Endpoint Protection Small Business Edition


Firewall rule needs to be created in Symantec Endpoint Protection

  • 1.  Firewall rule needs to be created in Symantec Endpoint Protection

    Posted Oct 24, 2014 06:56 AM

    Hi,

    I want to create a firewall rule for SEP 12.1. The description is based upon the Windows Firewall rules given below. How can I achieve it?

    Windows Firewall Policy

    Administrators can create a custom Windows Firewall rule set to prevent Lync client traffic from entering the VPN. There are multiple options to push this policy, but this article will use the Windows Firewall snap-in to create the rules. Using group policy, administrators can follow the same configuration tasks. Deploying rules through group policy scales well in larger environments. For the scenario described below, we assume the following:

    • Corporate subnets all fall within the 10.0.0.0/8 range.
    • VPN subnet is 172.16.1.0/8.
    • A Connection type of Remote Access is shown in Windows when the VPN is connected.
    • A Network type of Domain is shown in windows when connected to the VPN.

    Note: If you are not using Windows Firewall, but want to deploy firewall rules through your VPN appliance, consider the following rules:

    Table 1. Firewall Rules to Block Lync Traffic over VPN

    Source             | Destination                                                    | Port                                                                                                          | Description
    -------------------|----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------
    Client VPN Subnets | Corporate VPN network                                          | 1024-65535 TCP/UDP (this is the default; however, these port ranges are configurable. See the QoS Deployment Guide for more details.) | Lync 2010 client media traffic to all other internal clients.
    Client VPN Subnets | All Lync Servers, including the Edge Server internal interface | All Ports TCP/UDP                                                                                             | Lync 2010 client traffic to Lync Servers; all should be blocked.

    The above rules, used in conjunction with the remaining configurations, allow you to force Lync 2010 traffic to relay through the Edge Server.

    As mentioned above, all Windows Firewall configurations shown here are created using the local Windows Firewall Snap-In.

    Windows Firewall Policy Configuration Steps

    To begin, create a new inbound rule for the Lync application (Communicator.exe). This rule needs to be a Custom rule. See Figure 2 below.

    Figure 2. New Inbound Rule Type Custom

    Next, specify the executable for Lync or Communicator (Communicator.exe) as shown in Figure 3. Although this article only covers the Lync client, the same principles can be applied to other applications such as Microsoft Office Live Meeting 2007 or the Microsoft Lync 2010 Attendee.

    Figure 3. Communicator.exe specified as the program path

    For protocols and ports, leave the default settings as shown in Figure 4. This blocks all ports and all protocols.

    Figure 4. Default Configuration for Protocol and Ports

    To scope, define the VPN subnet in the "Which local IP addresses does this rule apply to?" box, and the corporate and VPN subnets in the "Which remote IP addresses does this rule apply to?" box. See Figure 5. Defining the VPN subnet in the remote IP address field prevents hair-pinning. Hair-pinning occurs when traffic enters and leaves the same interface on a network device, such as a VPN concentrator. Blocking hair-pinning prevents two VPN-based users from sending their peer-to-peer media traffic through the VPN tunnel.

    Figure 5. VPN subnet defined as the local IP, VPN and corporate subnets defined as remote subnets.

    When in the Scope section, customize the interface type to include only Remote Access. See Figure 6. This prevents the configuration from being applied when not connected to the corporate VPN.

    Figure 6. Custom Interface Type of Remote Access selected

    For action, choose block as shown in Figure 7.

    Figure 7. Blocking configured to prevent connections from utilizing the VPN-based IP address

    In the Profile screen select Domain. See Figure 8. This ensures the settings are only applied when connected to the users’ corporate Active Directory domain. This setting cannot be used for machines that are not joined to the domain. This setting keeps the configuration from being applied when connected to VPN networks other than the users’ corporate connection with the same network numbering.

    Figure 8. Network profile type of Domain

    Give the rule a meaningful name and description; see Figure 9.

    Figure 9. Configure the name of your rule and provide a description

    After creating the inbound rule, create an outbound rule with the same configuration.



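The Windows Firewall rule set walked through in the post above, expressed as commands rather than snap-in clicks. This is an added example, not code from the original post or from Symantec, and it does not answer the SEP 12.1 side of the question: it only reproduces the Windows Firewall configuration (Custom rule, Communicator.exe, all protocols, local scope = VPN subnet, remote scope = corporate + VPN subnets, interface type Remote Access, action Block, profile Domain, inbound and outbound) using the NetSecurity cmdlets available on Windows 8 / Server 2012 and later. Two values are assumptions and not taken from the post: the Lync 2010 client install path, and a /24 prefix for the VPN pool (the post writes 172.16.1.0/8; check the prefix actually handed out by the VPN concentrator before deploying).

```powershell
# Added example: Windows Firewall rules to keep Lync 2010 client traffic off the VPN tunnel.
# Not from the original post. Values marked "assumed" are not in the post.

$LyncExe  = 'C:\Program Files (x86)\Microsoft Lync\communicator.exe'  # assumed default Lync 2010 path
$CorpNet  = '10.0.0.0/8'      # corporate subnets, as stated in the post
$VpnNet   = '172.16.1.0/24'   # assumed /24 VPN pool; the post writes 172.16.1.0/8, verify the real prefix
$RuleName = 'Block Lync 2010 media over VPN'

# The post ends with "create an outbound rule with the same configuration", so both
# directions are created from one definition to keep them identical.
foreach ($Direction in 'Inbound', 'Outbound') {
    New-NetFirewallRule `
        -DisplayName   "$RuleName ($Direction)" `
        -Description   'Forces Lync 2010 client media to relay through the Edge Server instead of the VPN tunnel.' `
        -Direction     $Direction `
        -Action        Block `
        -Program       $LyncExe `
        -Protocol      Any `
        -LocalAddress  $VpnNet `
        -RemoteAddress $CorpNet, $VpnNet `
        -InterfaceType RemoteAccess `
        -Profile       Domain `
        -Enabled       True
}

# Verification: read the rules back and show the filters that make them safe to deploy.
# Remote scope must include the VPN subnet itself (blocks hair-pinning between two VPN users),
# interface type must be RemoteAccess and profile must be Domain, otherwise the rule could
# fire on the LAN or on a third-party VPN that happens to reuse the same numbering.
Get-NetFirewallRule -DisplayName "$RuleName*" | ForEach-Object {
    $addr  = $_ | Get-NetFirewallAddressFilter
    $iface = $_ | Get-NetFirewallInterfaceTypeFilter
    $app   = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Direction     = $_.Direction
        Action        = $_.Action
        Profile       = $_.Profile
        Program       = $app.Program
        LocalAddress  = ($addr.LocalAddress  -join ', ')
        RemoteAddress = ($addr.RemoteAddress -join ', ')
        InterfaceType = $iface.InterfaceType
    }
} | Format-Table -AutoSize
```

Run from an elevated PowerShell session. On Windows 7 / Server 2008 R2, where the NetSecurity module does not exist, the same rule is created with `netsh advfirewall firewall add rule`, using `interfacetype=ras` and `profile=domain` for the two scoping settings the post relies on. Whichever tool creates the rules, the Domain-profile restriction only works for domain-joined machines, exactly as the post notes for the snap-in.
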
  • 2.  RE: Firewall rule needs to be created in Symantec Endpoint Protection

    Posted Oct 27, 2014 01:21 PM

    May want to post this as a blog