Error message when you try to import a Windows Firewall with Advanced Security firewall policy that was exported from Windows 7 or from Windows Server 2008 R2 to Windows Vista or to Windows Server 2008

Article ID: 974576

SYMPTOMS

On a computer that is running Windows 7 or Windows Server 2008 R2, you export a Windows Firewall with Advanced Security firewall policy. On a computer that is running Windows Vista or Windows Server 2008, you try to import the firewall policy by using Windows Firewall with Advanced Security. However, you receive the following error message:
Policy import failed
Error Code: 87
Error message: The parameter is incorrect.
If you try to remotely import the firewall policy to a computer that is running Windows Vista or Windows Server 2008, you receive the following error message:
Policy import failed
Error Code: 1745
Error message: The procedure number is out of range.

CAUSE

This problem occurs because Windows Vista and Windows Server 2008 cannot correctly interpret the following security policy settings that are introduced for Windows 7 or for Windows Server 2008 R2:
  • Global IPSec DHCP exemption
  • Main mode rules

WORKAROUND

To work around this problem, before you export the firewall policy, exclude DHCP from the list of IPSec global default exemptions on the computer that is running Windows 7 or Windows Server 2008 R2. To do this, follow these steps:
Note This workaround is illustrated by using the netsh advfirewall command line. This workaround cannot be performed through the Windows Firewall with Advanced Security MMC snap-in.
  1. Start an elevated command prompt, and then start the netsh advfirewall command-line tool. To do this, follow these steps:
    1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2. Type the following command, and then press ENTER:
      netsh
    3. Type the following command, and then press ENTER:
      advfirewall
  2. Use the set store command to set the policy store to match the store from which the firewall policy export occurs, such as local, local Group Policy object, or domain Group Policy object. The following example shows how to set the store to point to the local policy store from the netsh advfirewall prompt:
    set store local
    For more information about how to target other Group Policy objects, visit the following Microsoft Web site:
    http://technet.microsoft.com/en-us/library/cc771920(WS.10).aspx#BKMK_set_3
  3. Save a backup copy of the firewall policy. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    export "c:\backup.wfw"
  4. View the existing Global default exemptions. To do this, follow these steps:
    1. Type the following command at the netsh advfirewall prompt, and then press ENTER:
      show global IPSec
    2. Note the DefaultExemptions line of the results. The following is an example of the results.
      StrongCRLCheck                        0:Disabled
      SAIdleTimeMin                         5min
      DefaultExemptions                     NeighborDiscovery,DHCP
      IPsecThroughNAT                       Never
      AuthzUserGrp                          None
      AuthzComputerGrp                      None
      Ok.
      
  5. Reset the default global exemptions to exclude DHCP. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    set global IPSec defaultexemptions <DefaultExemptions excluding DHCP>
    In this example, type the following command:
    set global IPSec defaultexemptions NeighborDiscovery
  6. Delete any existing main mode rules. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    mainmode delete rule name=all
  7. Re-export the firewall policy. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    export "c:\newpolicy.wfw"
  8. Restore the firewall policy by importing the backup copy of the firewall policy file that you created in step 3. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    import "c:\backup.wfw"
  9. Copy the newpolicy.wfw file that you created in step 7 to the computer that is running Windows Vista or Windows Server 2008, and then import the firewall policy file.
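
Steps 3 through 8 as one PowerShell script, added here as an example and not part of the original article. It restores the backup in a finally block so the source computer gets its DHCP exemption and main mode rules back even if the re-export fails. It assumes the local policy store (the netsh default), English netsh output, and an elevated session; the helper name Invoke-AdvFirewall is hypothetical.

```powershell
# Added example (not Microsoft's code). Run elevated on the Windows 7 /
# Windows Server 2008 R2 computer. File paths are the ones used in the article.
$backup    = 'c:\backup.wfw'
$newPolicy = 'c:\newpolicy.wfw'

function Invoke-AdvFirewall {
    # Hypothetical helper: runs one "netsh advfirewall ..." command and
    # throws if netsh returns a non-zero exit code.
    $output = & netsh advfirewall $args 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $args failed: $output" }
    $output
}

# Step 3: back up the current policy before changing anything.
Invoke-AdvFirewall export $backup | Out-Null

# Step 4: read the DefaultExemptions line (assumes English netsh output).
$text = (Invoke-AdvFirewall show global ipsec) -join "`n"
if ($text -notmatch '(?m)^[ \t]*DefaultExemptions[ \t]+(\S+)') {
    throw 'DefaultExemptions line not found in "show global ipsec" output.'
}

# Keep every exemption except DHCP; if DHCP was the only one, use "none".
$kept  = @($Matches[1] -split ',' | Where-Object { $_ -and $_ -ne 'DHCP' })
$value = if ($kept.Count) { $kept -join ',' } else { 'none' }

try {
    # Step 5: set the exemptions without DHCP.
    Invoke-AdvFirewall set global ipsec defaultexemptions $value | Out-Null

    # Step 6: delete main mode rules. Called directly because netsh may
    # report that no rules matched, which is not a failure for this purpose.
    & netsh advfirewall mainmode delete rule name=all

    # Step 7: export the policy that the older systems can import.
    Invoke-AdvFirewall export $newPolicy | Out-Null
}
finally {
    # Step 8: always put the original policy back on this computer.
    Invoke-AdvFirewall import $backup | Out-Null
}
```

After the script finishes, run show global IPSec again and confirm that the DefaultExemptions line matches the value noted before the change.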

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 974576 - Last Review: August 21, 2009 - Revision: 1.0
APPLIES TO
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate
Keywords: 
kbexpertiseinter kbtshoot kbsurveynew kbprb KB974576
