How to Configure the Windows Server 2012 R2 Firewall

Applies to

SecureAuth IdP 9.1.x on Windows Server 2012 R2

Introduction

This article explains how to manage the Windows Advanced Firewall on a SecureAuth IdP appliance. For documentation on configuring a perimeter firewall, see the support document Network Communication Requirements for SecureAuth IdP 9.1 - 9.2.

Configuration Steps

Firewall Settings Management

Windows Firewall with Advanced Security is a host-based firewall included with Windows Server 2012 and enabled by default on all SecureAuth IdP appliances. Firewall settings within Windows Server 2012 are managed from within the Windows Firewall MMC (Microsoft Management Console). Do the following to review and configure firewall settings:

Open Windows Firewall with Advanced Security
Using the Windows interface...
a. Click Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security
b. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue
Using the command prompt...
a. Open a command window
b. Type wf.msc and press Enter
c. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue
First review the Required Rules to ensure they are securely configured, then review the Optional Rules to see which of them should be activated in your environment

Required Rules

DNS

By default, the DNS rules on the SecureAuth IdP Appliance allow it to communicate with any DNS server for greater ease during the initial configuration. Post configuration security best practices recommend restricting communication to only trusted DNS servers on your network. Follow the instructions below to only include DNS traffic from DNS servers within your organization.

Select Outbound Rules on the left side of the management console
Select the rule titled Core Networking - DNS (UDP-Out) and in the Actions section of the management console, click Properties
In the Core Networking - DNS (UDP-Out) Properties window, select the Scope tab
In the Remote IP Address section, select the These IP Addresses: radio button and click Add
In the IP Address window, enter the IP for your trusted DNS server
When you have finished adding all of the IPs for your DNS servers, click OK to accept the changes
Description
Direction
Port
Protocol
Outbound rule allowing DNS requests over UDP
Outbound
53
UDP
Select the rule titled SecureAuth - Allow DNS (TCP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow DNS (TCP-Out) Properties window, select the Scope tab
In the Remote IP Address section, select the These IP Addresses: radio button, and click Add
In the IP Address window, enter the IP for your trusted DNS server
When you have finished adding all of the IPs for your DNS servers, click OK to accept the changes
Description
Direction
Port
Protocol
Outbound rule to allow DNS requests over TCP
Outbound
53
TCP

Description	Direction	Port	Protocol
Outbound rule allowing DNS requests over UDP	Outbound	53	UDP

Description	Direction	Port	Protocol
Outbound rule to allow DNS requests over TCP	Outbound	53	TCP

Network Time Protocol (NTP)

By default, the NTP rule on the SecureAuth IdP Appliance allows it to communicate with any (S)NTP server for greater ease during the initial configuration. Post configuration security best practices recommend restricting communication to only trusted (S)NTP servers on your network. Follow the instructions below to permit NTP traffic only to servers within your organization.

Select Outbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow NTP and in the Actions section of the management console, click Properties
In the SecureAuth - Allow NTP Properties window, select the Scope tab
In the Remote IP Address section, select the These IP Addresses: radio button and Add
In the IP Address window, enter the IP for your trusted (S)NTP server
When you have finished adding all of the IPs for your NTP servers, click OK to accept the changes
Description
Direction
Port
Protocol
The preferred (S)NTP server
Outbound
123
UDP

Description	Direction	Port	Protocol
The preferred (S)NTP server	Outbound	123	UDP

Remote Desktop

By default, a SecureAuth IdP Appliance allows any IP address to initiate a Remote Desktop session for greater ease during the initial configuration. Post configuration security best practices recommend restricting communication to only trusted IPs or a range of trusted IPs to maximize security on the appliance. Follow the instructions below to restrict Remote Desktop traffic.

Select Inbound Rules on the left side of the management console
Select the rule titled Remote Desktop - User Mode (UDP-In) and in the Actions section of the management console, click Properties
In the Remote Desktop - User Mode (UDP-In) Properties window, select the Scope tab
In the Remote IP Address section, select the These IP Addresses: radio button and click Add
In the IP Address window, enter an IP or network range
When you have finished adding all of the IPs or network ranges, click OK to accept the changes
Description
Direction
Port
Protocol
Allow RDP traffic for Remote Desktop
Inbound
3389
UDP
Select the rule titled Remote Desktop - User Mode (TCP-In) and in the Actions section of the management console, click Properties
In the Remote Desktop - User Mode (TCP-In) Properties window, select the Scope tab
In the Remote IP Address section, select the These IP Addresses: radio button, then click the Add button
In the IP Address window, enter an IP or network range
When you have finished adding all of the IPs or network ranges, click the OK button to accept the changes
Description
Direction
Port
Protocol
Allow RDP traffic for Remote Desktop
Inbound
3389
TCP

Description	Direction	Port	Protocol
Allow RDP traffic for Remote Desktop	Inbound	3389	UDP

Description	Direction	Port	Protocol
Allow RDP traffic for Remote Desktop	Inbound	3389	TCP

Optional Rules

Active Directory / LDAP

If the SecureAuth IdP Appliance will be communicating with a Microsoft Active Directory (AD) domain controller or an LDAP server, the following rules must be enabled and configured:

Select Outbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow Active Directory-LDAP (TCP-Out)
In the SecureAuth - Allow Active Directory-LDAP (TCP-Out) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP for an AD/LDAP server
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound traffic to AD/LDAP
Outbound
88,389,636,3268,3269
TCP
Select the rule titled SecureAuth - Allow Active Directory-LDAP (UDP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow Active Directory-LDAP (UDP-Out) Properties window, select the General tab.
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP for an AD/LDAP server
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound traffic to AD/LDAP
Outbound
88,389
UDP

Description	Direction	Port	Protocol
Allow outbound traffic to AD/LDAP	Outbound	88,389,636,3268,3269	TCP

Description	Direction	Port	Protocol
Allow outbound traffic to AD/LDAP	Outbound	88,389	UDP

Active Directory Password Reset

If the SecureAuth IdP Appliance will be using Microsoft Active Directory as a Data Store and you would like to leverage the Password Reset IdM functionality, the following rules must be enabled and configured:

Select Outbound Rules on the left side of the management console.
Select the rule titled SecureAuth - Allow Active Directory Password Reset (TCP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow Active Directory Password Reset (TCP-Out) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP for an Active Directory Domain Controller
When you have finished adding all of the IPs, click OK to accept the changes.
Description
Direction
Port
Protocol
Allow outbound traffic to AD for Password Reset
Outbound
139,445,464
TCP
Select the rule titled SecureAuth - Allow Active Directory Password Reset (UDP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow Active Directory Password Reset (UDP-Out) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP for an Active Directory Domain Controller
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound traffic to AD for Password Reset
Outbound
445,464
UDP

Description	Direction	Port	Protocol
Allow outbound traffic to AD for Password Reset	Outbound	139,445,464	TCP

Description	Direction	Port	Protocol
Allow outbound traffic to AD for Password Reset	Outbound	445,464	UDP

Joining a Domain

If the SecureAuth IdP Appliance will be joined to a Microsoft Active Directory domain, the following rules must be enabled and configured:

Select Outbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow Domain Membership (TCP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow Domain Membership (TCP-Out) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP for an Active Directory Domain Controller
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound traffic for AD Domain
Outbound
389,636,3268,3269,88,445,139,1025-5000,49152-65535
TCP
Select the rule titled SecureAuth - Allow Domain Membership (UDP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow Domain Membership (UDP-Out) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP for an Active Directory Domain Controller
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound traffic for AD Domain
Outbound
389,88,445,137,138,1025-5000,49152-65535
UDP

Description	Direction	Port	Protocol
Allow outbound traffic for AD Domain	Outbound	389,636,3268,3269,88,445,139,1025-5000,49152-65535	TCP

Description	Direction	Port	Protocol
Allow outbound traffic for AD Domain	Outbound	389,88,445,137,138,1025-5000,49152-65535	UDP

