Firewall: Deny All - Allow Only Whitelisted?

  • Question

  • We have a new DA 2012 R2 server deployed and it's working well. However, I'd like to deny all access to our internal network and only allow traffic to whitelisted servers. This seems pretty straightforward with the combination of GPO and the firewall block list. I've tested it and it seems to apply the policy almost immediately on the client and deny the traffic.

    If I want to block all, is allowing (whitelisting) IPv4/IPv6 to the DA server and to our AD servers adequate to allow a user to continue to connect via DA and log into their workstation via their AD account?

    Also, although we cannot alter our base network infrastructure at this point, is there perhaps another way I can accomplish this using DA?

    Friday, April 24, 2015 2:58 AM

Answers

  • Hello Matt,

    You can configure DirectAccess ONLY to manage remote clients - meaning users will not be able to connect to ANY internal resources apart from DC/SCCM/AV servers, or only the servers you specify.

    Here is the article to configure this. -> https://technet.microsoft.com/en-us/library/jj574200.aspx

    Once you are done configuring as per the above article, you can add the servers one by one (the ones you want to whitelist) to the so-called "Management Servers" list in the DA wizard.

    So traffic to all other destinations will be blocked, apart from the list you specify.

    Please let me know, how it goes.

    • Proposed as answer by Vasu Deva Friday, April 24, 2015 1:11 PM
    • Marked as answer by Matt336 Friday, April 24, 2015 2:11 PM
    Friday, April 24, 2015 1:11 PM
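The same procedure the answer describes (switch DirectAccess to remote-management-only mode, then whitelist the management servers), done with the RemoteAccess PowerShell module instead of the wizard. This is an added example, not code from the thread or from the linked TechNet article; the server names are placeholders and the domain is assumed, so replace them with your own.

```powershell
# Added example (not from the thread): put DirectAccess into "remote management only"
# mode and whitelist the servers DA clients may still reach.
# Run in an elevated PowerShell on the DirectAccess server (Windows Server 2012 R2,
# RemoteAccess module). Host names below are placeholders, not from the thread.
Import-Module RemoteAccess

# 1. Switch the deployment from "full intranet access" (FullInstall) to
#    remote-management-only (ManageOut). In this mode the DA tunnel only carries
#    traffic to domain controllers and the management servers listed in step 2,
#    which gives the deny-all-except-whitelist behaviour the question asked for.
Set-DAServer -DAInstallType ManageOut

# 2. Whitelist the management servers (SCCM, AV, etc.). Domain controllers are
#    detected automatically and do not need to be listed here.
$whitelist = @(
    'sccm01.corp.example.com',   # placeholder: SCCM site server
    'av01.corp.example.com'      # placeholder: AV management server
)
Add-DAMgmtServer -MgmtServer $whitelist

# To take a server off the whitelist later:
# Remove-DAMgmtServer -MgmtServer 'av01.corp.example.com'

# 3. Verify the server-side configuration before testing from a client.
Get-DAServer | Select-Object DAInstallType   # expect ManageOut
Get-DAMgmtServer                              # lists DCs plus the servers added above
```

The cmdlets write the change into the DirectAccess client GPO, so on a test client run `gpupdate /force`, then `Get-DAConnectionStatus` (NetworkConnectivityStatus module on Windows 8 and later) to confirm the client still reports a DA connection, and check that the client can reach a whitelisted host but not an arbitrary internal address. Test with one client first: in ManageOut mode anything not on the list, including file shares and intranet web apps, becomes unreachable over DA for every client that picks up the policy.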

All replies

  • Hello Vasu,

    That worked perfectly and is so much easier to manage. Thank you!

    Friday, April 24, 2015 2:11 PM
  • Good to hear that Matt :)
    Monday, April 27, 2015 8:47 AM
  • Hi Vasu,

    Please help here,

    https://social.technet.microsoft.com/Forums/windows/en-US/7b67a9b7-50c6-416a-8bcd-19aedc99fbdc/how-to-allow-only-specific-ip-and-deny-remaining-all-through-windows-firewall?forum=win10itpronetworking#b4131a05-63fb-4d2e-86f0-14e4956859ac

    Monday, March 27, 2017 7:14 AM