Firewall: Deny All - Allow Only Whitelisted?

We have a new DA 2012 R2 server deployed and it's working well. However, I'd like to deny all access to our internal network and only allow traffic to whitelisted servers. This seems pretty straightforward with the combination of GPO and the firewall block list. I've tested it and it seems to apply the policy almost immediately on the client and deny the traffic.

If I want to block all, is allowing (whitelisting) IPv4/IPv6 to the DA server and to our AD servers adequate to allow a user to continue to connect via DA and log into their workstation via their AD account?

Also, although we cannot alter our base network infrastructure at this point, is there perhaps another way I can accomplish this using DA?

April 23rd, 2015 10:59pm

Hello Matt,

You can configure DirectAccess ONLY to manage remote clients, meaning users will not be able to connect to ANY internal resources apart from DC/SCCM/AV servers, or only the servers you specify.

Here is the article on how to configure this: https://technet.microsoft.com/en-us/library/jj574200.aspx

Once you are done configuring as per the above article, you can add the servers one by one (the ones you want to whitelist) to the so-called "Management Servers" list in the DA wizard.

So traffic to all other destinations will be blocked, apart from the servers on the list you specify.

Please let me know how it goes.

  • Proposed as answer by Vasu Deva 18 hours 12 minutes ago
  • Marked as answer by Matt336 17 hours 12 minutes ago
April 24th, 2015 9:12am
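The steps Vasu describes are done in the DA wizard; as an added example (not from the thread or from the linked TechNet article), here is the same configuration applied with the RemoteAccess PowerShell module on the DirectAccess server: the deployment is switched to managing remote clients only, and the hosts to whitelist are added to the management server list, then listed back for review. The server names and IP addresses are placeholders, and the cmdlets used (Set-DAServer -DAInstallType, Add-DAMgmtServer, Get-DAMgmtServer, Remove-DAMgmtServer) are assumed to be the ones shipped with the RemoteAccess module on Windows Server 2012 R2.

```powershell
# Added example, not part of the original thread.
# Run in an elevated PowerShell session on the DirectAccess server itself.
Import-Module RemoteAccess

# Placeholder whitelist for this example: the DA server, the domain
# controllers the clients authenticate against, and the management
# servers (SCCM, AV) that must stay reachable from remote clients.
# Entries may be DNS names or IPv4/IPv6 addresses.
$whitelist = @(
    'da01.corp.example',      # placeholder DirectAccess server
    'dc01.corp.example',      # placeholder domain controller
    'dc02.corp.example',      # placeholder domain controller
    'sccm01.corp.example',    # placeholder SCCM server
    '10.0.5.20'               # placeholder AV server, by IPv4 address
)

# 1. Restrict DirectAccess to managing remote clients only. After this,
#    the tunnel to internal resources is limited to the management
#    server list rather than the whole internal network.
Set-DAServer -DAInstallType ManageOut

# 2. Add every whitelisted host to the management server list.
#    -MgmtServer accepts an array, so the whole list goes in one call.
Add-DAMgmtServer -MgmtServer $whitelist

# 3. Review what is now reachable through DirectAccess. Anything that
#    appears here and is not on the intended whitelist should be removed,
#    for example: Remove-DAMgmtServer -MgmtServer 'oldhost.corp.example'
Get-DAMgmtServer | Format-Table -AutoSize
```

After applying this, the useful check from the defender's side is to run it against a real client: from a DirectAccess client outside the office, confirm that a domain logon and the SCCM/AV agents still work, and that a connection to an internal host that is not on the list fails. Step 3 is worth repeating whenever someone edits the list in the wizard, since the list, not a firewall rule, is now the effective allow list.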

Hello Vasu,

That worked perfectly and is so much easier to manage. Thank you!

April 24th, 2015 10:13am

Good to hear that Matt :)
April 27th, 2015 4:48am
