How to block inbound FTP connection on a Domain Controller from Public Network
Folks, I have a domain controller which runs the FTP service. I want to block port 21 from the public network. So far this is what I have done:

1. Modified the Domain Controller Policy.
   1a. Windows Firewall.
   1b. Blocked port 21 for inbound connections from the Public network.
2. Enforced the policy.

I am still able to connect to this server from outside. What am I missing? Any help will be highly appreciated.

Thanks.
Ash
January 14th, 2011 11:23pm

On Sat, 15 Jan 2011 04:18:51 +0000, Jujiro wrote:

> 1b. Blocked port 21 for inbound connection from Public Network.
> 2. Enforce the policy.
> I am still able to connect to this server from outside. What am I missing? Any help will be highly appreciated.

If your DC is behind a NAT then the requests are still, as far as your DC is concerned, coming from the internal network.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device? It is now pitch dark. If you proceed, you will likely fall into a pit.
January 15th, 2011 12:59am

Hi Paul, Thanks. I totally understand your point. Yes, the DC is behind a hardware firewall. I suppose, if I run the FTP server on a different port, establish a new port to external 21, and block port 21, then I should be good?

Ash
January 15th, 2011 11:08am

Hello, Just block FTP access from the outside using your firewall. You don't need to change the port or anything. If people are accessing FTP from the outside now, that means that you have a NAT rule that allows outside access (through the firewall) and forwards it to the FTP server. Disable this rule and your FTP will ONLY be available to inside users (users on your private subnet).

Miguel
Miguel Fra / Falcon IT Services Computer & Network Support, Miami, FL Visit our Knowledgebase and Support Sharepoint Site
January 15th, 2011 1:01pm

Hello Miguel, There is no outside firewall. I am using Windows Firewall. There is only one NIC on this machine so I cannot distinguish between local traffic and public traffic.

Thanks.
Ash
January 28th, 2011 10:18am
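An added example, not code from any poster in this thread, for the situation described above (one NIC, Windows Firewall only, no perimeter device). Windows Firewall assigns one profile (Domain, Private or Public) to the whole network connection, not to individual source addresses, so on a domain-joined DC a rule scoped to the Public profile never matches any traffic. The alternative is to scope the FTP allow rule by remote address. The script assumes Windows Server 2012 or later (NetSecurity and NetConnection cmdlets), an elevated session, and that the profile's default inbound action is Block; the RFC 1918 ranges are constructed placeholders for whatever internal networks actually exist.

```powershell
# Added example (not from the thread). Assumptions: domain-joined DC with one NIC,
# Windows Server 2012+, elevated PowerShell. Rule names printed in step 3 depend on
# the FTP server installed; nothing below is specific to one product.

# 1. Windows Firewall picks ONE profile per network connection, not per source
#    address. A DC that can reach its own domain sits in the Domain profile, so a
#    block rule scoped to the Public profile never applies, whatever the client IP.
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory

# 2. Narrowing an allow rule only helps if everything not allowed is dropped:
#    DefaultInboundAction must be Block on the active profile(s).
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction

# 3. Enumerate every enabled inbound allow rule for TCP/21, in every profile.
$ftpRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '21' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
$ftpRules | Format-Table DisplayName, Profile, Enabled

# 4. Scope those rules by REMOTE ADDRESS instead of by profile. 'LocalSubnet' is a
#    built-in keyword for the NIC's own subnet; the RFC 1918 ranges are constructed
#    placeholders for any other internal networks that legitimately use FTP.
$internalClients = @('LocalSubnet', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$ftpRules | Set-NetFirewallRule -RemoteAddress $internalClients

# 5. Verify the scope actually changed on the live rule.
$ftpRules | Get-NetFirewallAddressFilter | Format-Table RemoteAddress

# 6. Passive-mode FTP opens a separate data-channel rule (a TCP port range rather
#    than port 21). Scope any such rule the same way, or the control channel is
#    closed while the data channel stays reachable from outside.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -like '*FTP*' } |
    Format-Table DisplayName, Profile
```

Scoping by remote address sidesteps the single-NIC problem entirely: the rule no longer cares which profile the connection is in, only where the packet claims to come from. That is still only a host-level control, and it does nothing about the other services a DC must expose to its clients, which is the point Miguel makes in the following reply.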

Hello, Having a DC exposed to the Internet like that is very, very risky. Your DC has critical ports open to effectively communicate with its LAN clients. I think having a hardware firewall in front of your DC is a security necessity.

Miguel Fra / Falcon IT Services Computer & Network Support, Miami, FL Visit our Knowledgebase and Support Sharepoint Site
January 28th, 2011 11:46pm
