Windows Server - Question about outbound rules and security

Asked By randyboy
11-Nov-09 04:16 AM
I am running ISA 2006 as an Edge firewall for my internal network, and client
workstations and servers are connected to the internet as SecureNAT clients
(default gateway pointed to the ISA IP).

I am concerned about the security for the servers and would like to tighten
the amount of access the servers have to the internet.

Right now, I have an access rule which allows common protocols (HTTP, HTTPS,
FTP, etc.) from Internal to External networks. The parameters of these
protocols are all Outbound.

My question is, does 'outbound' here actually mean exclusively outbound?
Correct me if I am wrong, but there is an exchange of data in both inbound and
outbound directions via the ports for protocols such as HTTP or FTP?

If so, does this also mean that 'outbound' is actually moot and that the
ports of these protocols for the servers are open to the internet (inbound
direction)?

If this is the case, what is the definition of Outbound here if access is
actually 2-way?
  Thomas Moeller Nexoe replied to randyboy
06-Jan-10 06:47 AM
Hi.

Outbound means that clients (and servers acting as clients) can initiate
connections via the specified protocols and are able to receive replies
via those connections on the specified protocols/ports.

A host on the outside cannot initiate connections to hosts on the
inside, but hosts on the inside can, for instance, contact a DNS server on
the internet and receive a DNS reply from that server once the lookup
takes place.

Thanks!
Thomas
  Thomas Moeller Nexoe replied to Thomas Moeller Nexoe
06-Jan-10 06:53 AM
I see that my previous reply is a little confusing.
What I meant was that if you have an access rule - say allowing HTTP
traffic from 'inside' to 'outside', only traffic initiated from the
'inside' network is allowed.

Clients on the 'inside' can initiate traffic to the 'outside' and receive
replies, but not the other way around - unless defined in a separate
rule of course...
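To make the direction semantics concrete, here is an added example (not from the thread and not ISA's own code) that models an "Internal to External, Outbound" rule as a tiny stateful packet filter. An inside host opening HTTP, HTTPS or DNS creates an entry in a connection table; a packet from outside is allowed only if it is the reply leg of such an entry (the same 5-tuple, reversed); any other packet arriving from outside, including a SYN to TCP/80 on the server or a forged "reply" from an address the server never contacted, is dropped. The addresses, hosts and packets are constructed for the example, and the internal range 10.0.0.0/24 is an assumption. It does not model NAT, timeouts, or application filters such as the FTP filter that ISA uses to admit the FTP data channel.

```python
"""Added example: a minimal stateful packet filter modelling what an
ISA-style 'Outbound' access rule means.

  * a packet from Internal that starts a new flow on an allowed protocol
    is permitted and recorded in a connection table;
  * a packet from External is permitted only if it is the reply leg of a
    flow the inside host already opened (same 5-tuple, reversed);
  * anything else from External is dropped, even if it targets a port the
    rule names (e.g. an outside host opening TCP/80 on the server).

Addresses, hosts and packets below are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")  # assumed Internal network range

# Protocol definitions in the style of ISA protocol elements: (transport, port)
ALLOWED_OUTBOUND = {
    "http":  ("tcp", 80),
    "https": ("tcp", 443),
    "dns":   ("udp", 53),
}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP only: True for a connection-opening SYN


def _is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


@dataclass
class StatefulFilter:
    table: set = field(default_factory=set)   # inside-initiated 5-tuples
    log: list = field(default_factory=list)   # (packet, verdict) history

    @staticmethod
    def _flow_key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for one packet, updating the table."""
        verdict = self._decide(pkt)
        self.log.append((pkt, verdict))
        return verdict

    def _decide(self, pkt: Packet) -> str:
        # Either leg of a flow the inside already opened is allowed.
        if self._flow_key(pkt) in self.table or self._reverse_key(pkt) in self.table:
            return "allow"
        # A new flow is only accepted Internal -> External on a listed protocol.
        if _is_internal(pkt.src) and not _is_internal(pkt.dst):
            if pkt.proto == "tcp" and not pkt.syn:
                return "deny"   # mid-stream TCP segment with no tracked flow
            for _name, (proto, port) in ALLOWED_OUTBOUND.items():
                if pkt.proto == proto and pkt.dport == port:
                    self.table.add(self._flow_key(pkt))
                    return "allow"
        # Everything else, including any External-initiated flow, is dropped.
        return "deny"


def demo() -> dict:
    """Run constructed traffic through the filter; returns name -> verdict."""
    fw = StatefulFilter()
    server, web = "10.0.0.10", "203.0.113.5"
    resolver, attacker = "198.51.100.53", "192.0.2.99"
    r = {}
    # 1. Server opens HTTPS to a web host: SYN out, SYN/ACK back.
    r["syn_out"] = fw.filter(Packet("tcp", server, 51000, web, 443, syn=True))
    r["synack_in"] = fw.filter(Packet("tcp", web, 443, server, 51000))
    # 2. Server sends a DNS query; the resolver's UDP reply matches the flow.
    r["dns_query"] = fw.filter(Packet("udp", server, 40000, resolver, 53))
    r["dns_reply"] = fw.filter(Packet("udp", resolver, 53, server, 40000))
    # 3. Outside host opens TCP/80 on the server: no tracked flow, dropped.
    r["inbound_syn"] = fw.filter(Packet("tcp", attacker, 4444, server, 80, syn=True))
    # 4. Outside host forges a 'reply' from port 443 to the server's open port.
    r["spoofed_reply"] = fw.filter(Packet("tcp", attacker, 443, server, 51000))
    # 5. Server tries a protocol the rule does not list (SMTP).
    r["smtp_out"] = fw.filter(Packet("tcp", server, 52000, web, 25, syn=True))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The point for the original question: "Outbound" in the protocol definition describes who may open the flow, not which direction bytes travel. Case 3 is the one the poster was worried about, and it is denied because the connection table only ever gains entries from inside-initiated packets. Case 4 shows why matching on the full reversed 5-tuple matters: a packet that merely arrives "from port 443" is not a reply unless it comes from the peer the server actually contacted.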