Step 2: Allowing Network Traffic for a Program by Using an Outbound Rule

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In this step, you create a rule for CLIENT1 to allow outbound traffic on TCP port 23 to reenable the Telnet client program. When creating a rule, we recommend that you be as specific as possible about the program and traffic so that you do not unexpectedly allow or block another program. In this example, you allow the Microsoft Telnet client that is included with Windows, and allow it to use only port 23 outbound.

To create an outbound allow rule

  1. On MBRSVR1, in Group Policy Management Editor, in the Firewall Settings for Windows Clients GPO, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then expand Windows Firewall with Advanced Security - LDAP://{GUID},cn=policies,cn=system,DC=contoso,DC=com.

  2. Right-click Outbound Rules, and then click New Rule.

  3. On the Rule Type page, click Custom, and then click Next.

Note

If you select the Port rule type, you can only specify the local port number to allow. We want to allow remote port 23. Therefore, specify the Custom rule type.

  4. On the Program page, select This program path, type %windir%\system32\telnet.exe, and then click Next.

  5. On the Protocol and Ports page, change the Protocol type to TCP.

  6. In the Remote ports list, click Specific Ports, type 23 in the text box, and then click Next.

Note

Be sure to specify the Remote port, not Local. This differs from the inbound rules you set earlier, because this rule applies to the client instead of the server.

  7. On the Scope page, click Next.

  8. On the Action page, select Allow the connection, and then click Next.

  9. On the Profile page, clear the Private and Public check boxes, and then click Next.

  10. On the Name page, type Allow Outbound Telnet TCP 23, and then click Finish.

Now that you have the rule created, deploy it to CLIENT1 and test it.

To deploy and test your outbound allow rule

  1. On CLIENT1, in an Administrator: Command Prompt, run the command gpupdate /force, and then wait until the command has finished.

  2. Run the command telnet mbrsvr1.

  3. The connection succeeds because TCP port 23 traffic from the Telnet client can now pass outbound through the client's firewall, and the inbound rule you created earlier lets it pass inbound through the server's firewall.

  4. Type exit, and then press ENTER to end the Telnet session.
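The following script is an added example, not part of this guide: it creates the same program-scoped rule in the local firewall policy of a test client (the guide deploys it through the GPO instead), verifies the rule's properties, and then checks reachability of port 23 with a plain socket. Because the socket is opened by powershell.exe rather than telnet.exe, the program-scoped rule does not cover it, so the test returns $false while the Domain profile's default outbound behavior is Block and $true only after the restore step below; that contrast is exactly why the guide recommends scoping rules as tightly as possible. The server name mbrsvr1 is taken from the guide; the English field names matched in the netsh output are an assumption (netsh output is localized).

```powershell
# Added example (not from the guide). Run from an elevated PowerShell prompt on the test client.
$RuleName   = "Allow Outbound Telnet TCP 23"
$TelnetPath = Join-Path $env:windir "system32\telnet.exe"
$Server     = "mbrsvr1"   # server name used in the guide

# Same scope the wizard used: this program only, TCP, remote port 23, outbound, Domain profile only.
netsh advfirewall firewall add rule name="$RuleName" dir=out action=allow `
    program="$TelnetPath" protocol=TCP remoteport=23 profile=domain enable=yes
if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$RuleName'" }

# Verify the rule landed with the intended properties (field names assumed to be English).
$shown = netsh advfirewall firewall show rule name="$RuleName" verbose
if (-not ($shown -match 'RemotePort:\s+23')) { throw "Rule present but remote port is not 23" }
if (-not ($shown -match 'Direction:\s+Out'))  { throw "Rule present but direction is not Out" }
$shown

# Show the Domain profile's default policy: BlockOutbound while Step 1 is in force,
# AllowOutbound once the restore procedure has been applied.
netsh advfirewall show domainprofile | Select-String 'Outbound'

# Reachability check using a raw TCP socket. This runs inside powershell.exe, which the
# program-scoped rule does NOT cover, so it is blocked under the BlockOutbound default and
# succeeds only after outbound connections that match no rule are allowed again.
function Test-Tcp23 {
    param([string]$ComputerName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 23, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
Test-Tcp23 -ComputerName $Server
```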

To simplify the rest of this guide, disable the default outbound block behavior.

To restore the default outbound firewall behavior

  1. On MBRSVR1, in Group Policy Management Editor, (editing Firewall Settings for Windows Clients) right-click Windows Firewall with Advanced Security – LDAP://CN={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click Properties.

  2. On the Domain Profile tab, change Outbound connections to Allow, and then click OK.

  3. On CLIENT1, at an Administrator: Command Prompt, run the command gpupdate /force.

  4. On CLIENT1, in the Windows Firewall with Advanced Security MMC snap-in, click Windows Firewall with Advanced Security on Local Computer, and then verify that Outbound connections that do not match a rule are allowed is enabled in the Domain profile.

Next topic: Deploying a Basic Domain Isolation Policy