I have inherited a rather gross setup that I have to make work in as secure a
manner as possible. Ideally, I’d be securing with ISA 2006 but let’s proceed
knowing it’s ugly and we can’t do much about it right now:
- Single server Windows 2008 AD DC (64 bit)
- Exchange 2008 with SP1
- Basic SOHO firewall providing DSL internet access to a private subnet we’ll
call WAN.
- RRAS NAT on the server NATting on the WAN network interface on the server.
Internal clients are connected to a second network interface LAN, also a
private (but different from WAN) subnet.
I’m making some assumptive conclusions here so please correct if any of them
are flat wrong…
I have NAT Services and Ports defined but they don't seem to be restricting
traffic. They only allow HTTPS and RDP from WAN to LAN. I think this is due
to Windows Firewall superseding those NAT rules.
When I look at the WF-AdvSec interface, I see the various location profiles.
As this is a server, I can’t see it changing so it will likely always be in
Domain Profile. I further see all the default Allows that permit all the
nominal server traffic but on Any interface. This likely includes the WAN
interface, which I really don’t want.
Am I correct thus far? If so, then is there an efficient way I can restrict
these rules to only operate on the LAN interface and provide for different
rules on the LAN interface? What is required to do this?
Thanks.
Kevin
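One way to scope the default inbound rules to the LAN side on this kind of box, as an added example that is not part of the original post: Windows Firewall with Advanced Security scopes rules by local address rather than by interface name, so the script below re-scopes every enabled inbound rule whose local scope is still "Any" to the LAN NIC's address using netsh advfirewall (available on Windows Server 2008), leaving the RDP and HTTPS rules reachable from WAN. The LAN address 192.168.10.1 and the two rule names in the exception list are assumptions and must be adjusted to the real setup.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008 with
# Windows Firewall with Advanced Security managed through netsh advfirewall.
# The LAN address and rule names below are assumptions; adjust to the real setup.
$LanIp = "192.168.10.1"   # address on the internal LAN interface (assumed)

# Rules that must keep accepting traffic on the WAN interface (assumed names).
$KeepOnAnyInterface = @(
    "Remote Desktop (TCP-In)",
    "World Wide Web Services (HTTPS Traffic-In)"
)

# 1. Make the Domain profile's defaults explicit: unsolicited inbound is
#    blocked unless an enabled allow rule matches, outbound is allowed.
netsh advfirewall set domainprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

# 2. Walk every inbound rule and collect the enabled ones whose local address
#    scope is still "Any" (those also answer on the WAN interface).
$name = $null; $enabled = $false; $toScope = @()
foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
    if ($line -match '^Rule Name:\s+(.+)$') {
        $name = $matches[1].Trim(); $enabled = $false
    }
    elseif ($line -match '^Enabled:\s+Yes') { $enabled = $true }
    elseif ($line -match '^LocalIP:\s+Any') {
        if ($enabled -and ($KeepOnAnyInterface -notcontains $name) -and
            ($toScope -notcontains $name)) {
            $toScope += $name
        }
    }
}

# 3. Re-scope those rules so they only match when the server's local address
#    is the LAN address. A rule name is reused across profiles, so one set
#    command updates every copy carrying that name.
foreach ($n in $toScope) {
    Write-Host "Scoping '$n' to local address $LanIp"
    netsh advfirewall firewall set rule name="$n" dir=in new localip=$LanIp
}

# 4. Verify: the exceptions should still show "LocalIP: Any", everything
#    else should now show the LAN address.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" dir=in
netsh advfirewall firewall show rule name=all dir=in | Select-String "LocalIP:"
```

Run it from an elevated prompt; the same change can be made per rule in the WF-AdvSec console under the rule's Scope tab ("Local IP address"), which is what the netsh localip parameter sets.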