’d like to see what’s getting through – in or out.  What is the source:  application and IP address with DNS lookup  – if possible.   What would really be nice would be to select the URLs that you want or need in IE.  Everything else is  This may not be possible with all the ads out there.

  16. florian says:

    I would consider the following as useful:

    – allow Firewall policies/exceptions based on user groups / user roles (Windows Vista brings this same cool feature with Local Group Policies that can be assigned to Administrators / Non-administrators).

    – bring the ISA Firewall client into the Windows Firewall on the client machines.

    – given the Network Location Awareness feature in Vista, it’d be nice if one could set Firewall rules/exceptions depending on WHERE the computer (mobile computer!) actually is located.

  17. David Soussan says:

    Take a page from other firewall vendors on how to configure them. As a reseller, I sell Sonicwalls, not ISA. Why?

    Look at how to get the two interoperating. Details at:

    3 pages (pp. 2-4) on configuring the Sonicwall side.

    19 pages (pp. 7-25) for the ISA server side.

    Do them both; count the settings, mouse clicks, keys, or whatever. Similar hoops with IPSec, and I can point to those examples if you haven’t already seen them. Maybe ISA 2006 is better? Don’t know; haven’t looked into it.

    Too many moving parts and settings for the same functionality means more ways to not do it right and more things to debug.

    Just my $0.02.

    BTW: You’ve done some great recorded webcasts!

  18. jrp says:

    I have just been struggling to get Mobile 5.0, Vista and XP L2TP/IPSec clients to talk to a Cisco IOS-based router.

    For some reason, this is very poorly (i.e., not at all) documented; the Cisco site has various scenarios related to Windows 2000, which has a different client. This makes a difference when connecting from behind NAT, it seems.

    Simple things, like what encryption settings should be used (3DES+DH group2+SHA1, say) seem to need a protocol analyser (or Cisco log) to uncover. Moreover, Microsoft don’t seem to support DH5 and Cisco don’t support DH14, so you end up with DH2. And you also end up with 3DES because the only AES options that Microsoft offer come with DH higher than 2. The diagnostics offered by the MS VPN client are poor. Messages like "Error 789" are logged, which you then have to look up. (Thank god for Google.) This is 70s and 80s style programming.

    I use the Cisco as an endpoint because you can’t/shouldn’t use a Windows Server behind NAT as a VPN endpoint. Why not?

    The Vista troubleshooting client looks whizzy but does not seem to do much.  For example, it did not uncover the MTU size limit problem that prevented packets from getting through that it should be possible to check using ping, if you know what you’re doing (which I did not at the time.)

    Yes, VPN is complex, but it is made more resource-intensive to set up by the absence of documentation and poor diagnostics.
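The fallback jrp describes is a property of how IKE picks a suite: the responder accepts the first proposal from the initiator’s ordered list that it also supports, so two peers that each support AES can still settle on 3DES/DH2 when their AES offers are tied to different DH groups. The script below is an added illustration of that selection, not Microsoft’s or Cisco’s code; the two proposal lists are constructed to match the comment’s description (AES only with DH14 on one side, only with DH5 on the other) and are not either vendor’s real defaults, and the nominal key-strength table is an assumption used only to flag a downgrade.

```python
from collections import namedtuple

Proposal = namedtuple("Proposal", "encryption hash dh_group")

# Constructed IKE phase 1 proposal lists (preference order, not vendor defaults),
# shaped like the mismatch in the comment: the client pairs AES only with DH14,
# the router pairs AES only with DH5, and both list 3DES/SHA1/DH2 as a fallback.
WINDOWS_CLIENT = [
    Proposal("AES-256", "SHA1", 14),
    Proposal("AES-128", "SHA1", 14),
    Proposal("3DES", "SHA1", 2),
]
CISCO_ROUTER = [
    Proposal("AES-256", "SHA1", 5),
    Proposal("AES-128", "SHA1", 5),
    Proposal("3DES", "SHA1", 2),
]

# Assumed nominal key strength in bits, used only to rank ciphers for the report.
ENC_STRENGTH = {"3DES": 112, "AES-128": 128, "AES-256": 256}

def negotiate(initiator, responder):
    """Return the first initiator proposal the responder also accepts
    (IKEv1 phase 1 style: the responder chooses from the initiator's list),
    or None when there is no common proposal and the exchange fails."""
    accepted = set(responder)
    for p in initiator:
        if p in accepted:
            return p
    return None

def downgrade_report(initiator, responder):
    """Flag when the agreed suite is weaker than what BOTH peers could do
    individually: the silent fallback that only a capture or log reveals."""
    chosen = negotiate(initiator, responder)
    if chosen is None:
        return {"chosen": None, "reason": "no common proposal; IKE fails"}
    def best(side):   # strongest single offer on one side
        return max(side, key=lambda p: (ENC_STRENGTH[p.encryption], p.dh_group))
    enc_ceiling = min(ENC_STRENGTH[best(initiator).encryption],
                      ENC_STRENGTH[best(responder).encryption])
    dh_ceiling = min(best(initiator).dh_group, best(responder).dh_group)
    return {
        "chosen": chosen,
        "encryption_downgraded": ENC_STRENGTH[chosen.encryption] < enc_ceiling,
        "dh_downgraded": chosen.dh_group < dh_ceiling,
    }
```

Adding a single AES-256/SHA1/DH14 entry to the router’s list makes `negotiate` return that suite instead, which is the check to run before accepting that "DH2 and 3DES" is the best the two peers can do.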
