How to configure the Windows Server 2019 Firewall
This article explains how to manage the Windows Advanced Firewall on a SecureAuth® Identity Platform appliance. For documentation on configuring a perimeter firewall, see the support document Network communication requirements for Identity Platform.
Applies to
SecureAuth Identity Platform release 19.07 or later on Windows Server 2019.
Configuration Steps
Firewall Settings Management
Windows Firewall with Advanced Security is a host-based firewall included with Windows Server 2019 and enabled by default on all SecureAuth Identity Platform appliances. Firewall settings within Windows Server 2019 are managed from within the Windows Firewall MMC (Microsoft Management Console). Do the following to review and configure firewall settings:
Open Windows Firewall with Advanced Security
First review the Required Rules to ensure they are securely configured, then review the Optional Rules to see which of them should be activated in your environment.
Required Rules
DNS
By default, the DNS rules on the SecureAuth Identity Platform Appliance allow it to communicate with any DNS server for greater ease during the initial configuration. Post configuration security best practices recommend restricting communication to only trusted DNS servers on your network. Follow the instructions below to only include DNS traffic from DNS servers within your organization.
Network Time Protocol (NTP)
By default, the NTP rule on the SecureAuth Identity Platform Appliance allows it to communicate with any (S)NTP server for greater ease during the initial configuration. Post configuration security best practices recommend restricting communication to only trusted (S)NTP servers on your network. Follow the instructions below to permit NTP traffic only to servers within your organization.
Remote Desktop
By default, a SecureAuth Identity Platform Appliance allows any IP address to initiate a Remote Desktop session for greater ease during the initial configuration. Post configuration security best practices recommend restricting communication to only trusted IPs or a range of trusted IPs to maximize security on the appliance. Follow the instructions below to restrict Remote Desktop traffic.
Optional Rules
Active Directory / LDAP
If the SecureAuth Identity Platform Appliance will be communicating with a Microsoft Active Directory (AD) domain controller or an LDAP server, the following rules must be enabled and configured:
Active Directory Password Reset
If the SecureAuth Identity Platform Appliance will be using Microsoft Active Directory as a Data Store and you would like to leverage the Password Reset IdM functionality, the following rules must be enabled and configured:
Joining a Domain
If the SecureAuth Identity Platform Appliance will be joined to a Microsoft Active Directory domain, the following rules must be enabled and configured:
SQL
If the SecureAuth Identity Platform Appliance will use a SQL server as a Data Store and/or for reporting, the following rule must be enabled and configured:
SMTP
If the SecureAuth Identity Platform Appliance will send One Time Passwords (OTP) via Email, the following rule must be enabled and configured:
Syslog
If the SecureAuth Identity Platform Appliance will be using Syslog for reporting, the following rule must be enabled and configured:
RADIUS
If the SecureAuth Identity Platform Appliance will be hosting the RADIUS service, the following rule must be enabled and configured:
SecureAuth Filesync Service
If the SecureAuth Identity Platform Appliance will be participating in a FileSync cluster, the following rules must be enabled and configured: