
Mixed Clients V13/V14 - Firewall - How to / best practice ?

F-Secure

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Indeed, a sub-domain admin should clone the profile himself to be able to edit it, but it will be visible, usable and editable for other sub-domain admins of this scope and for root admins in the sub-domain scope. So I dropped my slightly confusing 'PS' from the previous post 😊

As for GPO, both undefined and enabled are acceptable. I do not see any reason why having two firewalls up is unwanted, especially if we are talking about a short transition period…

 

Regards,

Alexander

M_M
Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Is there a way to move the rules up or down in the firewall profile, or does it not matter now?
F-Secure

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Hi, with CS 14 we moved to the Windows firewall, where rules have no order. All matching rules will apply.

M_M
Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

I don't understand the logic of the new firewall. We need to allow inbound traffic from a remote MS SQL server to the subnet hosts. We create the network service "MSSQL":

Name    Protocol   Initiator port   Responder ports
MSSQL   TCP (6)    >1023            1433

We create the firewall rule "Allow inbound MSSQL" in the firewall profile:

Services    Remote hosts
<= MSSQL    SQL server IP address

When we look at the Windows firewall settings, we find a rule with:

Direction   Local address   Remote address          Local Port   Remote Port
Inbound     Any             SQL server IP address   1433         1024-65535

This is the wrong situation. What would happen if we created the rule in the bi-directional (<=>) direction?

Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

First of all, there is NO need to define anything on the client side if you want to access a Windows SQL Server. The standard Office profile has an Allow All TCP/UDP Outbound rule that covers that.

Nevertheless, you certainly have to allow inbound traffic on the server's firewall (not managed by F-Secure).

"Inbound" and "outbound" are always from the point of view of where the local firewall is installed. So a client connecting to a service is outbound.

If you want to remotely administer a user's Windows system:
your system has an outbound connection (covered by the allow all outbound TCP/UDP), but
the user's Windows box has an "inbound" connection.

The rule is always the same: initiator (local) ports: >1023; receiver (remote) port: 1433.

Matthias
----------
perComp has been a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntary and to the best of my knowledge, based on working with the products since 1997. For direct contact, customers please check our homepage http://www.percomp.de
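As an added illustration of the two posts above (this is not code from the thread or from F-Secure), the Python below models how a service definition (initiator/responder ports) combined with a rule direction is re-labelled into Windows-firewall local/remote ports, then checks which rule actually permits a workstation's connection to SQL port 1433. The MSSQL port values come from the table posted above; the port 49152 and the host roles are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str
    initiator_ports: PortRange   # ports used by the side that opens the connection
    responder_ports: PortRange   # ports the listening side answers on


@dataclass(frozen=True)
class WinRule:
    direction: str               # "Inbound" or "Outbound"
    local_ports: PortRange
    remote_ports: PortRange


def mssql_service() -> Service:
    """The MSSQL service from the thread: initiator >1023, responder 1433."""
    return Service("MSSQL", "TCP", (1024, 65535), (1433, 1433))


def expand_rule(svc: Service, direction: str) -> List[WinRule]:
    """Translate a profile rule ("<=", "=>" or "<=>") into Windows-style rules.

    Windows rules speak of local/remote ports, so initiator/responder must be
    re-labelled from the viewpoint of the host running the firewall: for an
    inbound rule the *remote* side initiated, so responder ports become local.
    """
    rules = []
    if direction in ("<=", "<=>"):   # inbound: remote host initiated
        rules.append(WinRule("Inbound", svc.responder_ports, svc.initiator_ports))
    if direction in ("=>", "<=>"):   # outbound: this host initiated
        rules.append(WinRule("Outbound", svc.initiator_ports, svc.responder_ports))
    return rules


def matches(rule: WinRule, direction: str, local_port: int, remote_port: int) -> bool:
    """Does a rule permit a connection as seen by this host's firewall? (addresses ignored)"""
    return (rule.direction == direction
            and rule.local_ports[0] <= local_port <= rule.local_ports[1]
            and rule.remote_ports[0] <= remote_port <= rule.remote_ports[1])


def client_can_reach_sql(direction: str) -> bool:
    """Constructed scenario: a workstation opens TCP 49152 -> SQL server:1433 (outbound here)."""
    return any(matches(r, "Outbound", 49152, 1433) for r in expand_rule(mssql_service(), direction))


def server_accepts_client(direction: str) -> bool:
    """Same connection seen on the SQL server's own firewall: inbound, local 1433, remote 49152."""
    return any(matches(r, "Inbound", 1433, 49152) for r in expand_rule(mssql_service(), direction))
```

Run with `client_can_reach_sql("<=")`: the inbound rule from the thread yields local port 1433 and does not match the workstation's outgoing connection, while `"=>"` or `"<=>"` does; the `"<="` rule is what the server side would need.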