SQL

If the SecureAuth IdP Appliance will use a SQL server as a Data Store and/or for reporting, the following rule must be enabled and configured:

Select Outbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow SQL and in the Actions section of the management console, click Properties
In the SecureAuth - Allow SQL Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and In the IP Address window, enter an IP address for a SQL server
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound SQL traffic
Outbound
1433
TCP

Description	Direction	Port	Protocol
Allow outbound SQL traffic	Outbound	1433	TCP

SMTP

If the SecureAuth IdP Appliance will send One Time Passwords (OTP) via Email, the following rule must be enabled and configured:

Select Outbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow SMTP and in the Actions section of the management console, click Properties
In the SecureAuth - Allow SMTP Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP address for a SMTP server
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound SMTP traffic
Outbound
25
TCP

Description	Direction	Port	Protocol
Allow outbound SMTP traffic	Outbound	25	TCP

Syslog

If the SecureAuth IdP Appliance will be using Syslog for reporting, the following rule must be enabled and configured:

Select Outbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow Syslog and in the Actions section of the management console, click Properties
In the SecureAuth - Allow Syslog Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP address for a Syslog server
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound Syslog traffic
Outbound
514
UDP

Description	Direction	Port	Protocol
Allow outbound Syslog traffic	Outbound	514	UDP

RADIUS

If the SecureAuth IdP Appliance will be hosting the RADIUS service, the following rule must be enabled and configured:

Select Inbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow RADIUS and in the Actions section of the management console, click Properties
In the SecureAuth - Allow RADIUS Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter an IP address for a RADIUS server
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound RADIUS traffic
Outbound
1812,1813
UDP

Description	Direction	Port	Protocol
Allow outbound RADIUS traffic	Outbound	1812,1813	UDP

SecureAuth Filesync Service

If the SecureAuth IdP Appliance will be participating in a FileSync cluster, the following rules must be enabled and configured:

Select Outbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow SecureAuth Filesync Service (TCP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow SecureAuth Filesync Service (TCP-Out) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter the IP address of another cluster member
Repeat step 6 until all cluster member IPs (except for the one being configured) have been entered
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound Filesync Service traffic
Outbound
139,445
TCP
Select the rule titled SecureAuth - Allow SecureAuth Filesync Service (UDP-Out) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow SecureAuth Filesync Service (UDP-Out) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and In the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter the IP address of another cluster member
Repeat step 12 until all cluster member IPs (except for the one being configured) have been entered
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow outbound Filesync Service traffic
Outbound
137,138
UDP
Select Inbound Rules on the left side of the management console
Select the rule titled SecureAuth - Allow SecureAuth Filesync Service (TCP-In) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow SecureAuth Filesync Service (TCP-In) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter the IP address of another cluster member
Repeat step 21 until all cluster member IPs (except for the one being configured) have been entered
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow inbound Filesync Service traffic
Inbound
139,445
TCP
Select the rule titled SecureAuth - Allow SecureAuth Filesync Service (UDP-In) and in the Actions section of the management console, click Properties
In the SecureAuth - Allow SecureAuth Filesync Service (UDP-In) Properties window, select the General tab
In the General section, select the Enabled checkbox and click Apply
Select the Scope tab, and in the Remote IP Address section, select the These IP Addresses: radio button
Click Add, and in the IP Address window, enter the IP address of another cluster member
Repeat step 21 until all cluster member IPs (except for the one being configured) have been entered
When you have finished adding all of the IPs, click OK to accept the changes
Description
Direction
Port
Protocol
Allow inbound Filesync Service traffic
Inbound
137,138
UDP

Description	Direction	Port	Protocol
Allow outbound Filesync Service traffic	Outbound	139,445	TCP

Description	Direction	Port	Protocol
Allow outbound Filesync Service traffic	Outbound	137,138	UDP

Description	Direction	Port	Protocol
Allow inbound Filesync Service traffic	Inbound	139,445	TCP

Description	Direction	Port	Protocol
Allow inbound Filesync Service traffic	Inbound	137,138	UDP

In this section: