Configure Packet Filters to Block Access to Domain Controllers

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

For the DirectAccess Setup Wizard to run, at least one physical interface of the DirectAccess server must not be in the domain profile. Windows Firewall places an interface in the domain profile when a domain controller for the domain of which the computer is a member is reachable through that interface. The Internet interface of the DirectAccess server is attached to the perimeter network. If the perimeter network contains a domain controller, such as a read-only domain controller (RODC), Windows Firewall will place the Internet interface in the domain profile, and the wizard cannot run. To keep the Internet interface out of the domain profile, configure outbound block rules, scoped to the addresses of the Internet interface, that deny connectivity to the IP addresses of the perimeter network domain controllers. Blocking only those destination addresses leaves the rest of the Internet interface's outbound traffic unaffected.

To complete these procedures, you must be a member of the local Administrators group, or otherwise be delegated permissions to create Windows Firewall rules. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To add packet filters to prevent access to domain controllers from the Internet interface

  1. On the DirectAccess server, click Start, click Run, type wf.msc, and then press ENTER.

  2. In the console tree, right-click Outbound Rules, and then click New Rule.

  3. On the Rule Type page, click Custom, and then click Next.

  4. On the Program page, click Next.

  5. On the Protocol and Ports page, click Next.

  6. On the Scope page, in Which local IP addresses does this rule apply to?, click These IP addresses, and then click Add. In IP Address, specify the Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses of the Internet interface of the DirectAccess server, and then click OK.

  7. In Which remote IP addresses does this rule apply to?, click These IP addresses, and then click Add. In IP Address, specify the IPv4 or IPv6 addresses of the domain controllers that are reachable from the Internet interface of the DirectAccess server, and then click OK.

  8. Click Next.

  9. On the Action page, confirm that Block the connection is selected, and then click Next.

  10. On the Profile page, clear Domain, and then click Next.

  11. On the Name page, specify a name for the rule, and then click Finish.
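The same rules created from the command line, as an added example that is not part of the original topic: it uses netsh advfirewall, the firewall scripting interface available on Windows Server 2008 R2, from an elevated PowerShell prompt. The rule names, the Internet interface addresses, and the domain controller addresses are placeholders from documentation ranges and must be replaced with your own; the script mirrors the wizard settings above (custom rule, any program, any protocol or port, scoped by local and remote address, action Block, Domain profile cleared).

```powershell
# Added example, not from the original topic. Creates the outbound block rules described
# in the procedure above with netsh advfirewall (Windows Server 2008 R2 has no NetSecurity
# cmdlets). Run from an elevated PowerShell prompt on the DirectAccess server.
# All addresses below are placeholders (RFC 5737 / RFC 3849 documentation ranges).

# The procedure requires local Administrators membership (or delegated firewall rights).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated prompt."
}

# Assumed: addresses bound to the Internet (perimeter-facing) interface of the DirectAccess server.
$internetIPv4 = @("203.0.113.10", "203.0.113.11")
$internetIPv6 = @("2001:db8:1::10")

# Assumed: addresses of the domain controllers (for example an RODC) reachable from that interface.
$dcIPv4 = @("203.0.113.250")
$dcIPv6 = @("2001:db8:1::250")

function Add-DcBlockRule {
    param(
        [string]$Name,
        [string[]]$LocalIPs,
        [string[]]$RemoteIPs
    )
    if ($LocalIPs.Count -eq 0 -or $RemoteIPs.Count -eq 0) {
        Write-Warning "Skipping $Name because no local or remote addresses were supplied."
        return
    }
    # Equivalent of the wizard choices: Custom rule, any program, any protocol and port,
    # scoped to the Internet interface's own addresses (localip) and the DC addresses (remoteip),
    # action Block, applied to the Private and Public profiles only (Domain cleared, step 10).
    $argList = @(
        "advfirewall", "firewall", "add", "rule",
        "name=$Name",
        "dir=out",
        "action=block",
        "protocol=any",
        "localip=$($LocalIPs -join ',')",
        "remoteip=$($RemoteIPs -join ',')",
        "profile=private,public",
        "enable=yes"
    )
    $output = & netsh.exe @argList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed creating rule '$Name': $output"
    }
}

# One rule per address family keeps each rule's scope easy to read and audit.
Add-DcBlockRule -Name "DA-BlockPerimeterDC-IPv4" -LocalIPs $internetIPv4 -RemoteIPs $dcIPv4
Add-DcBlockRule -Name "DA-BlockPerimeterDC-IPv6" -LocalIPs $internetIPv6 -RemoteIPs $dcIPv6

# Check 1: the rules exist with the intended scope and action before running the DirectAccess Setup Wizard.
netsh advfirewall firewall show rule name=DA-BlockPerimeterDC-IPv4 verbose
netsh advfirewall firewall show rule name=DA-BlockPerimeterDC-IPv6 verbose

# Check 2: which profiles are currently active. Once the perimeter DCs are unreachable through the
# Internet interface, that interface should no longer be listed under the Domain profile.
netsh advfirewall monitor show currentprofile
```

Profile assignment is re-evaluated by Network Location Awareness, so the Internet interface may keep showing as Domain until detection runs again; disabling and re-enabling that adapter forces a fresh evaluation. The rules are scoped to the Internet interface's own addresses, so the internal interface's connectivity to domain controllers is not affected, which is what the DirectAccess server itself needs in order to stay domain-joined.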
