There are 3 GPOs that affect the firewall on client machines in an SBS 2008 domain.
Open the Group Policy Management Console on the SBS and edit each of the 3 following GPOs, or the ones that match the types of client PCs you have. They can be found under My Business | Computers | SBS Computers or under Group Policy Objects:
Windows SBS Client - Windows Vista Policy
Windows SBS Client - Windows XP Policy
Windows SBS Client
The item to edit is:
Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | Protect All Network connections
By default this is set to Enabled. Setting it to Disabled turns the firewall off; setting it to Not Configured allows administrators to enable or disable the firewall on the PC.
Note this only affects computers while connected to your domain. If you want to affect them while outside of your domain (not recommended) you also need to edit:
Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | Standard Profile | Protect All Network connections
There is another GPO setting, Computer Configuration | Policies | Administrative Templates | Network | Network Connections | "Prohibit use of Internet Connection Firewall on your DNS domain network", which can override the above. The default is Not Configured, but if it has been changed to Enabled or Disabled it will force the firewall on or off and administrators have no control. This should be left as "Not Configured".
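To confirm on a workstation which state each of these three settings is actually in, the registry values that the policies write can be read directly. This is an added example, not part of the original article; it assumes the standard policy registry locations for the Windows Firewall and Network Connections administrative templates and needs PowerShell on the client.

```powershell
# Added example: report the state of the three policy settings discussed above.
# 'On' is the registry value that corresponds to the setting being Enabled.
$checks = @(
    @{ Name  = 'Domain Profile | Protect all network connections'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
       Value = 'EnableFirewall'; On = 1; Override = $false },
    @{ Name  = 'Standard Profile | Protect all network connections'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
       Value = 'EnableFirewall'; On = 1; Override = $false },
    @{ Name  = 'Prohibit use of Internet Connection Firewall on your DNS domain network'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Value = 'NC_PersonalFirewallConfig'; On = 0; Override = $true }
)

foreach ($c in $checks) {
    # A missing value means no GPO has set it, i.e. Not Configured.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'Not Configured'
    } elseif ($item.($c.Value) -eq $c.On) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    # The "Prohibit use ..." setting overrides the profile settings, so flag it
    # whenever it is anything other than Not Configured.
    if ($c.Override -and $state -ne 'Not Configured') {
        $state += '  <-- overrides the profile settings; should be Not Configured'
    }
    '{0,-72} {1}' -f $c.Name, $state
}
```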
Remember it can take up to 90 minutes for the policy to be applied to the workstations. You can force this almost immediately by running at a command line, on the workstation:
A frequent question is how to limit access to a VPN/RRAS server to users connecting from a specific IP.
The following outlines using RRAS "Inbound Filters" on Server 2003. Similar steps can be taken using Inbound Filters with NPS on Server 2008 and newer.
- Inbound/Outbound Filters within RRAS should not be used in place of a proper firewall solution.
- As soon as filter rules are enabled, all other traffic is blocked by default, and filters need to be configured for each service, both incoming and outgoing.
- You should have console access when editing RRAS features and filters, as it is very easy to lock yourself out of remote access regardless of what service you are using: RDP, VPN, TeamViewer, LogMeIn, etc.
- More granular control is possible with a proper perimeter VPN device/router
It is assumed the VPN has already been configured and is working properly. As this stems from a previous specific question, it addresses a single-NIC RRAS configuration; however, the same process is followed for 2-NIC RRAS servers. Should you need assistance with configuring the basic VPN within RRAS see:
To configure the Inbound and Outbound filters, open the RRAS console, expand the server name, expand "IP Routing", click on "General", in the right-hand window select the WAN/public network adapter, right-click on it and choose Properties. Under the "General" tab click "Inbound Filters". The rules are very basic; there are only 3 required for the PPTP VPN: incoming PPTP and GRE and matching outgoing rules, or an 'allow any' outgoing rule. Keep in mind you need to create rules for any other service used, such as DNS, HTTP, HTTPS, RDP, etc. Not doing so will result in failed services.
To create a new rule select "New" and complete the filter configurations as follows.
Start with a default rule allowing all outgoing traffic so that specific rules do not need to be created for each service. The following allows all protocols 'out' from the local subnet 192.168.20.0. If the "Destination network" check box is left unchecked, it defaults to "Any" destination or remote address.
Next you will need incoming rules for PPTP and GRE. The purpose of this article is to allow access from only one public IP by VPN clients, therefore in the example below we have allowed access only from 188.8.131.52. The destination network is set to the entire local 192.168.20.0/24 network segment but could be limited to a particular server if you so desire. The protocol is TCP; under the source/remote port, '0' is entered, which defaults to any, and the destination port is 1723.
GRE is protocol 47, not port 47, so the configuration is a little different from other services and does not require a port number.
Once you have created your rules you need to check the box "Drop all packets except those that meet the criteria below" as in the screenshot below:
These rules will only allow VPN access from the 184.108.40.206 remote IP. In order for any client, internal or external, to use other services that require external access, or replies from external services, you will have to add rules for additional ports/services, whether TCP, UDP, or both. Below is a chart showing the VPN access above and additional examples for HTTP, HTTPS, DNS (requires both TCP and sometimes UDP), and RDP connections. The "Source network" for these needs to be set as "Any" to allow replies from any remote site. Also carefully note the source and destination port configurations in the different example types.
Don't forget to "Apply"/save your filters on exiting.
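Because enabling the drop-by-default option blocks everything that has no matching rule, it helps to run the planned inbound filter list against the traffic you expect before applying it. The following is an added example, not part of the original article: a small model of the inbound filter table, not an RRAS command. The client address is a placeholder, the HTTP reply rule is an assumed illustration of a source-port match, and destination-network matching is left out for brevity.

```powershell
# Added example: model of an inbound filter list with "drop all except" semantics.
# Port 0 means "any", as in the RRAS filter dialog.
$vpnClient = '203.0.113.10'   # placeholder for the one permitted public IP
$filters = @(
    @{ Src = $vpnClient; Proto = 'TCP'; SrcPort = 0;  DstPort = 1723 },  # PPTP control
    @{ Src = $vpnClient; Proto = '47';  SrcPort = 0;  DstPort = 0 },     # GRE: a protocol, no port
    @{ Src = 'Any';      Proto = 'TCP'; SrcPort = 80; DstPort = 0 }      # replies to outbound HTTP (assumed rule)
)

function Test-InboundPacket($Packet, $Filters) {
    foreach ($f in $Filters) {
        if ($f.Src -ne 'Any' -and $f.Src -ne $Packet.Src)          { continue }
        if ($f.Proto -ne $Packet.Proto)                             { continue }
        if ($f.SrcPort -ne 0 -and $f.SrcPort -ne $Packet.SrcPort)   { continue }
        if ($f.DstPort -ne 0 -and $f.DstPort -ne $Packet.DstPort)   { continue }
        return 'Forward'
    }
    # No filter matched: "Drop all packets except those that meet the criteria below"
    return 'Drop'
}

# Constructed sample traffic arriving on the WAN adapter.
$packets = @(
    @{ Note = 'PPTP from permitted IP';  Src = $vpnClient;     Proto = 'TCP'; SrcPort = 50000; DstPort = 1723 },
    @{ Note = 'GRE from permitted IP';   Src = $vpnClient;     Proto = '47';  SrcPort = 0;     DstPort = 0 },
    @{ Note = 'PPTP from another IP';    Src = '198.51.100.7'; Proto = 'TCP'; SrcPort = 50001; DstPort = 1723 },
    @{ Note = 'HTTP reply from a site';  Src = '198.51.100.8'; Proto = 'TCP'; SrcPort = 80;    DstPort = 51000 },
    @{ Note = 'DNS reply (no rule yet)'; Src = '198.51.100.9'; Proto = 'UDP'; SrcPort = 53;    DstPort = 52000 },
    @{ Note = 'RDP from outside';        Src = '198.51.100.7'; Proto = 'TCP'; SrcPort = 50002; DstPort = 3389 }
)

foreach ($p in $packets) {
    '{0,-26} {1}' -f $p.Note, (Test-InboundPacket $p $filters)
}
```

The DNS reply is dropped because no rule covers it yet, which is the "failed services" case the article warns about.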