HelpCache/Microsoft.Windows.Firewall.Commands.dll-help.xml
<?xml version = "1.0" encoding = "utf-8" ?>
<helpItems schema="maml"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>Get-DAPolicyChange</command:name><maml:description><maml:para>Gets a list of IP addresses that need to be added and deleted to an IPsec rule based on the differences detected between the IP addresses for the existing rule and the IP addresses derived from the input parameters, and creates a Windows PowerShell® script (.ps1) that updates the IPsec rule in the appropriate policy stores.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>Get</command:verb><command:noun>DAPolicyChange</command:noun><dev:version /></command:details><maml:description><maml:para>The Get-DAPolicyChange cmdlet returns the detected differences between the IP addresses (remote and local addresses) of an existing IPsec rule, and the IP addresses derived by the input parameters. This cmdlet also creates a Windows PowerShell® script (.ps1) that updates the IPsec rule end points with the retrieved IP addresses. The created script contains instances of the Update-NetIPsecRule cmdlet, that adds or deletes IP addresses to or from IPsec rules.</maml:para><maml:para>This cmdlet is used to keep the IPsec policies for client and server refreshed in DirectAccess (DA) deployments in a double tunnel model. The DA first tunnel policy is defined by IP addresses that are derived from domain names and servers. A list of IP addresses is retrieved based on the derived values from the Domains or Servers parameter. This cmdlet outputs DeltaCollection objects that contain the following: the actual list of address changes detected, whether to add or delete the change in IP addresses, and a list of fully qualified domain names (FQDNs) that did not resolve. 
If there are multiple rules that match the same name, then this cmdlet fails with an error.</maml:para><maml:para>Running the output script for this cmdlet (located at PSLocation) resolves the IP addresses for the DA first tunnel and updates the Group Policy Objects (GPOs) appropriately. The DNS server specified in the DnsServers parameter will be used to resolve the domain name and server names.</maml:para><maml:para>By generating a Windows PowerShell script, this cmdlet allows administrators to have greater control over policy synchronization. The Sync-NetIPsecRule cmdlet also detects the IP address changes, but immediately updates the rules instead of returning the deviations and a .ps1 script.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>Get-DAPolicyChange</maml:name><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Servers</maml:name><maml:description><maml:para>Specifies a list of server IP addresses that will be used to derive IP address differences.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Domains</maml:name><maml:description><maml:para>Specifies the domains from which the deltas in IP addresses are derived. 
The list is specified by an array of fully qualified domain names (FQDN).</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name to match the differences in IP addresses of the IPsec rule.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>PolicyStore</maml:name><maml:description><maml:para>Specifies the policy store from which to retrieve the rules. A policy store is a container for firewall and IPsec policy. The acceptable values for this parameter are: -- PersistentStore: Sometimes called static rules, this store contains the persistent policy for the local computer. This policy is not from GPOs, and has been created manually or programmatically (during application installation) on the computer. Rules created in this store are attached to the ActiveStore and activated on the computer immediately. -- ActiveStore: This store contains the currently active policy, which is the sum of all policy stores that apply to the computer. This is the resultant set of policy (RSOP) for the local computer (the sum of all GPOs that apply to the computer), and the local stores (the PersistentStore, the static Windows service hardening (WSH), and the configurable WSH). ---- GPOs are also policy stores. Computer GPOs can be specified as follows. ------ -PolicyStore hostname. ---- Active Directory GPOs can be specified as follows. ------ -PolicyStore domain.fqdn.com\GPO_Friendly_Name. ------ Such as the following. 
-------- -PolicyStore localhost -------- -PolicyStore corp.contoso.com\FirewallPolicy ---- Active Directory GPOs can be created using the New-GPO cmdlet or the Group Policy Management Console. -- RSOP: This read-only store contains the sum of all GPOs applied to the local computer. -- SystemDefaults: This read-only store contains the default state of firewall rules that ship with Windows Server® 2012. -- StaticServiceStore: This read-only store contains all the service restrictions that ship with Windows. Optional and product-dependent features are considered part of Windows Server 2012 for the purposes of WFAS. -- ConfigurableServiceStore: This read-write store contains all the service restrictions that are added for third-party services. In addition, network isolation rules that are created for Windows Store application containers will appear in this policy store. The default value is PersistentStore. Note: The Set-NetIPsecRule cmdlet cannot be used to add an object to a policy store. An object can only be added to a policy store at creation time with the Copy-NetIPsecRule cmdlet or with the New-NetIPsecRule cmdlet. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="5" aliases=""><maml:name>PSLocation</maml:name><maml:description><maml:para>Specifies the path for the newly created Windows PowerShell script (.ps1) file. This parameter supports standard Windows PowerShell path syntax. 
This parameter must contain a rooted path, such as C:\users\User1\WPS_Script.ps1.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="6" aliases=""><maml:name>EndpointType</maml:name><maml:description><maml:para>Specifies that the local or remote endpoint should be modified by adding or removing the IP address differences. The acceptable values for this parameter are: Endpoint1 or Endpoint2. Endpoint1 corresponds to the local address and Endpoint2 corresponds to the remote address for any IPsec rule.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="7" aliases=""><maml:name>DnsServers</maml:name><maml:description><maml:para>Specifies a list of DNS server IP addresses that will be used for name resolution used to determine IP address differences. This parameter accepts one or more DNS server IP addresses. 
If this parameter is not specified, then this cmdlet uses the default DNS servers.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>DisplayName</maml:name><maml:description><maml:para>Specifies the display name to match the differences in IP addresses of the IPsec rule.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="7" aliases=""><maml:name>DnsServers</maml:name><maml:description><maml:para>Specifies a list of DNS server IP addresses that will be used for name resolution used to determine IP address differences. This parameter accepts one or more DNS server IP addresses. If this parameter is not specified, then this cmdlet uses the default DNS servers.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Domains</maml:name><maml:description><maml:para>Specifies the domains from which the deltas in IP addresses are derived. 
The list is specified by an array of fully qualified domain names (FQDN).</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="6" aliases=""><maml:name>EndpointType</maml:name><maml:description><maml:para>Specifies that the local or remote endpoint should be modified by adding or removing the IP address differences. The acceptable values for this parameter are: Endpoint1 or Endpoint2. Endpoint1 corresponds to the local address and Endpoint2 corresponds to the remote address for any IPsec rule.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>PolicyStore</maml:name><maml:description><maml:para>Specifies the policy store from which to retrieve the rules. A policy store is a container for firewall and IPsec policy. The acceptable values for this parameter are: -- PersistentStore: Sometimes called static rules, this store contains the persistent policy for the local computer. This policy is not from GPOs, and has been created manually or programmatically (during application installation) on the computer. Rules created in this store are attached to the ActiveStore and activated on the computer immediately. -- ActiveStore: This store contains the currently active policy, which is the sum of all policy stores that apply to the computer. 
This is the resultant set of policy (RSOP) for the local computer (the sum of all GPOs that apply to the computer), and the local stores (the PersistentStore, the static Windows service hardening (WSH), and the configurable WSH). ---- GPOs are also policy stores. Computer GPOs can be specified as follows. ------ -PolicyStore hostname. ---- Active Directory GPOs can be specified as follows. ------ -PolicyStore domain.fqdn.com\GPO_Friendly_Name. ------ Such as the following. -------- -PolicyStore localhost -------- -PolicyStore corp.contoso.com\FirewallPolicy ---- Active Directory GPOs can be created using the New-GPO cmdlet or the Group Policy Management Console. -- RSOP: This read-only store contains the sum of all GPOs applied to the local computer. -- SystemDefaults: This read-only store contains the default state of firewall rules that ship with Windows Server® 2012. -- StaticServiceStore: This read-only store contains all the service restrictions that ship with Windows. Optional and product-dependent features are considered part of Windows Server 2012 for the purposes of WFAS. -- ConfigurableServiceStore: This read-write store contains all the service restrictions that are added for third-party services. In addition, network isolation rules that are created for Windows Store application containers will appear in this policy store. The default value is PersistentStore. Note: The Set-NetIPsecRule cmdlet cannot be used to add an object to a policy store. An object can only be added to a policy store at creation time with the Copy-NetIPsecRule cmdlet or with the New-NetIPsecRule cmdlet. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="5" aliases=""><maml:name>PSLocation</maml:name><maml:description><maml:para>Specifies the path for the newly created Windows PowerShell script (.ps1) file. This parameter supports standard Windows PowerShell path syntax. This parameter must contain a rooted path, such as C:\users\User1\WPS_Script.ps1.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1" aliases=""><maml:name>Servers</maml:name><maml:description><maml:para>Specifies a list of server IP addresses that will be used to derive IP address differences.</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para></maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.Management.Infrastructure.CimInstance#root\StandardCimv2\DeltaCollection[]</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>The 
Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>EXAMPLE 1</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>Get-DAPolicyChange -DisplayName "TunnelPolicy1" -EndpointType Endpoint1 -PSLocation "C:\Update.ps1" -Servers "server1.corp.contoso.com", "server2.corp.contoso.com", "server3.corp.contoso.com"

IPsec Rule name : TunnelPolicy1
Action          : Add
IPv6addresses   : 2001:4829:3243::100:1
                : 2001:4829:3243::100:1
GPO             : contoso\DAClientPolicy

IPsec Rule name : TunnelPolicy1
Action          : Delete
IPv6addresses   : 2001:4829:3243::100:3
                : 2001:4829:3243::100:4
GPO             : contoso\DAClientPolicy

FQDN’s that did not resolve into IP address:
server1.corp.contoso.com
server3.corp.contoso.com</dev:code><dev:remarks><maml:para>This example gets the list of IP addresses that need to be added and deleted to an IPsec rule based on the differences detected between the existing rule IP addresses and the IP addresses derived from the input parameters and returns a .ps1 file that updates the local end point for the rule.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>EXAMPLE 2</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>PS C:\>$serverPolicyStore = "domain.contoso.com\server_GPO"
PS C:\>$serverRuleDisplayName = "Any-Traffic-Win8DA-Rule"
PS C:\>$domains = "corp.contoso.com", "corp.contoso2.com"
PS C:\>$servers = "server2.corp.contoso.com"
PS C:\>$primaryDns64 = "1.2.2.1"
PS C:\>Get-DAPolicyChange -PolicyStore $serverPolicyStore -DisplayName $serverRuleDisplayName -EndpointType Endpoint1 -Domains $domains -Servers $servers -DnsServers $primaryDns64 -PSLocation C:\Users\Administrator\Documents\PSscripts\dapolicychange.ps1</dev:code><dev:remarks><maml:para>This example gets the list of IP addresses that need to be added and deleted to an IPsec rule based on the differences detected between the existing rule IP addresses and the IP addresses derived from the input parameters and returns a .ps1 file that updates the end points. The policy store, rule display name, domain list, server list and DNS server are assigned to variables as quoted strings, and the GPO is named in the domain.fqdn.com\GPO_Friendly_Name form that the PolicyStore parameter expects.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/?LinkId=232917</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Sync-NetIPsecRule</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>Update-NetIPsecRule</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-NetIPsecAuthProposal</command:name><maml:description><maml:para>Creates a main mode authentication proposal that specifies a suite of authentication protocols to offer in IPsec main mode negotiations with other computers.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>NetIPsecAuthProposal</command:noun><dev:version /></command:details><maml:description><maml:para>The New-NetIPsecAuthProposal cmdlet creates a single authentication proposal to be used in IPsec main mode negotiations. 
An authentication proposal describes a single authentication method that the computer would accept as valid proof of the identity of the peer. This cmdlet is also used to authenticate the identity of the local user, so that a peer computer would accept the proof.</maml:para><maml:para>Multiple network IPsec authentication proposal fields are grouped into a single network IPsec phase 1 authentication set or network IPsec phase 2 authentication set. Each set is a list of proposals in order of preference. A phase 1 authentication is generally used for computer authentication, and a phase 2 authentication is used for user authentication or computer health certification. See the New-NetIPsecPhase1AuthSet and New-NetIPsecPhase2AuthSet cmdlets for more information. The authentication method, such as Kerberos v5, certificate, or pre-shared key authentication, provided by a network IPsec authentication proposal and specified through a network IPsec phase 1 authentication set, is required for a successful main mode security association. See the Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA cmdlets for more information.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>User</maml:name><maml:description><maml:para>Specifies that the computer should authenticate as the user account, rather than the computer. This parameter is valid with NTLM, Kerberos, Cert, or Proxy. </maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Cert</maml:name><maml:description><maml:para>Specifies that certificate authentication is used. 
The Authority and AuthorityType parameters specify the certification authentication methods.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountMapping</maml:name><maml:description><maml:para>Specifies the enabled state for the IPsec certificate-to-account mapping. In certificate-to-account mapping, the Internet Key Exchange (IKE) and AuthIP protocols associate, or map, a user or computer certificate to a user or computer account in an Active Directory (AD) domain or forest, and then retrieves an access token, which includes the list of user security groups. This process ensures that the certificate offered by the IPsec peer corresponds to an active user or computer account in the domain, and that the certificate is one that should be used by that user or computer.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthorityType</maml:name><maml:description><maml:para>Specifies whether certificates issued by intermediate CAs are accepted. This parameter is used for certificate authentication. The acceptable values for this parameter are: Root or Intermediate. The default value is Root. Note: This parameter is supported in Windows Server® 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateAuthorityType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ExcludeCAName</maml:name><maml:description><maml:para>Specifies that CA names are excluded. 
This can only be specified for phase 1 authentications.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="EKUs"><maml:name>ExtendedKeyUsage</maml:name><maml:description><maml:para>Specifies a list of object identifiers (OIDs) to match against the extended key usage (EKU) field of a certificate. When a CA issues a certificate, the EKU specifies the intended purposes of the certificate. For instance, there are specific OIDs for client-server communications as well as secure email and code signing. An IPsec certificate can be selected or validated by EKU OID. There is a limit of 100 EKUs. This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>FollowRenewal</maml:name><maml:description><maml:para>Specifies that certificate signing is automatically renewed. When the certificate is auto-renewed, the IPsec policy will not need to be updated. This parameter only works for authentication methods that define a thumbprint with the Thumbprint parameter. This parameter only works, and is appropriate, for certificate selection methods. The default value is False. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SelectionCriteria</maml:name><maml:description><maml:para>Specifies that the current certificate authentication proposal should be used to select the certificate to offer to remote peers. 
When using certificate criteria, exactly one proposal for selection and exactly one proposal for validation are needed. A single proposal can be used for both. If this parameter or the ValidationCriteria parameter is not specified, then the proposal is used for both. This parameter is supported in Windows Server 2012. The default value is False. Note: If both this parameter and the ValidationCriteria parameter are set to False, then the configuration is not valid and both flags in a new phase 1 authentication set or phase 2 authentication are set to True. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Signing</maml:name><maml:description><maml:para>Specifies the certificate signing algorithm to accept. The acceptable values for this parameter are: RSA, ECDSA256, or ECDSA384. The default value is RSA.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateSigningAlgorithm</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SubjectName</maml:name><maml:description><maml:para>Determines, if it is not null, how the certificate should be validated. A certification authority (CA) could put any string value into the Subject Name or Alternative Subject Name fields on a certificate, so there are no format requirements for this parameter. However, depending on the value of SubjectNameType, there are some general formats that are usually followed. Examine the certificates issued by the CA to find the exact formatting to use. If the SubjectNameType parameter is: - None: The Subject Name field on a certificate must be null. - DomainName: The Subject Name field on a certificate should generally take the format of a FQDN. 
The Alternative Subject Name field will be examined. - UserPrincipalName: The Subject Name field on a certificate should generally take the format of a service principal name (SPN). The Alternative Subject Name field will be examined. - EmailAddress: An email address, like username@contoso.com. The Alternative Subject Name field on a certificate will be examined. - CN, OU, O, DC: The values from an X.509 strong name. These will be parsed from the Subject Name field on a certificate. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SubjectNameType</maml:name><maml:description><maml:para>Determines how the SubjectName field should be interpreted. The acceptable values for this parameter are: None, DomainName, UserPrincipalName, EmailAddress, CN, OU, O, or DC. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateSubjectType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Thumbprint</maml:name><maml:description><maml:para>Specifies the certificate thumbprint (hash) to use for certificate criteria. This is primarily intended for interoperable server-to-server authentication. This parameter cannot be combined with the FollowRenewal parameter. Note: This parameter is supported in Windows Server 2012. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ValidationCriteria</maml:name><maml:description><maml:para>For use with certificate criteria. Specifies that the current certificate auth proposal should be used to validate the certificate given by the remote peer. When using certificate criteria, exactly one proposal for selection and exactly one proposal for validation are needed. A single proposal can be used for both. If this parameter or the SelectionCriteria parameter is not specified, then the proposal is used for both. This parameter is supported in Windows Server 2012. The default value is False. Note: If both this parameter and the SelectionCriteria parameter are set to False, then the configuration is not valid and both flags in a new phase 1 authentication set or phase 2 authentication are set to True. </maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Authority</maml:name><maml:description><maml:para>Specifies, for certificate authentication, the strong name, or X.509 string, of the Certification Authority (CA) that has issued the client certificates. 
This parameter is used for certificate authentication.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Machine</maml:name><maml:description><maml:para>Specifies that the computer principal should be authenticated rather than the user.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Health</maml:name><maml:description><maml:para>Specifies that the certificate is a health certificate. For phase 2 authentications, if the authentication method is only valid for computer certificates.</maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="4" aliases=""><maml:name>Cert</maml:name><maml:description><maml:para>Specifies that certificate authentication is used. The Authority and AuthorityType parameters specify the certification authentication methods.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountMapping</maml:name><maml:description><maml:para>Specifies the enabled state for the IPsec certificate-to-account mapping. In certificate-to-account mapping, the Internet Key Exchange (IKE) and AuthIP protocols associate, or map, a user or computer certificate to a user or computer account in an Active Directory (AD) domain or forest, and then retrieves an access token, which includes the list of user security groups. 
This process ensures that the certificate offered by the IPsec peer corresponds to an active user or computer account in the domain, and that the certificate is one that should be used by that user or computer.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthorityType</maml:name><maml:description><maml:para>Specifies whether certificates issued by intermediate CAs should be accepted. This parameter is used for certificate authentication. The acceptable values for this parameter are: Root or Intermediate. The default value is Root. Note: This parameter is supported in Windows Server® 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateAuthorityType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ExcludeCAName</maml:name><maml:description><maml:para>Specifies that CA names are excluded. This can only be specified for phase 1 authentications.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="EKUs"><maml:name>ExtendedKeyUsage</maml:name><maml:description><maml:para>Specifies a list of object identifiers (OIDs) to match against the extended key usage (EKU) field of a certificate. When a CA issues a certificate, the EKU specifies the intended purposes of the certificate. For instance, there are specific OIDs for client-server communications as well as secure email and code signing. An IPsec certificate can be selected or validated by EKU OID. There is a limit of 100 EKUs. This parameter is supported in Windows Server 2012. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>FollowRenewal</maml:name><maml:description><maml:para>Specifies that the proposal follows the certificate through automatic renewal. When the certificate is auto-renewed, the IPsec policy does not need to be updated. This parameter only works for authentication methods that define a thumbprint with the Thumbprint parameter. This parameter only works, and is appropriate, for certificate selection methods. The default value is False. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SelectionCriteria</maml:name><maml:description><maml:para>Specifies that the current certificate authentication proposal should be used to select the certificate to offer to remote peers. When using certificate criteria, exactly one proposal for selection and exactly one proposal for validation are needed. A single proposal can be used for both. If neither this parameter nor the ValidationCriteria parameter is specified, then the proposal is used for both. This parameter is supported in Windows Server 2012. The default value is False. Note: If both this parameter and the ValidationCriteria parameter are set to False, then the configuration is not valid and both flags in a new phase 1 authentication set or phase 2 authentication set are set to True. </maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Signing</maml:name><maml:description><maml:para>Specifies the certificate signing algorithm to accept. 
The acceptable values for this parameter are: RSA, ECDSA256, or ECDSA384. The default value is RSA.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateSigningAlgorithm</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SubjectName</maml:name><maml:description><maml:para>Determines, if it is not null, how the certificate should be validated. A certification authority (CA) could put any string value into the Subject Name or Alternative Subject Name fields on a certificate, so there are no format requirements for this parameter. However, depending on the value of SubjectNameType, there are some general formats that are usually followed. Examine the certificates issued by the CA to find the exact formatting to use. If the SubjectNameType parameter is:</maml:para><maml:para>- None: The Subject Name field on a certificate must be null.</maml:para><maml:para>- DomainName: The Subject Name field on a certificate should generally take the format of an FQDN. The Alternative Subject Name field will be examined.</maml:para><maml:para>- UserPrincipalName: The Subject Name field on a certificate should generally take the format of a service principal name (SPN). The Alternative Subject Name field will be examined.</maml:para><maml:para>- EmailAddress: An email address, like username@contoso.com. The Alternative Subject Name field on a certificate will be examined.</maml:para><maml:para>- CN, OU, O, DC: The values from an X.509 strong name. These will be parsed from the Subject Name field on a certificate.</maml:para><maml:para>Note: This parameter is supported in Windows Server 2012. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SubjectNameType</maml:name><maml:description><maml:para>Determines how the SubjectName field should be interpreted. The acceptable values for this parameter are: None, DomainName, UserPrincipalName, EmailAddress, CN, OU, O, or DC. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateSubjectType</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Thumbprint</maml:name><maml:description><maml:para>Specifies the thumbprint hashing to use for certification criteria. This is primarily intended for interoperability server-to-server authentication. This parameter cannot be combined with the FollowRenewal parameter. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ValidationCriteria</maml:name><maml:description><maml:para>For use with certificate criteria. Specifies that the current certificate auth proposal should be used to validate the certificate given by the remote peer. When using certificate criteria, exactly one proposal for selection and exactly one proposal for validation are needed. A single proposal can be used for both. If this parameter or the SelectionCriteria parameter is not specified, then the proposal is used for both. 
This parameter is supported in Windows Server 2012. The default value is False. Note: If both this parameter and the SelectionCriteria parameter are set to False, then the configuration is not valid and both flags in a new phase 1 authentication set or phase 2 authentication set are set to True. </maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Authority</maml:name><maml:description><maml:para>Specifies, for certificate authentication, the strong name, or X.509 string, of the Certification Authority (CA) that has issued the client certificates.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Anonymous</maml:name><maml:description><maml:para>Specifies anonymous authentication. Anonymous authentication means that no authentication is performed and no identity is required. This provides end-to-end security between hosts, but does not provide any authentication or authorization of which users and computers can connect. This method can be used for both phase 1 and phase 2 authentication.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>User</maml:name><maml:description><maml:para>Specifies that the computer should authenticate as the user account, rather than the computer. 
This parameter is valid with NTLM, Kerberos, Cert, or Proxy. </maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Kerberos</maml:name><maml:description><maml:para>Specifies that Kerberos is used. This method authenticates the identity of user or computer accounts by using <maml:navigationLink><maml:linkText>Kerberos Protocol Extensions</maml:linkText><maml:uri></maml:uri></maml:navigationLink>.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Proxy</maml:name><maml:description><maml:para>Specifies the fully qualified domain name (FQDN) of the Kerberos proxy to use when authenticating from a remote network. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Machine</maml:name><maml:description><maml:para>Specifies that the computer principal should be authenticated rather than the user.</maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Kerberos</maml:name><maml:description><maml:para>Specifies that Kerberos is used. 
This method authenticates the identity of user or computer accounts by using <maml:navigationLink><maml:linkText>Kerberos Protocol Extensions</maml:linkText><maml:uri></maml:uri></maml:navigationLink>.</maml:para></maml:description></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Proxy</maml:name><maml:description><maml:para>Specifies the fully qualified domain name (FQDN) of the Kerberos proxy to use when authenticating from a remote network. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Machine</maml:name><maml:description><maml:para>Specifies that the computer principal should be authenticated rather than the user.</maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Ntlm</maml:name><maml:description><maml:para>Specifies that NTLM authentication is used.</maml:para></maml:description></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Machine</maml:name><maml:description><maml:para>Specifies that the computer principal should be authenticated rather than the user.</maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" 
aliases="PSK"><maml:name>PreSharedKey</maml:name><maml:description><maml:para>Specifies that the given pre-shared key is used for authentication. The use of a pre-shared key is strongly discouraged, and is provided for interoperability and for conformance to IPsec standards. The pre-shared key is stored in plain text. The use of a more secure authentication method is strongly recommended. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue></command:parameter></command:syntaxItem><command:syntaxItem><maml:name>New-NetIPsecAuthProposal</maml:name><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>User</maml:name><maml:description><maml:para>Specifies that the computer should authenticate as the user account, rather than the computer. This parameter is valid with NTLM, Kerberos, Cert, or Proxy. </maml:para></maml:description></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Ntlm</maml:name><maml:description><maml:para>Specifies that NTLM authentication is used.</maml:para></maml:description></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AccountMapping</maml:name><maml:description><maml:para>Specifies the enabled state for the IPsec certificate-to-account mapping. In certificate-to-account mapping, the Internet Key Exchange (IKE) and AuthIP protocols associate, or map, a user or computer certificate to a user or computer account in an Active Directory (AD) domain or forest, and then retrieve an access token, which includes the list of user security groups. 
This process ensures that the certificate offered by the IPsec peer corresponds to an active user or computer account in the domain, and that the certificate is one that should be used by that user or computer.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Anonymous</maml:name><maml:description><maml:para>Specifies anonymous authentication. Anonymous authentication means no authentication is performed. This method does not require identity to authenticate. It is equal to no authentication. This provides end-to-end security between hosts, but does not provide any authentication or authorization for which users and computers can connect. This method can be used for both phase 1 and phase 2 authentication.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Authority</maml:name><maml:description><maml:para>Specifies, for certificate authentication, the strong name, or X.509 string, of the Certification Authority (CA) that has issued the client certificates. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AuthorityType</maml:name><maml:description><maml:para>Specifies whether certificates issued by intermediate CAs should be accepted. This parameter is used for certificate authentication. The acceptable values for this parameter are: Root or Intermediate. The default value is Root. Note: This parameter is supported in Windows Server® 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateAuthorityType</command:parameterValue><dev:type><maml:name>CertificateAuthorityType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Cert</maml:name><maml:description><maml:para>Specifies that certificate authentication is used. The Authority and AuthorityType parameters specify the certificate authentication method.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ExcludeCAName</maml:name><maml:description><maml:para>Specifies that CA names are excluded. 
This can only be specified for phase 1 authentications.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named" aliases="EKUs"><maml:name>ExtendedKeyUsage</maml:name><maml:description><maml:para>Specifies a list of object identifiers (OIDs) to match against the extended key usage (EKU) field of a certificate. When a CA issues a certificate, the EKU specifies the intended purposes of the certificate. For instance, there are specific OIDs for client-server communications as well as secure email and code signing. An IPsec certificate can be selected or validated by EKU OID. There is a limit of 100 EKUs. This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="true">String[]</command:parameterValue><dev:type><maml:name>String[]</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>FollowRenewal</maml:name><maml:description><maml:para>Specifies that the proposal follows the certificate through automatic renewal. When the certificate is auto-renewed, the IPsec policy does not need to be updated. This parameter only works for authentication methods that define a thumbprint with the Thumbprint parameter. This parameter only works, and is appropriate, for certificate selection methods. The default value is False. Note: This parameter is supported in Windows Server 2012. 
</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Health</maml:name><maml:description><maml:para>Specifies that the certificate is a health certificate. For phase 2 authentications, if the authentication method is only valid for computer certificates.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Kerberos</maml:name><maml:description><maml:para>Specifies that Kerberos is used. 
This method authenticates the identity of user or computer accounts by using <maml:navigationLink><maml:linkText>Kerberos Protocol Extensions</maml:linkText><maml:uri></maml:uri></maml:navigationLink>.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>Machine</maml:name><maml:description><maml:para>Specifies that the computer principal should be authenticated rather than the user.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases=""><maml:name>Ntlm</maml:name><maml:description><maml:para>Specifies that NTLM authentication is used.</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="3" aliases="PSK"><maml:name>PreSharedKey</maml:name><maml:description><maml:para>Specifies that the given pre-shared key is used for authentication. The use of a pre-shared key is strongly discouraged, and is provided for interoperability and for conformance to IPsec standards. The pre-shared key is stored in plain text. The use of a more secure authentication method is strongly recommended. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Proxy</maml:name><maml:description><maml:para>Specifies the fully qualified domain name (FQDN) of the Kerberos proxy to use when authenticating from a remote network. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SelectionCriteria</maml:name><maml:description><maml:para>Specifies that the current certificate authentication proposal should be used to select the certificate to offer to remote peers. When using certificate criteria, exactly one proposal for selection and exactly one proposal for validation are needed. A single proposal can be used for both. If neither this parameter nor the ValidationCriteria parameter is specified, then the proposal is used for both. This parameter is supported in Windows Server 2012. The default value is False. Note: If both this parameter and the ValidationCriteria parameter are set to False, then the configuration is not valid and both flags in a new phase 1 authentication set or phase 2 authentication set are set to True. 
</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Signing</maml:name><maml:description><maml:para>Specifies the certificate signing algorithm to accept. The acceptable values for this parameter are: RSA, ECDSA256, or ECDSA384. The default value is RSA.</maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateSigningAlgorithm</command:parameterValue><dev:type><maml:name>CertificateSigningAlgorithm</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SubjectName</maml:name><maml:description><maml:para>Determines, if it is not null, how the certificate should be validated. A certification authority (CA) could put any string value into the Subject Name or Alternative Subject Name fields on a certificate, so there are no format requirements for this parameter. However, depending on the value of SubjectNameType, there are some general formats that are usually followed. Examine the certificates issued by the CA to find the exact formatting to use. If the SubjectNameType parameter is:</maml:para><maml:para>- None: The Subject Name field on a certificate must be null.</maml:para><maml:para>- DomainName: The Subject Name field on a certificate should generally take the format of an FQDN. The Alternative Subject Name field will be examined.</maml:para><maml:para>- UserPrincipalName: The Subject Name field on a certificate should generally take the format of a service principal name (SPN). The Alternative Subject Name field will be examined.</maml:para>
<maml:para>- EmailAddress: An email address, like username@contoso.com. The Alternative Subject Name field on a certificate will be examined.</maml:para><maml:para>- CN, OU, O, DC: The values from an X.509 strong name. These will be parsed from the Subject Name field on a certificate.</maml:para><maml:para>Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>SubjectNameType</maml:name><maml:description><maml:para>Determines how the SubjectName field should be interpreted. The acceptable values for this parameter are: None, DomainName, UserPrincipalName, EmailAddress, CN, OU, O, or DC. Note: This parameter is supported in Windows Server 2012. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">CertificateSubjectType</command:parameterValue><dev:type><maml:name>CertificateSubjectType</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Thumbprint</maml:name><maml:description><maml:para>Specifies the thumbprint hash to use for certificate criteria. This is primarily intended for server-to-server authentication in interoperability scenarios. This parameter cannot be combined with the FollowRenewal parameter. Note: This parameter is supported in Windows Server 2012. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">String</command:parameterValue><dev:type><maml:name>String</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="2" aliases=""><maml:name>User</maml:name><maml:description><maml:para>Specifies that the computer should authenticate as the user account, rather than the computer. This parameter is valid with NTLM, Kerberos, Cert, or Proxy. </maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ValidationCriteria</maml:name><maml:description><maml:para>For use with certificate criteria. Specifies that the current certificate authentication proposal should be used to validate the certificate given by the remote peer. When using certificate criteria, exactly one proposal for selection and exactly one proposal for validation are needed. A single proposal can be used for both. If neither this parameter nor the SelectionCriteria parameter is specified, then the proposal is used for both. This parameter is supported in Windows Server 2012. The default value is False. Note: If both this parameter and the SelectionCriteria parameter are set to False, then the configuration is not valid and both flags in a new phase 1 authentication set or phase 2 authentication set are set to True. 
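The following is an added example, not part of this help file, showing the split that the note above describes: one certificate proposal that carries SelectionCriteria and one that carries ValidationCriteria, combined into a single phase 1 authentication set. The CA strong name, the display names and the EKU OID are placeholder assumptions, not values from this page.

```powershell
# Added example (not Microsoft help content). The CA strong name, display names
# and EKU OID below are placeholders chosen for illustration.
$caName = "C=US,O=CONTOSO,CN='Contoso Issuing CA'"   # placeholder CA strong name
$clientAuthEku = '1.3.6.1.5.5.7.3.2'                  # Client Authentication EKU OID

# Proposal 1: used only to SELECT the local certificate offered to peers.
# FollowRenewal is not used here because no Thumbprint is specified.
$selectProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $caName -AuthorityType Intermediate `
    -SelectionCriteria -ExtendedKeyUsage $clientAuthEku

# Proposal 2: used only to VALIDATE the certificate presented by the peer.
# AccountMapping additionally requires the peer certificate to map to an active
# AD computer account; Signing restricts the accepted signature algorithm.
$validateProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $caName -AuthorityType Intermediate `
    -ValidationCriteria -ExtendedKeyUsage $clientAuthEku `
    -AccountMapping -Signing ECDSA256

# Exactly one selection proposal and one validation proposal go into the set.
$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName 'Contoso Computer Cert Auth' `
    -Proposal $selectProposal, $validateProposal

# Require authenticated inbound traffic; request (but do not require) it outbound.
New-NetIPsecRule -DisplayName 'Contoso Require Computer Cert' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $certAuthSet.Name
```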
</maml:para></maml:description><command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue><dev:type><maml:name>SwitchParameter</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para></maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.Management.Infrastructure.CimInstance#root\StandardCimv2\MSFT_NetIKEBasicAuthProposal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>EXAMPLE 1</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>
PS C:\>$cert1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MSFT,CN='Microsoft Root Authority'" -AuthorityType Root
PS C:\>$cert2Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "C=US,O=MYORG,CN='My Organizations Root Certificate'" -AuthorityType Root
PS C:\>$certAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Computer Certificate Auth Set" -Proposal $cert1Proposal,$cert2Proposal
PS C:\>New-NetIPSecRule -DisplayName "Authenticate with Certificates Rule" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $certAuthSet.Name
</dev:code><dev:remarks><maml:para>This example creates a rule that 
requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful. </maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>EXAMPLE 2</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code> PS C:\>$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos PS C:\>$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM PS C:\>$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop PS C:\>$ukerbauthprop = New-NetIPsecAuthProposal -User –Kerberos PS C:\>$unentlmauthprop = New-NetIPsecAuthProposal -User –NTLM PS C:\>$anonyauthprop = New-NetIPsecAuthProposal –Anonymous PS C:\>$p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" –Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop PS C:\>New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name </dev:code><dev:remarks><maml:para>This example creates a rule that requires a first, or computer, authentication and attempts an optional second, or user, authentication.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/?LinkId=287915</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>Get-NetIPsecMainModeSA</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-NetIPsecPhase1AuthSet</maml:linkText><maml:uri 
/></maml:navigationLink><maml:navigationLink><maml:linkText>New-NetIPsecPhase2AuthSet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-NetIPSecRule</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-NetIPsecMainModeCryptoProposal</command:name><maml:description><maml:para>Creates a main mode cryptographic proposal that specifies a suite of cryptographic protocols to offer in IPsec main mode negotiations with other computers.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>NetIPsecMainModeCryptoProposal</command:noun><dev:version /></command:details><maml:description><maml:para>The New-NetIPsecMainModeCryptoProposal cmdlet creates a single cryptographic proposal to be used in main mode negotiations.</maml:para><maml:para>A NetIPsecMainModeCryptoProposal object provides three of the four mandatory parameters for the negotiation of a main mode security association (SA): the encryption algorithm is provided in the Encryption parameter, the hashing algorithm in the Hash parameter, and the Diffie-Hellman (DH) key exchange group to be used for the base keying material in the KeyExchange parameter. The remaining parameter, the authentication method, such as Kerberos v5, certificate, or pre-shared key authentication, is given through NetIPsecPhase1AuthSet and NetIPsecPhase2AuthSet objects.</maml:para><maml:para>Multiple NetIPsecMainModeCryptoProposal objects are grouped into a single NetIPsecMainModeCryptoSet object. The main mode exchange will use the first proposal that the responder has in common with the sender. 
A NetIPsecPhase1AuthSet object and a NetIPsecMainModeCryptoSet object get associated to a NetIPsecMainModeRule object to provide all the necessary SA parameters for customized main mode negotiations.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-NetIPsecMainModeCryptoProposal</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Encryption</maml:name><maml:description><maml:para>Specifies the encryption algorithm to use for IPsec main mode security association negotiations. The block size of the encryption and hashing algorithms must be the same. The acceptable values for this parameter are: None, DES, DES3, AES128, AES192, AES256, AESGCM128, AESGCM192, or AESGCM256. None implies Null Encryption per the RFC standard. The default value is AES256. Note: Neither GCM, for encryption, nor GMAC, for hashing, are supported in main mode. These are quick mode only. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">EncryptionAlgorithm</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Hash</maml:name><maml:description><maml:para>Specifies the hashing function to use for IPsec main mode security association negotiations. The block size of the encryption and hashing algorithms should be the same. The acceptable values for this parameter are: None, MD5, SHA1, SHA256, SHA384, AESGMAC128, AESGMAC192, or AESGMAC256. The default value is SHA384. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">HashAlgorithm</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KeyExchange</maml:name><maml:description><maml:para>Specifies the Diffie-Hellman group to use for IPsec main mode security association negotiations. The acceptable values for this parameter are: None, DH1, DH2, DH14, DH19, DH20, or DH24. The default value is None. Note: SameAsMainMode is only valid for proposals added to quick mode cryptographic sets with PerfectForwardSecrecyGroup (PFS) specified using SameAsMainMode. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">DiffieHellmanGroup</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Encryption</maml:name><maml:description><maml:para>Specifies the encryption algorithm to use for IPsec main mode security association negotiations. The block size of the encryption and hashing algorithms must be the same. The acceptable values for this parameter are: None, DES, DES3, AES128, AES192, AES256, AESGCM128, AESGCM192, or AESGCM256. None implies Null Encryption per the RFC standard. The default value is AES256. Note: Neither GCM, for encryption, nor GMAC, for hashing, are supported in main mode. These are quick mode only. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">EncryptionAlgorithm</command:parameterValue><dev:type><maml:name>EncryptionAlgorithm</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Hash</maml:name><maml:description><maml:para>Specifies the hashing function to use for IPsec main mode security association negotiations. The block size of the encryption and hashing algorithms should be the same. The acceptable values for this parameter are: None, MD5, SHA1, SHA256, SHA384, AESGMAC128, AESGMAC192, or AESGMAC256. The default value is SHA384. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">HashAlgorithm</command:parameterValue><dev:type><maml:name>HashAlgorithm</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>KeyExchange</maml:name><maml:description><maml:para>Specifies the Diffie-Hellman group to use for IPsec main mode security association negotiations. The acceptable values for this parameter are: None, DH1, DH2, DH14, DH19, DH20, or DH24. The default value is None. Note: SameAsMainMode is only valid for proposals added to quick mode cryptographic sets with PerfectForwardSecrecyGroup (PFS) specified using SameAsMainMode. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">DiffieHellmanGroup</command:parameterValue><dev:type><maml:name>DiffieHellmanGroup</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para></maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.Management.Infrastructure.CimInstance#root\StandardCimv2\NetIPsecMainModeCryptoProposal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>EXAMPLE 1</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code> PS C:\>$proposal1 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1) PS C:\>$proposal2 = (New-NetIPsecMainModeCryptoProposal -Encryption AES192 -Hash MD5 -KeyExchange DH14) PS C:\>$proposal3 = (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH19) PS C:\>$mMCryptoSet= (New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode Crypto Set" -Proposal $proposal1,$proposal2,$proposal3) This cmdlet shows an alternative method of accomplishing the previous steps. 
PS C:\>$mMCryptoSet = New-NetIPsecMainModeCryptoSet -DisplayName "Main Mode Crypto Set" -Proposal (New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH1),(New-NetIPsecMainModeCryptoProposal -Encryption AES192 -Hash MD5 -KeyExchange DH14),(New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash MD5 -KeyExchange DH19) PS C:\>New-NetIPsecMainModeRule -DisplayName "Main Mode Rule" -MainModeCryptoSet $mMCryptoSet.Name </dev:code><dev:remarks><maml:para>This example creates a main mode rule linked to a cryptographic set that contains three cryptographic proposals.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/?LinkId=288041</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-NetIPsecMainModeRule</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-NetIPsecMainModeCryptoSet</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"><command:details><command:name>New-NetIPsecQuickModeCryptoProposal</command:name><maml:description><maml:para>Creates a quick mode cryptographic proposal that specifies a suite of cryptographic protocols to offer in IPsec quick mode negotiations with other computers.</maml:para></maml:description><maml:copyright><maml:para /></maml:copyright><command:verb>New</command:verb><command:noun>NetIPsecQuickModeCryptoProposal</command:noun><dev:version /></command:details><maml:description><maml:para>The New-NetIPsecQuickModeCryptoProposal cmdlet 
creates a single cryptographic proposal to be used in quick mode negotiations. </maml:para><maml:para>A NetIPsecQuickModeCryptoProposal object provides the necessary security parameters for the negotiation of a quick mode security association (SA). The IPsec protocol, either AH or ESP, is provided in the Encapsulation parameter, the hashing algorithm for data integrity and authentication in the AHHash and ESPHash parameters, and the algorithm for encryption, if requested, in the Encryption parameter.</maml:para><maml:para>Multiple NetIPsecQuickModeCryptoProposal objects are grouped into a single NetIPsecQuickModeCryptoSet object. The quick mode exchange will use the first proposal that the peers have in common. A NetIPsecPhase2AuthSet object and a NetIPsecMainModeCryptoSet object get associated to a NetIPsecRule object to provide all the necessary SA parameters for customized quick mode negotiations.</maml:para></maml:description><command:syntax><command:syntaxItem><maml:name>New-NetIPsecQuickModeCryptoProposal</maml:name><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AHHash</maml:name><maml:description><maml:para>Specifies the proposed hash algorithm for data integrity and authentication. The acceptable values for this parameter are: None, MD5, SHA1, SHA256, AESGMAC128, AESGMAC192, or AESGMAC256. The default value is None. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">HashAlgorithm</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Encapsulation</maml:name><maml:description><maml:para>Specifies the IPsec protocol method. The acceptable values for this parameter are: None, AH, AH,ESP, or ESP. 
AH (authentication header) and ESP (encapsulating security payload) can both be specified, or None can be specified. -- AH,ESP: Supported in all platforms. -- None: Supported in Windows Server® 2008 R2 and Windows Server® 2012. -- AH: Supported in Windows Server 2008 R2 and Windows Server 2012. The default value is None. Note: AH is not supported with the transport mode IKEv2 keying module. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">IPsecEncapsulation</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Encryption</maml:name><maml:description><maml:para>Specifies the encryption algorithm for a main or quick mode cryptographic proposal. The acceptable values for this parameter are: None, DES, DES3, AES128, AES192, AES256, AESGCM128, AESGCM192, or AESGCM256. Note: GCM encryption is not supported in phase 1 authentication for Windows Server 2008 R2 and Windows Server 2012. AESGCM128, AESGCM192, and AESGCM256 are not supported for IPsec main mode security association negotiations. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">EncryptionAlgorithm</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ESPHash</maml:name><maml:description><maml:para>Specifies the proposed hashing algorithm for data confidentiality and authentication. The acceptable values for this parameter are: None, MD5, SHA1, SHA256, AESGMAC128, AESGMAC192, or AESGMAC256. If the Encapsulation parameter is specified as AH, then the acceptable values for this parameter are: AESGMAC128, AESGMAC192, AESGMAC256, MD5, SHA1, or SHA256. 
If the Encapsulation parameter is specified as ESP or AH,ESP, then the acceptable values for this parameter are: AESGMAC128, AESGMAC192, AESGMAC256, MD5, SHA1, or SHA256. The default value is None. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">HashAlgorithm</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxKiloBytes</maml:name><maml:description><maml:para>Specifies the maximum lifetime, in kilobytes, that the IKE message sender proposes for a security association to be considered valid after it has been created. The acceptable values for this parameter are: 20480 through 2147483647. -- A non-zero value specifies the desired lifetime, in kilobytes. The default value is 100000. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxMinutes</maml:name><maml:description><maml:para>Specifies the number of minutes established for a quick mode security association before it expires and must be renegotiated. The acceptable values for this parameter are: 5 to 2879. -- A non-zero value specifies the desired minute lifetime. The default value is 60 (minutes). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue></command:parameter></command:syntaxItem></command:syntax><command:parameters><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>AHHash</maml:name><maml:description><maml:para>Specifies the proposed hash algorithm for data integrity and authentication. 
The acceptable values for this parameter are: None, MD5, SHA1, SHA256, AESGMAC128, AESGMAC192, or AESGMAC256. The default value is None. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">HashAlgorithm</command:parameterValue><dev:type><maml:name>HashAlgorithm</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Encapsulation</maml:name><maml:description><maml:para>Specifies the IPsec protocol method. The acceptable values for this parameter are: None, AH, AH,ESP, or ESP. AH (authentication header) and ESP (encapsulating security payload) can both be specified, or None can be specified. -- AH,ESP: Supported in all platforms. -- None: Supported in Windows Server® 2008 R2 and Windows Server® 2012. -- AH: Supported in Windows Server 2008 R2 and Windows Server 2012. The default value is None. Note: AH is not supported with the transport mode IKEv2 keying module. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">IPsecEncapsulation</command:parameterValue><dev:type><maml:name>IPsecEncapsulation</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>Encryption</maml:name><maml:description><maml:para>Specifies the encryption algorithm for a main or quick mode cryptographic proposal. The acceptable values for this parameter are: None, DES, DES3, AES128, AES192, AES256, AESGCM128, AESGCM192, or AESGCM256. Note: GCM encryption is not supported in phase 1 authentication for Windows Server 2008 R2 and Windows Server 2012. AESGCM128, AESGCM192, and AESGCM256 are not supported for IPsec main mode security association negotiations. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">EncryptionAlgorithm</command:parameterValue><dev:type><maml:name>EncryptionAlgorithm</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>ESPHash</maml:name><maml:description><maml:para>Specifies the proposed hashing algorithm for data confidentiality and authentication. The acceptable values for this parameter are: None, MD5, SHA1, SHA256, AESGMAC128, AESGMAC192, or AESGMAC256. If the Encapsulation parameter is specified as AH, then the acceptable values for this parameter are: AESGMAC128, AESGMAC192, AESGMAC256, MD5, SHA1, or SHA256. If the Encapsulation parameter is specified as ESP or AH,ESP, then the acceptable values for this parameter are: AESGMAC128, AESGMAC192, AESGMAC256, MD5, SHA1, or SHA256. The default value is None. </maml:para></maml:description><command:parameterValue required="true" variableLength="false">HashAlgorithm</command:parameterValue><dev:type><maml:name>HashAlgorithm</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxKiloBytes</maml:name><maml:description><maml:para>Specifies the maximum lifetime, in kilobytes, that the IKE message sender proposes for a security association to be considered valid after it has been created. The acceptable values for this parameter are: 20480 through 2147483647. -- A non-zero value specifies the desired lifetime, in kilobytes. The default value is 100000. 
</maml:para></maml:description><command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue><dev:type><maml:name>UInt64</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter><command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""><maml:name>MaxMinutes</maml:name><maml:description><maml:para>Specifies the number of minutes established for a quick mode security association before it expires and must be renegotiated. The acceptable values for this parameter are: 5 to 2879. -- A non-zero value specifies the desired minute lifetime. The default value is 60 (minutes). </maml:para></maml:description><command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue><dev:type><maml:name>UInt64</maml:name><maml:uri /></dev:type><dev:defaultValue></dev:defaultValue></command:parameter></command:parameters><command:inputTypes><command:inputType><dev:type><maml:name>None</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para></maml:para></maml:description></command:inputType></command:inputTypes><command:returnValues><command:returnValue><dev:type><maml:name>Microsoft.Management.Infrastructure.CimInstance#root\StandardCimv2\MSFT_NetIKEQMCryptoProposal</maml:name><maml:uri></maml:uri><maml:description><maml:para /></maml:description></dev:type><maml:description><maml:para>The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. 
The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.</maml:para></maml:description></command:returnValue></command:returnValues><command:terminatingErrors /><command:nonTerminatingErrors /><command:examples><command:example><maml:title>EXAMPLE 1</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code> PS C:\>$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption AES128 PS C:\>$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha1-des3" -Proposal $QMProposal PS C:\>New-NetIPSecRule -DisplayName "Tunnel from HQ to Dallas Branch" -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name </dev:code><dev:remarks><maml:para>This example creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local computer (1.1.1.1) attached to a public network to a second computer through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is integrity checked using ESP and SHA1, and encrypted using ESP and AES128.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example><command:example><maml:title>EXAMPLE 2</maml:title><maml:introduction><maml:para></maml:para></maml:introduction><dev:code>This cmdlet illustrates how to include both AH and ESP protocols in a single suite. PS C:\>$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP -AHHash SHA1 -ESPHash SHA1 -Encryption DES3 This cmdlet illustrates how to specify the use of the AH protocol only. 
PS C:\>$AHQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA1 -ESPHash None -Encryption None This cmdlet illustrates how to specify the use of the ESP protocol only, and uses the None keyword to specify not to include an encryption option, also known as "ESP null encryption". PS C:\>$ESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption None This cmdlet illustrates how to use the None keyword to specify that ESP is used with an encryption protocol, but with no integrity protocol. This cmdlet also illustrates how to set a custom SA timeout using both time and data amount values. PS C:\>$ESPnoAHQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash None -Encryption AES256 -MaxKiloBytes 50000 -MaxMinutes 30 PS C:\>$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "Custom Quick Mode" -Proposal $AHandESPQM,$AHQM,$ESPQM,$ESPnoAHQM PS C:\>New-NetIPsecRule -DisplayName "Domain Isolation Rule" -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name </dev:code><dev:remarks><maml:para>This example creates a domain isolation rule, but uses a custom quick mode proposal that includes multiple quick mode suites, separated by commas.</maml:para></dev:remarks><command:commandLines><command:commandLine><command:commandText /></command:commandLine></command:commandLines></command:example></command:examples><maml:relatedLinks><maml:navigationLink><maml:linkText>Online Version:</maml:linkText><maml:uri>http://go.microsoft.com/fwlink/?LinkId=288119</maml:uri></maml:navigationLink><maml:navigationLink><maml:linkText>New-NetIPsecMainModeCryptoSet</maml:linkText><maml:uri /></maml:navigationLink><maml:navigationLink><maml:linkText>New-NetIPsecRule</maml:linkText><maml:uri /></maml:navigationLink></maml:relatedLinks></command:command> </helpItems>
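An added example, not part of this help file, that pairs the main mode and quick mode proposal descriptions above: it builds a crypto set from the stronger documented parameter values (the help file's own main mode example offers DES3/MD5/DH1) and then audits every existing set for proposals that still offer DES, DES3, MD5, SHA1, DH1 or DH2, or encryption with no integrity check. It assumes the NetSecurity module's Get-NetIPsecMainModeCryptoSet and Get-NetIPsecQuickModeCryptoSet cmdlets and the Encryption, Hash, KeyExchange, Encapsulation, AHHash and ESPHash properties on the proposal objects they return; the display names are constructed.

```powershell
# Added example, not from the original help file.
# Assumes the NetSecurity module's Get-NetIPsecMainModeCryptoSet and
# Get-NetIPsecQuickModeCryptoSet cmdlets and the Encryption/Hash/KeyExchange
# (main mode) and Encapsulation/AHHash/ESPHash/Encryption (quick mode)
# properties on the proposal objects they return. Display names are constructed.

# --- Hardened main mode set (AES256 + SHA384 + ECDH group, DH14 as fallback) ---
# The help file documents None, DH1, DH2, DH14, DH19, DH20 and DH24 for KeyExchange;
# DH1/DH2 and MD5 are deliberately left out of the offered proposals.
$mmStrong   = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA384 -KeyExchange DH19
$mmFallback = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "Hardened Main Mode Set" -Proposal $mmStrong,$mmFallback

# --- Hardened quick mode set (ESP only, AES + SHA256, short SA lifetimes) ---
# ESP only, because the help file notes that AH is not supported with the
# transport mode IKEv2 keying module. Lifetimes mirror the documented ranges.
$qmStrong   = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256 -MaxMinutes 30 -MaxKiloBytes 50000
$qmFallback = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES128 -MaxMinutes 30 -MaxKiloBytes 50000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "Hardened Quick Mode Set" -Proposal $qmStrong,$qmFallback

# --- Audit: find proposals that still offer legacy algorithms ---
# Returns one object per weak proposal with the set name, the mode and the reasons.
function Find-WeakIPsecProposal {
    $weakEncryption = @('DES', 'DES3')
    $weakHash       = @('MD5', 'SHA1')
    $weakKeyEx      = @('DH1', 'DH2')
    $findings = @()

    foreach ($set in Get-NetIPsecMainModeCryptoSet) {
        foreach ($p in $set.Proposal) {
            # Interpolate to a string so enum and raw CIM values compare the same way.
            $enc = "$($p.Encryption)"; $hash = "$($p.Hash)"; $dh = "$($p.KeyExchange)"
            $reasons = @()
            if ($enc  -in $weakEncryption) { $reasons += "Encryption=$enc" }
            if ($hash -in $weakHash)       { $reasons += "Hash=$hash" }
            if ($dh   -in $weakKeyEx)      { $reasons += "KeyExchange=$dh" }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Mode = 'MainMode'; Set = $set.DisplayName; Reasons = ($reasons -join ', ')
                }
            }
        }
    }

    foreach ($set in Get-NetIPsecQuickModeCryptoSet) {
        foreach ($p in $set.Proposal) {
            $enc = "$($p.Encryption)"; $ah = "$($p.AHHash)"; $esp = "$($p.ESPHash)"
            $reasons = @()
            if ($enc -in $weakEncryption) { $reasons += "Encryption=$enc" }
            if ($ah  -in $weakHash)       { $reasons += "AHHash=$ah" }
            if ($esp -in $weakHash)       { $reasons += "ESPHash=$esp" }
            # Encryption with no integrity algorithm at all, as in the help file's
            # "-ESPHash None -Encryption AES256" example. AES-GCM is the exception,
            # since it authenticates the payload itself.
            if ($ah -eq 'None' -and $esp -eq 'None' -and $enc -notlike 'AESGCM*') {
                $reasons += 'NoIntegrity'
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Mode = 'QuickMode'; Set = $set.DisplayName; Reasons = ($reasons -join ', ')
                }
            }
        }
    }
    return $findings
}

# Usage: list weak proposals, most useful after importing policy from Group Policy.
Find-WeakIPsecProposal | Format-Table -AutoSize
```

Run the audit before attaching the new sets to rules with New-NetIPsecMainModeRule and New-NetIPsecRule, so the weak proposals that the page's own examples create are visible and can be removed rather than merely outranked by the first-match negotiation.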