Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess Servers

  • Article

Updated: July 1, 2010

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

To prevent DirectAccess clients from using IP-HTTPS to connect to your intranet through your proxy servers and DirectAccess servers when they are connected to your IPv4-only intranet or an IPv4-only subnet of your intranet, you can do one of the following:

  • On your DirectAccess servers, create an inbound rule that blocks all traffic from the IPv4 addresses of your proxy servers.

  • On your proxy servers, create an outbound rule that blocks all traffic to the external (Internet) IPv4 addresses of your DirectAccess servers.

To create an inbound rule on a DirectAccess server to drop traffic from your proxy servers

  1. On the DirectAccess server, click Start, click Run, type wf.msc, and then press ENTER.

  2. In the console tree of the Windows Firewall with Advanced Security snap-in, right-click Inbound Rules, and then click New Rule.

  3. On the Rule Type page, click Custom, and then click Next.

  4. On the Programs page, click Next.

  5. On the Protocols and Ports page, click Next.

  6. On the Scope page, under Which remote IP addresses does this rule apply?, click These IP addresses.

  7. Click Add, type the IPv4 address of a proxy server in This IP address or subnet, and then click OK. Repeat this step for the additional IPv4 addresses of your proxy servers.

  8. When you have added all of the IPv4 addresses of your proxy servers, click Next.

  9. On the Action page, click Block the connection, and then click Next.

  10. On the Profile page, click Next.

  11. On the Name page, for Name, type Drop inbound proxy server traffic, and then click Finish.

To create an outbound rule on a proxy server to drop traffic to your DirectAccess servers

  1. On a proxy server running Windows Server 2008 or later, click Start, click Run, type wf.msc, and then press ENTER.

  2. In the console tree of the Windows Firewall with Advanced Security snap-in, right-click Outbound Rules, and then click New Rule.

  3. On the Rule Type page, click Custom, and then click Next.

  4. On the Programs page, click Next.

  5. On the Protocols and Ports page, click Next.

  6. On the Scope page, under Which remote IP addresses does this rule apply?, and then click These IP addresses.

  7. Click Add, type the IPv4 address assigned to an external (Internet) interface of a DirectAccess server in This IP address or subnet, and then click OK. Repeat this step for the additional external IPv4 addresses of your DirectAccess servers.

  8. When you have added all of the external IPv4 addresses of your DirectAccess servers, click Next.

  9. On the Action page, click Block the connection, and then click Next.

  10. On the Profile page, click Next.

  11. On the Name page, for Name, type Drop outbound DirectAccess server traffic, and then click Finish.