Allow users to modify firewall policies for each location based on company's base rules
Please forgive me if this information has already been posted somewhere. I just don't see it. A nudge in the right direction would be helpful.
My question is how to allow all users to have control over firewall settings BUT have a base set of rules distributed (and updated without overwriting custom rules by the user). These are technically inclined people who at times need to open ports up.
I've got this partially working. Take this for example:
I've got a client with three location types:
1) Connected locally to their domain (only)
2) Connected to their domain (either locally or via VPN) and connected to another subnet (one of their client's networks). This would be either when
a) They're connected locally in the office to the domain by VPN out to one of their clients or
b) They're connected at one of their clients or at a hotspot and VPN back into their own network
3) Hotspot / Client location (no access to their domain)
We've got different firewall settings for each location, and they seem to work (mostly) as we want. The problems will be a topic of a separate thread...
I've got the Client User Interface Control Settings set to mixed control for all locations, with the ability to manage firewall set to client.
No matter which location a user is connected to, their firewall, in unedited form, has 4 lines (Allow NDISUIO.SYS, Allow RDP, Block IPv6 over IPv4, and Allow All). We didn't set these up, and the 3 different firewall policies that we have for each location are not reflected. Has anyone else experienced this or know what the problem may be?
We need to distribute a base set of rules and then let the user go from there on a location by location basis.
The second part of this question is what would happen with updates once we get this working correctly. Take, for example, a rule that blocks all incoming IP traffic (except for those previously allowed). A user opens up access to port 12345 from IP address 184.108.40.206, which would ordinarily have been blocked by the generic block-all rule. This should work fine. If on a company basis they decide to specifically close port 12345 and remove the "block all other incoming" rule after the user has already specifically allowed 220.127.116.11 through, would the user's allow override for IP 18.104.22.168?
Message Edited by weinberk on 01-28-2008 01:32 PM
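The second question above (does a user's specific allow survive a company update that replaces "block all" with "block port 12345"?) comes down to where the user's rules sit relative to the distributed rules and what the implicit default is once the catch-all is gone. The following is an added illustration, not code from the post or from Symantec, and it does not describe how the Endpoint Protection client actually merges rules: it assumes a generic first-match evaluator (the list is walked top to bottom and the first matching rule wins), constructed TEST-NET addresses in place of the post's, and two hypothetical merge orders (user rules above base, base above user). The point it shows is that the same pair of rule sets produces opposite answers depending on ordering and default, which is exactly what needs to be confirmed for the real product before relying on it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    src: str = "0.0.0.0/0"      # source network; default matches any IPv4 source
    port: Optional[int] = None  # destination port; None matches any port
    origin: str = "base"        # "base" = company-distributed, "user" = added locally


def evaluate(rules: List[Rule], src_ip: str, dst_port: int,
             default: str = "block") -> Tuple[str, str]:
    """First-match evaluation (an assumption of this model, not a product fact):
    walk the list top to bottom and return the first rule that matches.
    If nothing matches, the implicit default decides."""
    addr = ip_address(src_ip)
    for r in rules:
        if addr in ip_network(r.src) and (r.port is None or r.port == dst_port):
            return r.action, r.name
    return default, "<implicit default>"


# Constructed policies mirroring the post's scenario (addresses are TEST-NET samples).
OLD_BASE = [Rule("block all inbound", "block")]                # original company rule
NEW_BASE = [Rule("block port 12345", "block", port=12345)]     # update: catch-all removed
USER = [Rule("user: allow 12345 from partner", "allow",
             src="198.51.100.7/32", port=12345, origin="user")]


def merge(base: List[Rule], user: List[Rule], user_above_base: bool) -> List[Rule]:
    """Combine company rules with the user's local rules in one of two orders."""
    return user + base if user_above_base else base + user


def outcome(base: List[Rule], user: List[Rule], user_above_base: bool,
            src_ip: str, dst_port: int) -> Tuple[str, str]:
    """Evaluate one packet against a merged policy; returns (action, matching rule)."""
    return evaluate(merge(base, user, user_above_base), src_ip, dst_port)


def compare_orders():
    """Tabulate the partner packet (port 12345 from the allowed host) against
    old/new base rules in both merge orders; the verdict flips with ordering."""
    results = {}
    for label, base in (("old base", OLD_BASE), ("new base", NEW_BASE)):
        for above in (True, False):
            pos = "user above base" if above else "base above user"
            results[(label, pos)] = outcome(base, USER, above, "198.51.100.7", 12345)
    return results


if __name__ == "__main__":
    for (label, pos), (action, rule) in compare_orders().items():
        print(f"{label:8} | {pos:16} | {action:5} via {rule}")
    # With the catch-all gone, unrelated traffic falls to the implicit default:
    print(evaluate(NEW_BASE + USER, "203.0.113.9", 80))
```

The useful check for the real deployment is to reproduce the same four cases on a test client: add a user allow for one host and port, push the updated base policy, then verify from both an allowed and a non-allowed host which rule is logged as matching, rather than inferring the order from the policy editor alone.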