Vista - Advanced firewall rules help please.

07-04-2009

I'm trying to create a rull, that will lock-down a Vista Home Premium PC, so
that it can only gain access to the internet via a corporate proxy on a
Cisco VPN client. I can block all port 80 and 443 traffic, but then can't
get a rule to work that permits traffic to the VPN gateway or proxy server.
I guess the port 80 block is getting a higher priority to the gateway permit
or something similar.

Any ideas please?

I need this to replace Novell Endpoint Security suite, which simply doesn't
work on Vista, even though they claim it does!

Thanks,

Martin.

07-05-2009

A block rule always takes priority over an allow rule. Once ports 80 and 443
are blocked, another rule exception will never un-block them.

Instead you have to make the same block rule not apply to the proxy server,
so that it will be exempt.

Create an Outgoing rule to block remote ports TCP 80 and 443 , and in the
scope set two ranges for the remote IP address that exclude the proxy
server. Ignore the VPN tunnel IP addresses, as the firewall will not see
those.

So, for example, if your proxy server on the other side of the tunnel has an
IP address of 172.10.45.100, then the scope should 0.0.0.0 - 172.10.45.99
and 172.10.45.101 - 255.255.255.255.

Simple!

Martin

07-04-2009	#1 (permalink)
Martin Connolly n/a posts	Advanced firewall rules help please. I'm trying to create a rull, that will lock-down a Vista Home Premium PC, so that it can only gain access to the internet via a corporate proxy on a Cisco VPN client. I can block all port 80 and 443 traffic, but then can't get a rule to work that permits traffic to the VPN gateway or proxy server. I guess the port 80 block is getting a higher priority to the gateway permit or something similar. Any ideas please? I need this to replace Novell Endpoint Security suite, which simply doesn't work on Vista, even though they claim it does! Thanks, Martin.
My System Specs

07-05-2009	#2 (permalink)
Martin Connolly n/a posts	Re: Advanced firewall rules help please. A block rule always takes priority over an allow rule. Once ports 80 and 443 are blocked, another rule exception will never un-block them. Instead you have to make the same block rule not apply to the proxy server, so that it will be exempt. Create an Outgoing rule to block remote ports TCP 80 and 443 , and in the scope set two ranges for the remote IP address that exclude the proxy server. Ignore the VPN tunnel IP addresses, as the firewall will not see those. So, for example, if your proxy server on the other side of the tunnel has an IP address of 172.10.45.100, then the scope should 0.0.0.0 - 172.10.45.99 and 172.10.45.101 - 255.255.255.255. Simple! Martin
My System Specs

Similar Threads
Thread	Forum
Windows Firewall and WF with Advanced Security rules not working	Vista security
Vista Firewall with Advanced Security	Vista General
Vista Advanced Firewall	Vista security
Advanced interface to Windows Firewall	Vista General
Firewall rules: how to get list of allow program through firewall?	Vista security