25

This should be a really simple one:

In Advanced Windows Firewall on Windows Server 2008+, Properties > Advanced, what does "Edge Traversal" mean?

I Googled it, of course, and was unable to come up with a concrete answer, and I was especially shocked to see the following on Thomas Shinder's blog:

The Edge traversal option is an interesting one, because it’s not documented very well. Here’s what the Help file says:

“Edge traversal This indicates whether edge traversal is enabled (Yes) or disabled (No). When edge traversal is enabled, the application, service, or port to which the rule applies is globally addressable and accessible from outside a network address translation (NAT) or edge device.”

What do you think this might mean? We can make services available across a NAT device by using port forwarding on the NAT device in front of the server. Could this have something to do with IPsec? Could it have something to do with NAT-T? Could it be that the Help file writer for this feature didn’t know either, and made something up that represented a tautology?

I don’t know what this does, but if I find out, I’ll make sure to include this information in my blog.

I appreciate his honesty, but if this guy doesn't know, who does?!

We're having difficulty connecting to a VPN as soon as the machine is on the other side of a router, and I was wondering if this might help? So I'm pretty keen to hear a proper description of what "Edge Traversal" does!

Django Reinhardt
  • Get this...not allowing edge traversal on my dhcp rule broke dhcp. Seems that microsoft may be trying to classify dhcp frames from dhcp helper gear as encapsulated. Quite a stretch. –  Aug 03 '11 at 19:54

4 Answers

15

It looks like this Microsoft patent filing from earlier this year might tell you what you want to know.

From what I can gather, this flag allows firewall rules to apply to traffic that has been encapsulated by, for example, an IPv6 to IPv4 tunnel originating outside the border of the network. As patents often are, this one is written in such a generic manner as to apply to any different type of tunneling protocol, from what I can tell.

The payload of this encapsulated traffic would be opaque to any firewall at the network on the other end of the tunnel. Presumably, these encapsulated packets would be passed through unfiltered to the internal host where the other end of the tunnel terminated. That host would receive the traffic, pass it through its own firewall, decapsulate the traffic (if allowed by its own firewall), and pass the decapsulated packets back through its firewall. When the packet travels thru the firewall the second time (after decapsulation), it has a "this packet traversed the network edge" bit set such that only rules with the "edge traversal" bit also set will apply to the packet.

Figure 4 of that patent application appears to describe the process graphically, and the "Detailed Descriptions" section beginning on page 7 describes the process in painfully specific detail.

This basically permits a host-based firewall to have different rules for traffic that came in via a tunnel thru the local network's firewall, as opposed to traffic that was just sent unencapsulated by a tunnel directly through the local network's firewall.

I wonder if the iptables "mark" functionality would be prior art to this patent? It certainly seems like it does a very similar thing, albeit in an even more generic fashion (since you can write user-land code to "mark" packets for virtually any reason if you want to).

Evan Anderson
  • So "enabling" Edge Traversal would allow those packets sent unencapsulated through the firewall? If so, I'm amazed that it's set to Deny by default... surely most packets are sent that way? (Or am I totally wrong in my understanding here?) – Django Reinhardt Dec 01 '09 at 20:35
  • 6
    @Django: Edge traversal isn't about denying / accepting packets. A packet that arrived via a tunnel terminating on the host would be considered as having arrived via edge traversal by that host. When that packet is decapsulated from its tunneling protocol the decapsulated packet will be run thru the firewall rules and the packet will only be checked against the rules that have their edge traversal bit set. – Evan Anderson Dec 02 '09 at 16:39
  • I interpret that as: if a rule is applied to a decapsulated packet, and that rule has the edge traversal bit set to allow, then the decapsulated packet is allowed; if the edge traversal bit is set to block, then the decapsulated packet is blocked. Something weird might happen if there are 2 rules, each of which can match against the decapsulated packet, but they differ on allowing decapsulated packets. Figure 3 on the patent is what made the most sense! – CMCDragonkai Feb 03 '17 at 05:41
4

An older post, but still worth adding to. It seems that in Windows Server 2012, this item simply means "allow packets from other subnets". At least that is the behavior I have observed. We have two offices connected with an IPSec VPN. The VPN connects the two routers, so as far as the Windows computers are concerned, it's simply traffic between two different private subnets. With the setting "Block Edge Traversal" Windows will not allow connections from the other subnet.

  • 2
    This is not my experience in hands-on testing of this setting, and in fact there are articles that dispute this interpretation. http://blog.boson.com/bid/95501/MS-Windows-Tips-and-Tricks-2-8-2-Windows-Firewall-Part-2 – Cameron Oct 14 '16 at 20:55
3

Edge traversal occurs whenever you have a tunnel interface that goes to a less secure network, which is tunneled over another interface that is attached to a more secure network. This means that the host is bypassing (tunneling over) one of the security boundaries set up by the local network administrator. For example, with any tunnel to the Internet over a physical interface attached to the corporate network, you have “edge traversal”.

In Windows 7, Microsoft’s built-in NAT traversal technology, Teredo, can be configured to work through the firewall using rules that make use of Edge Traversal. In principle, 3rd party NAT traversing tunneling technologies could do so as well.

  • 2
    Note that if the tunnel terminates on an external device instead of the Windows host, the Windows firewall may not see an edge traversal. In our case with Cisco SSL VPN and a path like client--Internet--VPN Device--corporate net--Windows host, a "Block edge traversal" setting does NOT block TCP traffic that's otherwise allowed. – Paul Jul 09 '12 at 15:00
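The two answers above (Evan Anderson's description of rules that only match decapsulated, tunnel-delivered packets, and the Teredo example) can be checked directly on a host. The following is an added example, not code from the thread or from Microsoft's documentation: it audits which enabled inbound rules currently permit edge traversal (on a default install that is typically the Teredo rules the answer above mentions) and shows how to set the policy explicitly on a rule. It uses the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) and the `netsh advfirewall` equivalents for Server 2008 / 2008 R2, where the cmdlets do not exist. The rule name and port 8443 are constructed placeholders; run it in an elevated session.

```powershell
# Added example (not from the original thread): audit and set the
# Edge Traversal policy on Windows Firewall rules.
# Requires the NetSecurity module (Windows 8 / Server 2012+) and elevation.

# 1. Audit: list enabled inbound rules whose Edge Traversal setting is anything
#    other than Block. These are the rules that can match traffic that arrived
#    via a tunnel terminated on this host and was decapsulated locally.
#    Valid EdgeTraversalPolicy values: Block, Allow, DeferToUser, DeferToApp.
function Get-EdgeTraversalRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.EdgeTraversalPolicy -ne 'Block' } |
        Select-Object DisplayName, Profile, Action, EdgeTraversalPolicy
}

Get-EdgeTraversalRule | Format-Table -AutoSize

# 2. Create an inbound rule for an internal service with Edge Traversal
#    explicitly set to Block: it allows direct connections from the local
#    subnet but will not match decapsulated (tunnelled) packets.
#    'Example - Internal service (TCP-In)' and port 8443 are placeholders.
$ruleName = 'Example - Internal service (TCP-In)'
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -RemoteAddress LocalSubnet -Action Allow `
    -EdgeTraversalPolicy Block | Out-Null

# 3. If the service genuinely has to be reachable through a tunnel that
#    terminates on this host (the Teredo case above), change only that rule,
#    rather than relaxing the setting across the board.
Set-NetFirewallRule -DisplayName $ruleName -EdgeTraversalPolicy Allow

# 4. Confirm the effective setting on the rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Action, EdgeTraversalPolicy

# 5. Remove the placeholder rule again.
Remove-NetFirewallRule -DisplayName $ruleName

# netsh equivalents for Server 2008 / 2008 R2 (no NetSecurity cmdlets).
# "edge=" accepts yes | no | deferapp | deferuser; the verbose listing
# prints an "Edge traversal:" line for every rule.
netsh advfirewall firewall add rule name="Example - Internal service (TCP-In)" `
    dir=in action=allow protocol=TCP localport=8443 remoteip=localsubnet edge=no
netsh advfirewall firewall show rule name="Example - Internal service (TCP-In)" verbose
netsh advfirewall firewall set rule name="Example - Internal service (TCP-In)" new edge=yes
netsh advfirewall firewall delete rule name="Example - Internal service (TCP-In)"
```

The audit function is the useful part for the situations described in the thread: it lists exactly which rules would apply to packets carrying the "traversed the network edge" bit, so a connectivity problem like the DHCP relay case in the question's comments can be narrowed to a specific rule before any policy is changed.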
1

The Edge Traversal option controls whether unsolicited traffic from Teredo (and maybe other tunneling software) is allowed. The documentation for IPV6_PROTECTION_LEVEL socket option explains this: https://docs.microsoft.com/en-us/windows/win32/winsock/ipv6-protection-level

abcd