
Windows Server 2008 R2 Firewall - Interface specific rules

November 11

I'm trying to define per interface rules, much like it was in Server 2003.

We will be replacing our old 2003 server with a new 2008 R2 server. The server runs IIS and SQL Server. It's a dedicated server at the hosting company. We use an OpenVPN connection from the office to access SQL Server, RDesktop, FTP and other administrative services. Only HTTP and SSH are listening on the public interface.

On the old server running 2003, I was able to define global rules for HTTP and SSH, and allow other services only on the VPN interface. I can't find a way to do the same on 2008 R2.

I understand that there is the Network Location Awareness service, and that firewall rules are applied according to the current network location. But I don't understand the purpose of this on a server.

The only close solution I found is to set the scope on the firewall rule and restrict remote IP addresses to the private subnet of the office. But the ports will still be listening on the public interface.

So how can I restrict a firewall rule to the connections coming from the VPN interface?



A note on this page states that scoping a rule to an interface does not exist anymore:

In earlier versions of Windows, many of these commands accepted a parameter called interface. This parameter is not supported in the firewall context in Windows Vista or later versions of Windows.

I can't believe that they simply decided to remove a core firewall functionality that every firewall has. There must be a way to restrict a rule to an interface.

Any ideas?



I'm still unable to find an adequate solution to my problem. So for now, my workaround is this:

  • Administrative services listen on VPN IP address
  • Firewall rules restrict the scope to the local IP address of VPN
  • Public services listen on all interfaces, no scope restriction on firewall rules

This is not optimal: if I change the IP address of the VPN, I need to edit the firewall rules too. That wouldn't be the case if the rules were bound to the interface.
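The workaround above can be kept in sync automatically. The following is an added example, not part of the original post: it looks up the VPN adapter's current IPv4 address through WMI (which works on the PowerShell 2.0 shipped with 2008 R2) and rewrites the local-IP scope of the administrative rules with `netsh advfirewall`. The adapter name `OpenVPN` and the rule names are assumptions; the rules must already exist.

```powershell
# Added example: re-scope admin firewall rules to the VPN adapter's current IP.
# Assumed names (not from the original post): adapter 'OpenVPN' and the
# three rule names below. Run from an elevated prompt.
$AdapterName = 'OpenVPN'      # connection name as shown in Network Connections
$RuleNames   = @('Admin-SQL-VPN', 'Admin-RDP-VPN', 'Admin-FTP-VPN')

function Get-AdapterIPv4 {
    param([string]$Name)
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if (-not $nic) { throw "Adapter '$Name' not found" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration `
               -Filter "Index=$($nic.Index)"
    # IPAddress mixes IPv4 and IPv6 strings; keep the first dotted-quad entry.
    $ip = $cfg.IPAddress |
          Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
          Select-Object -First 1
    if (-not $ip) { throw "Adapter '$Name' has no IPv4 address (VPN down?)" }
    return $ip
}

# If the VPN is down this throws before any rule is touched, so the rules
# keep their previous, restrictive scope instead of being widened.
$vpnIp = Get-AdapterIPv4 -Name $AdapterName

foreach ($rule in $RuleNames) {
    & netsh advfirewall firewall set rule name=$rule new localip=$vpnIp |
        Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Rule '$rule' was not updated (does it exist?)"
    } else {
        Write-Output "Rule '$rule' now scoped to local IP $vpnIp"
    }
}
```

The services themselves still have to be bound to the VPN address separately; the script only keeps the firewall scope aligned with it.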

Answers

I know this is an old/dead thread, but it appeared first on the results list when I searched for this problem on Google, so I'm posting this answer for future visitors:

Please see this thread for how to disable/enable Windows 7 AND Windows Server 2008 firewall on a per-interface basis:

how do I disable the firewall on a single interface in Windows 7?

Took me a couple of hours, but I found a way to do it on Windows 2008 R2 (a bit complicated, but it can be automated):

  1. Run ipconfig /all and get the interface ID you need; it should look like:

Tunnel adapter isatap.{46BE0BE9-4808-4CF4-8C3B-DC543261F096}

  2. This is the registry key that needs to be changed: HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisabledInterfaces

You can swap the "DomainProfile" with the profile you want to edit.

In the value, set the interface IDs you want to disable, separated by commas:

{46BE0BE9-4808-4CF4-8C3B-DC543261F096},{91...}
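Because this value switches filtering off for whole interfaces, it is worth auditing. The following is an added example, not code from the answer: it reads `DisabledInterfaces` under every profile key of the registry path quoted above and resolves each GUID to an adapter name through WMI. It only reads the registry; treating the value as either a single string or a multi-string is an assumption, since the answer does not state the value type.

```powershell
# Added example: list interfaces on which the firewall is disabled, per profile.
$base = 'HKLM:\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy'

# Build a GUID -> adapter name lookup (GUID property exists on Vista and later).
$adapters = @{}
Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.GUID } | ForEach-Object {
    $label = $_.NetConnectionID
    if (-not $label) { $label = $_.Name }   # tunnel adapters have no connection name
    $adapters[$_.GUID.ToUpper()] = $label
}

function Get-FirewallDisabledInterface {
    Get-ChildItem $base |
      Where-Object { $_.PSChildName -like '*Profile' } |
      ForEach-Object {
        $profileName = $_.PSChildName
        $prop = Get-ItemProperty -Path $_.PSPath -Name DisabledInterfaces `
                    -ErrorAction SilentlyContinue
        if (-not $prop) { return }          # value not set for this profile
        # Assumption: value is REG_SZ or REG_MULTI_SZ; normalise to one list.
        $guids = (@($prop.DisabledInterfaces) -join ',') -split ',' |
                 ForEach-Object { $_.Trim().ToUpper() } |
                 Where-Object { $_ }
        foreach ($g in $guids) {
            $name = $adapters[$g]
            if (-not $name) { $name = '(no matching adapter)' }
            New-Object PSObject -Property @{
                Profile = $profileName
                Guid    = $g
                Adapter = $name
            }
        }
      }
}

$found = @(Get-FirewallDisabledInterface)
if ($found.Count -eq 0) {
    Write-Output 'No interface has the firewall disabled in any profile.'
} else {
    $found | Format-Table Profile, Adapter, Guid -AutoSize
}
```

An entry that maps to the public-facing adapter means the firewall rules for that profile are not protecting it.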
