A Cisco router with a software-based firewall offers some of the networking industry's best security features. The configuration of a Cisco router with a firewall is similar to configuration of a router without a firewall. The only addition is the inclusion of security-based commands that restrict access across external interfaces. Firewall IP addresses and ports for Direct Routing media: The SBC communicates to the following services in the cloud: SIP Proxy, which handles the signaling Media Processor, which handles media -except when Media Bypass is on These two services have separate IP addresses in Microsoft Cloud, described later in this document.
Routing policies allow you to control the routing informationbetween the routing protocols and the routing tables and between therouting tables and the forwarding table. All routing protocols usethe Junos OS routing tables to store the routes that they learn andto determine which routes they should advertise in their protocolpackets. Routing policies also allow you to control which routes therouting protocols store in and retrieve from the routing table.Firewall filter policies allow you to control packets transitingthe router to a network destination and packets destined for and sentby the router. They provide a means of protecting your router fromexcessive traffic transiting the router to a network destination ordestined for the Routing Engine. Firewall filters that control localpackets can also protect your router from external incidents suchas denial-of-service attacks.
Hi There - The DirectAccess Server (in different of configuration) requires full access to all internal resources.So for example if you have an internal firewall behind the DA Server a recommended practise I have used is to allow a rule allow the DA Server Access to internal resources. For example allow internal IP of DA Server to all VLAN's behind operating servicesand also apply the correct static routes to the DA Server to provide network routing.Internal IP of the DA Server - allow all traffic to selected VLAN'sThe above rule is restricting traffic from the DA Server to the required VLAN's / Networks you specify, The reasoning being is that Direct Access requires full connectivity to your apps / infrastructure unless you want to create Firewall Rules for everyapplication and port. The suggested answer limits the DirectAccess Server Internal IP full access only to internal resources. A good example of opening ports on the backend Firewall for each application (and the difficulties you may encounter) would besomething like Active Directory Certificate Services which uses a full RPC high port range (TCP/IP) unless limited to a specific port.See this link as an example if you go down the individual application firewall rules.KrJohn Davies. Hi BarkleyPlease see this Technet Link which will backup your requirements - Reads -When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:ISATAP—Protocol 41 inbound and outboundTCP/UDP for all IPv4/IPv6 trafficAlso another link from have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccessserver to the internal corporate network.
While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccessserver to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configurationin terms of supportability and provides the best user experience.' Kindest RegardsJohn Davies. Hi BarkleyPlease see this Technet Link which will backup your requirements - Reads -When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:ISATAP—Protocol 41 inbound and outboundTCP/UDP for all IPv4/IPv6 trafficAlso another link from have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccessserver to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution.
Restricting network access from the DirectAccessserver to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configurationin terms of supportability and provides the best user experience.' Kindest RegardsJohn DaviesThank for your reply and information John. I find it somewhat disappointing that Microsoft does not provide much more in the way of documentation and information regarding this topic. I required more information to show to our security team so they will allowus to have the internal facing NIC not have more restrictive rules in place as it is a security concern.
As long as it is a requirement from MS that the DA servers are members of the domain, you need to make sure that the DA servers have the necessary ports open to the DC's (Don't forget TCP 1688 for KMS activation if you have a KMS host.Also, if you want to make the DA Client behave like it's an internal Client, you need to both provide static routes on the DA servers to Your other internal Networks, plus all the ports necessary for normal Communications between the DA servers and the internalNetworks. Usually that means at least SMB ports.If you have an existing internal Client network already in Place, you need to copy those firewall rules and apply it from the DA server as well.
If that is Your Company policy of course. Hi Barkley - whilst Steve is also correct in his answer this would only allow access to Domain Controllers and file shares would not cater for all applications and their specfic ports. The technet link sent earlier by myself dies state all tcp / udp fromthe internal ip of the DA Server to the corp lan, and as Steve mentioned static routes to the required vlans. I have been on many deployments where security want to limit the fw ports and the deployment starts out this way until specific apps are requiredand then inevitably they end up opening the backend fw as I originally suggested.John Davies.