Assistance Setting up IP Filtering in a 2003 Routing Remote Access Server

 
 
Nathaniel

 
      02-09-2007, 09:30 PM
Hi,

I'm looking to set up IP filtering on both internal and external NICs to cut
down on the amount of streaming video/music traffic occurring in the office on
non-standard ports. Here is the current setup:
Routing server: Windows 2003 Server Standard w/two NICs, one external to a T-1
router and one to the internal network 192.168.100.x

The following services will need to be able to route to the internet and are
already set up in the firewall:
2x DNS servers (192.168.100.105, .106) requesting DNS queries from our two
external DNS servers (port 53 UDP queries?)
2x IIS servers (192.168.100.117, .116) TCP 80, TCP 21, TCP 20, TCP 443
1x Exchange server (192.168.100.108) TCP 443, 80, 25, 110, 143

Workstation Internet Access:
(192.168.100.x 255.255.255.0) TCP 80, TCP 21
I don't think DNS port 53 is needed here because they will be communicating
w/the AD DNS servers internally.

I've tried setting it up in the past myself but it ends up never working
properly and I'm confusing myself with the inbound filter on the external is
actually the outbound of the internal NIC and such. Also the server routing
is attached to the AD network so it will also have to have those ports
opened to it on the internal NIC.

Any help on how to set this up would be great. TIA. Nate


 
 
 
 
 
Phillip Windell

 
      02-09-2007, 09:46 PM
Filter on the External NIC. Not the Internal one.

Haven't messed with RRAS Filters in a long time and I don't have one here to
look at. But focus on the external NIC... then outbound is really outbound, and
inbound is really inbound. That is backwards on the internal NIC because it is
"centric" to the RRAS box itself (like Cisco Routers do)... and there is no
reason to filter at the internal NIC anyway.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
 
Nathaniel

 
      02-12-2007, 03:27 PM
Thank you Phillip for your reply:

So just as an example the Front End server which I Remote Desktop to should
be set up like the following:
Drop all packets except the criteria below:

External NIC Inbound Filter:
Source Network: Any
Destination Network: 192.168.100.102
Protocol: TCP
Src Port:
Dest Port: 3389

External NIC Inbound Filter:
Source Network: Any
Destination Network: 192.168.100.102
Protocol: TCP Established
Src Port:
Dest Port: 3389
 
Phillip Windell
Guest
Posts: n/a

 
      02-12-2007, 04:09 PM
Looks ok to me, other than I never heard of "TCP Established", I would think
just the TCP would be "it".
I might want the Destination Network to actually be a network instead of a
single Host.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
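
An added example, not part of either poster's message: a small Python model of a "drop all packets except" inbound filter list on the external NIC, using the RDP filter and the 192.168.100.x addresses from the thread. The 203.0.113.x sources, the workstation address 192.168.100.50, the port-80 return-traffic rules and the reading of "TCP Established" as "ACK or RST flag set" are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # TCP flags set on the segment

@dataclass(frozen=True)
class Rule:
    dst_net: str              # "Destination Network" written as CIDR
    proto: str                # "tcp" or "tcp-est"
    sport: int = 0            # 0 models a blank port field (any port)
    dport: int = 0

    def matches(self, p: Packet) -> bool:
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.sport and p.sport != self.sport:
            return False
        if self.dport and p.dport != self.dport:
            return False
        # Assumption: "established" = ACK or RST set (a stateless check).
        if self.proto == "tcp-est" and not p.flags & {"ACK", "RST"}:
            return False
        return True

def inbound_verdict(rules, p):
    """External NIC, inbound list: drop everything except rule matches."""
    return "forward" if any(r.matches(p) for r in rules) else "drop"

# The two filters from the thread, plus hypothetical return-traffic rules.
RDP = Rule("192.168.100.102/32", "tcp", dport=3389)
RDP_EST_ONLY = Rule("192.168.100.102/32", "tcp-est", dport=3389)
WEB_REPLY_EST = Rule("192.168.100.0/24", "tcp-est", sport=80)
WEB_REPLY_PLAIN = Rule("192.168.100.0/24", "tcp", sport=80)

# Constructed packets arriving from the Internet side.
rdp_syn = Packet("203.0.113.10", "192.168.100.102", 50000, 3389, frozenset({"SYN"}))
web_reply = Packet("203.0.113.20", "192.168.100.50", 80, 51000, frozenset({"SYN", "ACK"}))
unsolicited = Packet("203.0.113.30", "192.168.100.50", 80, 8080, frozenset({"SYN"}))

def compare():
    strict = [RDP, WEB_REPLY_EST]     # replies matched with "TCP Established"
    loose = [RDP, WEB_REPLY_PLAIN]    # replies matched on source port alone
    return {
        "rdp_new_conn": inbound_verdict(strict, rdp_syn),
        "rdp_est_rule_alone": inbound_verdict([RDP_EST_ONLY], rdp_syn),
        "web_reply": inbound_verdict(strict, web_reply),
        "unsolicited_strict": inbound_verdict(strict, unsolicited),
        "unsolicited_loose": inbound_verdict(loose, unsolicited),
    }

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:20} {verdict}")
```

In this model the plain TCP filter for port 3389 already admits everything the "TCP Established" filter for the same port would, while the established variant matters for return traffic, where the source port is the only thing a stateless filter can match on.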
 
Nathaniel

 
      02-12-2007, 09:54 PM
Thanks Phillip.

I just realized that all my hard work will be for nothing because iTunes
and music streaming servers use port 80 for streaming.
How can I filter out this non-work-related traffic?
 
Phillip Windell

 
      02-13-2007, 05:52 PM
By removing iTunes from the machines.
Company policy is supposed to keep them from installing unauthorized software on
the machine.
Computers = bad babysitters
Management w/power to fire people = good babysitters

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp