Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Error message when you try to import a Windows Firewall with Advanced Security firewall policy that was exported from Windows 7 or from Windows Server 2008 R2 to Windows Vista or to Windows Server 2008


Symptoms

On a computer that is running Windows 7 or Windows Server 2008 R2, you export a Windows Firewall with Advanced Security firewall policy. On a computer that is running Windows Vista or Windows Server 2008, you try to import the firewall policy by using Windows Firewall with Advanced Security. However, you receive the following error message:
Policy import failed

Error Code: 87

Error message: The parameter is incorrect.

If you try to remotely import the firewall policy to a computer that is running Windows Vista or Windows Server 2008, you receive the following error message:

Policy import failed

Error Code: 1745

Error message: The procedure number is out of range.



Cause

This problem occurs because Windows Vista and Windows Server 2008 cannot correctly interpret the following security policy settings that are introduced for Windows 7 or for Windows Server 2008 R2:
  • Global IPSec DHCP exemption
  • Main mode rules



Workaround

To work around this problem, before you export the firewall policy, exclude DHCP from the list of IPSec global default exemptions on the computer that is running Windows 7 or Windows Server 2008 R2. To do this, follow these steps:
Note This workaround is illustrated by using the netsh advfirewall command line. This workaround cannot be performed through the Windows Firewall with Advanced Security MMC snap-in.
  1. Start an elevated command prompt, and then start the netsh advfirewall command-line tool. To do this, follow these steps:
    1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2. Type the following command, and then press ENTER:
      netsh
    3. Type the following command, and then press ENTER:
      advfirewall
  2. Use the set store command to set the policy store to match the store from which the firewall policy export occurs, such as local, local Group Policy object, or domain Group Policy object. The following example shows how to set the store to point to the local policy store from the netsh advfirewall prompt:
    set store local
    For more information about how to target other Group Policy objects, visit the following Microsoft Web site:
  3. Save a backup copy of the firewall policy. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    export "c:\backup.wfw"
  4. View the existing Global default exemptions. To do this, follow these steps:
    1. Type the following command at the netsh advfirewall prompt, and then press ENTER:
      show global IPSec
    2. Note the DefaultExemptions line of the results. The following is an example of the results.
      StrongCRLCheck                        0:Disabled
      SAIdleTimeMin                         5min
      DefaultExemptions                     NeighborDiscovery,DHCP
      IPsecThroughNAT                       Never
      AuthzUserGrp                          None
      AuthzComputerGrp                      None
      Ok.
  5. Reset the default global exemptions to exclude DHCP. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    set global IPSec defaultexemptions <DefaultExemptions excluding DHCP>
    In this example, type the following command:
    set global IPSec defaultexemptions NeighborDiscovery
  6. Delete any existing main mode rules. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    mainmode delete rule name=all
  7. Re-export the firewall policy. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    export "c:\newpolicy.wfw"
  8. Restore the firewall policy by importing the backup copy of the firewall policy file that you created in step 3. To do this, type the following command at the netsh advfirewall prompt, and then press ENTER:
    import "c:\backup.wfw"
  9. Copy the newpolicy.wfw file that you created in step 8 to the computer that is running Windows Vista or Windows Server 2008, and then import the firewall policy file.
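
The following PowerShell script is an added example, not part of the Microsoft article. It runs steps 3 through 8 in one pass, derives the DHCP-free exemption list from the show global IPSec output, and restores the backup in a finally block so the computer does not stay on the modified policy if a step fails. It assumes the local policy store, English netsh output, and the file names used above; Invoke-AdvFirewall is a hypothetical helper name.

```powershell
# Added example. Run elevated on the Windows 7 / Windows Server 2008 R2 computer.
# Assumes the local policy store and English netsh output.
$Backup = 'c:\backup.wfw'      # file name from step 3
$Export = 'c:\newpolicy.wfw'   # file name from step 7

function Invoke-AdvFirewall {
    # Hypothetical helper: run one "netsh advfirewall" command, throw on failure.
    $out = & netsh advfirewall @args
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $args failed: $out" }
    $out
}

# Do not clobber an earlier backup or export.
foreach ($f in $Backup, $Export) {
    if (Test-Path $f) { throw "$f already exists; move it first." }
}

Invoke-AdvFirewall export $Backup | Out-Null              # step 3
try {
    # Step 4: read the current DefaultExemptions value.
    $current = $null
    foreach ($line in (Invoke-AdvFirewall show global ipsec)) {
        if ($line -match '^\s*DefaultExemptions\s+(\S+)') { $current = $Matches[1] }
    }
    if (-not $current) { throw 'DefaultExemptions line not found.' }

    # Step 5: keep every exemption except DHCP; "none" if nothing is left.
    $kept = @($current -split ',' | Where-Object { $_ -and $_ -ne 'DHCP' })
    $new  = if ($kept.Count) { $kept -join ',' } else { 'none' }
    Invoke-AdvFirewall set global ipsec defaultexemptions $new | Out-Null

    # Step 6: a non-zero exit code when no main mode rules exist is not an
    # error here (assumption), so the exit code is deliberately ignored.
    & netsh advfirewall mainmode delete rule name=all | Out-Null

    Invoke-AdvFirewall export $Export | Out-Null          # step 7
}
finally {
    # Step 8: always put the original policy back, even if a step above failed.
    & netsh advfirewall import $Backup
    if ($LASTEXITCODE -ne 0) { Write-Warning "Restore failed; import $Backup manually." }
}
```

After the script finishes, run show global IPSec again and confirm that the DefaultExemptions line matches the value noted in step 4 before you copy newpolicy.wfw to the other computer.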



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



Keywords: kbexpertiseinter, kbtshoot, kbsurveynew, kbprb, kb


Article Info
Article ID : 974576
Revision : 3
Created on : 4/21/2018
Published on : 4/21/2018