Otdfbt

Why can’t you see at the start of the Big Bang?

Transistor gain, what if there is not enough current?

Has the United States ever had a non-Christian President?

The selling of the sheep

How would you say "You forget wearing what you're wearing"?

What's the 2-minute timer on mobile Deutsche Bahn tickets?

Why are condenser mics so much more expensive than dynamics?

How important are good looking people in a novel/story?

What happens if I accidentally leave an app running and click "Install Now" in Software Updater?

Changing stroke width vertically but not horizontally in Inkscape

Referring to person by surname, keep or omit "von"?

GitLab account hacked and repo wiped

Copper as an adjective to refer to something made of copper

How is Pauli's exclusion principle still valid in these cases?

Is there a reason why Turkey took the Balkan territories of the Ottoman Empire, instead of Greece or another of the Balkan states?

Stereochemical outcomes in opening of vinyl epoxides

How long did it take Captain Marvel to travel to Earth?

What word describes the sound of an instrument based on the shape of the waveform of its sound?

In "Avengers: Endgame", what does this name refer to?

Which version of the Squat Nimbleness feat is correct?

Does Thanos's ship land in the middle of the battlefield in "Avengers: Endgame"?

Two denim hijabs

As a GM, is it bad form to ask for a moment to think when improvising?

Hostile Divisor Numbers

Windows Server Firewall: Block all incoming traffic except from domain members

Windows Server Firewall configurationWindows Firewall 2008 Server - Allow only given IP in, block all othersHow to configure Windows Firewall for Domain Controller?Windows firewall blocks MS SQL Server even with firewall exceptionsApplying outbound connection rules PER USER in Windows Firewall with Advanced SecurityHow to block all incoming request through one network interface?Configure Windows Firewall to block all except for specific trafficWindows Server 2003 - Block outgoing traffic of programIs it possible to block HTTP traffic from specific machines?Firewall: allow all traffic from sources authenticated via. an open ssh connection

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

I want to secure a Remote-Desktop server farm (running on Windows Server 2019). I run multiple servers with different roles (as Active Directory, Connection Broker, RD Gateway, ...).

Now I want to setup the firewall so that only the 443 port of the RD Gateway is available from the internet. All other servers should be unavailable.

My idea was to create a firewall rule, that blocks all incoming traffic except from the computers, which are members of the domain - but I don't know how to realize that.

Things I DONT want:

• Allow all incoming traffic from the domain members - the default windows firewall rules should persist




• Manually specify all IP addresses which should be allowed to access the servers




• Delete all preset firewall rules and set all rules manually per protocol, port and IP

I hope you can help me out with this.

windows networking firewall tcp udp

share|improve this question

asked Apr 27 at 20:10

dinnerspoondinnerspoon

61

migrated from superuser.com Apr 27 at 20:19

This question came from our site for computer enthusiasts and power users.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You should be creating the firewall rule to restrict traffic from the Internet on your Internet-facing firewall appliance. Is that what you're trying to do?
  
  – Twisty Impersonator
  Apr 27 at 20:13
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes this is exactly the thing I’m trying to do. It’s a virtualized cloud server - not supporting a private network interface or vSwitch. I’m able to mange the server with a VNC console.
  
  – dinnerspoon
  Apr 27 at 20:21
  

  
  
  
  

add a comment | 

1

I want to secure a Remote-Desktop server farm (running on Windows Server 2019). I run multiple servers with different roles (as Active Directory, Connection Broker, RD Gateway, ...).

Now I want to setup the firewall so that only the 443 port of the RD Gateway is available from the internet. All other servers should be unavailable.

My idea was to create a firewall rule, that blocks all incoming traffic except from the computers, which are members of the domain - but I don't know how to realize that.

Things I DONT want:

• Allow all incoming traffic from the domain members - the default windows firewall rules should persist




• Manually specify all IP addresses which should be allowed to access the servers




• Delete all preset firewall rules and set all rules manually per protocol, port and IP

I hope you can help me out with this.

windows networking firewall tcp udp

share|improve this question

asked Apr 27 at 20:10

dinnerspoondinnerspoon

61

migrated from superuser.com Apr 27 at 20:19

This question came from our site for computer enthusiasts and power users.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You should be creating the firewall rule to restrict traffic from the Internet on your Internet-facing firewall appliance. Is that what you're trying to do?
  
  – Twisty Impersonator
  Apr 27 at 20:13
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes this is exactly the thing I’m trying to do. It’s a virtualized cloud server - not supporting a private network interface or vSwitch. I’m able to mange the server with a VNC console.
  
  – dinnerspoon
  Apr 27 at 20:21
  

  
  
  
  

add a comment | 

I want to secure a Remote-Desktop server farm (running on Windows Server 2019). I run multiple servers with different roles (as Active Directory, Connection Broker, RD Gateway, ...).

Now I want to setup the firewall so that only the 443 port of the RD Gateway is available from the internet. All other servers should be unavailable.

My idea was to create a firewall rule, that blocks all incoming traffic except from the computers, which are members of the domain - but I don't know how to realize that.

Things I DONT want:

• Allow all incoming traffic from the domain members - the default windows firewall rules should persist




• Manually specify all IP addresses which should be allowed to access the servers




• Delete all preset firewall rules and set all rules manually per protocol, port and IP

I hope you can help me out with this.

windows networking firewall tcp udp

share|improve this question

asked Apr 27 at 20:10

dinnerspoondinnerspoon

61

share|improve this question

asked Apr 27 at 20:10

dinnerspoondinnerspoon

61

share|improve this question

asked Apr 27 at 20:10

dinnerspoondinnerspoon

61

asked Apr 27 at 20:10

dinnerspoondinnerspoon

61

asked Apr 27 at 20:10

dinnerspoondinnerspoon

61

2 Answers
2

active

oldest

votes

1

For IPv4 there is an easy solution : Add firewall rules that block all
incoming connections from any IP address range that is not in your segment.

You may need to add two rules for the ranges.
One for 1.1.1.1 up to your IP segment,
and another for the IP following your segment and up to the end of the Internet.

share|improve this answer

answered Apr 27 at 20:30

harrymcharrymc

44839

add a comment | 

0

The only way to leverage that functionality of the Windows Firewall is to implement Domain/Server Isolation. Both the Server and connecting client will need to be configured to use the same Main Mode Rule and Connection Security Rule. This allows them to negotiate an IPsec channel and achieve Domain Member authentication. These rules should be distributed via GPO or administrative script.

If there will be off-site clients connecting, they will also need access to a domain controller. For example, first connect to the company VPN before allowing access to the RDP server. This is to achieve the authentication/authorization of IPsec. To get around this use a Preshared Key for the Main Mode rule.

Taking this route is nothing short of complex though the result is a far more secure infrastructure.

share|improve this answer

answered Apr 27 at 21:28

phbitsphbits

314

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f964876%2fwindows-server-firewall-block-all-incoming-traffic-except-from-domain-members%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

For IPv4 there is an easy solution : Add firewall rules that block all
incoming connections from any IP address range that is not in your segment.

You may need to add two rules for the ranges.
One for 1.1.1.1 up to your IP segment,
and another for the IP following your segment and up to the end of the Internet.

share|improve this answer

answered Apr 27 at 20:30

harrymcharrymc

44839

add a comment | 

1

For IPv4 there is an easy solution : Add firewall rules that block all
incoming connections from any IP address range that is not in your segment.

You may need to add two rules for the ranges.
One for 1.1.1.1 up to your IP segment,
and another for the IP following your segment and up to the end of the Internet.

share|improve this answer

answered Apr 27 at 20:30

harrymcharrymc

44839

add a comment | 

For IPv4 there is an easy solution : Add firewall rules that block all
incoming connections from any IP address range that is not in your segment.

You may need to add two rules for the ranges.
One for 1.1.1.1 up to your IP segment,
and another for the IP following your segment and up to the end of the Internet.

share|improve this answer

answered Apr 27 at 20:30

harrymcharrymc

44839

share|improve this answer

answered Apr 27 at 20:30

harrymcharrymc

44839

answered Apr 27 at 20:30

harrymcharrymc

44839

answered Apr 27 at 20:30

harrymcharrymc

44839

0

The only way to leverage that functionality of the Windows Firewall is to implement Domain/Server Isolation. Both the Server and connecting client will need to be configured to use the same Main Mode Rule and Connection Security Rule. This allows them to negotiate an IPsec channel and achieve Domain Member authentication. These rules should be distributed via GPO or administrative script.

If there will be off-site clients connecting, they will also need access to a domain controller. For example, first connect to the company VPN before allowing access to the RDP server. This is to achieve the authentication/authorization of IPsec. To get around this use a Preshared Key for the Main Mode rule.

Taking this route is nothing short of complex though the result is a far more secure infrastructure.

share|improve this answer

answered Apr 27 at 21:28

phbitsphbits

314

add a comment | 

0

The only way to leverage that functionality of the Windows Firewall is to implement Domain/Server Isolation. Both the Server and connecting client will need to be configured to use the same Main Mode Rule and Connection Security Rule. This allows them to negotiate an IPsec channel and achieve Domain Member authentication. These rules should be distributed via GPO or administrative script.

If there will be off-site clients connecting, they will also need access to a domain controller. For example, first connect to the company VPN before allowing access to the RDP server. This is to achieve the authentication/authorization of IPsec. To get around this use a Preshared Key for the Main Mode rule.

Taking this route is nothing short of complex though the result is a far more secure infrastructure.

share|improve this answer

answered Apr 27 at 21:28

phbitsphbits

314

add a comment | 

The only way to leverage that functionality of the Windows Firewall is to implement Domain/Server Isolation. Both the Server and connecting client will need to be configured to use the same Main Mode Rule and Connection Security Rule. This allows them to negotiate an IPsec channel and achieve Domain Member authentication. These rules should be distributed via GPO or administrative script.

If there will be off-site clients connecting, they will also need access to a domain controller. For example, first connect to the company VPN before allowing access to the RDP server. This is to achieve the authentication/authorization of IPsec. To get around this use a Preshared Key for the Main Mode rule.

Taking this route is nothing short of complex though the result is a far more secure infrastructure.

share|improve this answer

answered Apr 27 at 21:28

phbitsphbits

314

share|improve this answer

answered Apr 27 at 21:28

phbitsphbits

314

answered Apr 27 at 21:28

phbitsphbits

314

answered Apr 27 at 21:28

phbitsphbits

314