2012 R2 DirectAccess - Windows Firewall

  • Question

  • Hey,

    I see from the pre-requisites that the Windows Firewall is required to be on for all profiles. Is there any guidance on how this should be done for a large Windows environment? We have Exchange, SQL, WDS/MDT, WSUS, RDS etc.

    For example if I just enable it in group policy as-is, inbound Remote Desktop to machines is blocked, as well as some 3rd-party software we have.

    I don't want to just enable it to find Exchange, SQL etc. all stop accepting inbound connections. Am I really going to have to enable it and manually fine-tune?

    Thanks

    Friday, November 3, 2017 8:22 PM

Answers

  • Actually for DA to work on client you must enable firewall for only Public and Private profiles on DA clients.
    For inbound connections to DA clients when they're outside you can add a few FW rules for needed protocols (icmp, rdp etc).

    >I don't want to just enable it to find Exchange, SQL etc. all stop accepting inbound connections
    If you mean DA clients - they do not accept inbound connections from Exchange, SQL, WSUS, WDS etc as they are clients, not servers. 
    Instead they establish outbound connections to servers and outbound connections for resources on corp network are enabled in FW by default.
    • Marked as answer by Lanky Doodle Wednesday, November 8, 2017 9:01 PM
    Saturday, November 4, 2017 9:29 AM
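    The settings the answer describes (firewall on for Private/Public only, plus a couple of inbound rules so corp-side tools can reach clients while they are out), as an added PowerShell example that is not part of the thread. `<CORP-IPV6-PREFIX>` is a placeholder for the corporate IPv6 prefix that manage-out traffic arrives from over the DA tunnel; the rule names are made up here.

```powershell
# Added example (not from the thread): baseline Windows Firewall settings for
# DirectAccess clients, suitable for a client-only GPO or for local testing.
# Assumption: <CORP-IPV6-PREFIX> is a placeholder for the corporate IPv6 prefix
# that manage-out traffic (ping, RDP) originates from over the DA tunnel.

$corpPrefix = '<CORP-IPV6-PREFIX>'   # placeholder, replace with the real prefix

# 1. DA needs the firewall on for the Private and Public profiles. The Domain
#    profile is only active when the client is on the corp network, so it is
#    left to the separate server/desktop GPOs discussed in the thread.
Set-NetFirewallProfile -Profile Private, Public -Enabled True -DefaultInboundAction Block

# 2. Allow ICMPv6 echo requests from the corp prefix so remote clients answer
#    pings from the corporate network (DA's Teredo transport relies on this too).
New-NetFirewallRule -DisplayName 'DA - Inbound ICMPv6 Echo Request' `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 128 `
    -Profile Private, Public -RemoteAddress $corpPrefix -Action Allow `
    -EdgeTraversalPolicy Allow

# 3. Allow Remote Desktop only from the corp prefix, so the RDP listener is
#    reachable through the DA tunnel but not from the client's local network.
New-NetFirewallRule -DisplayName 'DA - Inbound RDP from corp' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Profile Private, Public -RemoteAddress $corpPrefix -Action Allow `
    -EdgeTraversalPolicy Allow

# 4. Check what was applied: profile state and the port/ICMP filters of the rules.
Get-NetFirewallProfile -Profile Private, Public |
    Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayName 'DA - *' | Get-NetFirewallPortFilter
```

    Scoping both rules to the corp prefix keeps the client's inbound surface closed on hotel or home networks while still letting helpdesk tools reach it through the tunnel.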

All replies

  • Thanks.

    Regarding things like Exchange, I was referring to having the firewall on for all 3 profiles, including Domain, so on the servers I didn't want things blocked obviously. I've set up different GPOs for Servers, Desktops and Laptops, so that's got around that one. Doesn't the DA server have to have the same firewall state as the clients?

    One other thing, DA seems to not allow custom ports through. We have a 3rd-party app that uses port 11000; this app does not work for clients connected with DA. If I disconnect the DA connection, this app works because we have it configured on our firewall (TMG 2010) as a server publishing rule. Do I need to do something for these custom ports to work with DA, as this is not a Windows Firewall problem?

    For DA, TMG is configured with just 443 inbound to the DA server.

    Thanks

    Saturday, November 4, 2017 5:34 PM