Firewall recommendations

Does anyone know of a good freeware firewall for Solaris?
IPF and SXCE 111 and 113 don't play nice together and gnome-terminal doesn't update the login records as it should.
Thanks in advance,
alan

I'm not sure exactly which service does this but apparently if you disable a service that is not listed in the ipfilter manifest file then it effectively makes ipfilter not block anything.
Not sure which "other" service that I disabled did this but rolling back to the default services import reset ipfilter back to working.
alan

Similar Messages

  • Security/Firewall recommendations for DirectAccess 2012 (Dual-NIC Edge Configuration)

    Hello all,
    We have installed and configured DirectAccess 2012 with the Edge Configuration with the thought that we would be able to install TMG directly on this server (as we did with the original 2008 DirectAccess/UAG). It appears that we cannot install TMG on Server
    2012 R2, so now we have a server directly connected to the outside world with public IP's assigned to it and no firewall other than Windows Firewall. I know that most organizations choose to configure DirectAccess behind an Edge device (hindsight being perfect,
    we should have as well) however we did not and it appears that we can't easily change this without completely reconfiguring DirectAccess (which took several days to get it right).
    So my question: What are the security/firewall recommendations for a DirectAccess server in an Edge scenario? I've Googled this and have not found much. Thanks in advance,
    Brad
    -Brad

    It's always good to have a firewall in front of a domain-joined machine, and of course the DA server is not an exception.
    Server 2012 can work behind a firewall with NAT functionality enabled or disabled.
    If you have a fully functional DA with the EDGE profile enabled, you can still configure any firewall (without NATing functionality) without changing the configuration settings in DA.
    Also you can have TMG protecting your existing DA setup. Below is the link for it.
    http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html
    Please let me know, how it goes.

  • Ms exchange server

    I have 2 locations. Each location has its own .com address. We have mail set up with MS Exchange on each location's server. I have an email address at each location. How do I receive mail from location 1 while I am at location 2?

    Sounds like you just want to send email to and from these addresses.  Here are the things that you would need:
    Connect the servers to the Internet - either thru a firewall (recommended) or directly
    If thru a firewall, open port 25 (inbound & outbound) and have inbound 25 forwarded directly to your Exchange server's IP address
    On each Exchange server, set up a Send Connector (http://technet.microsoft.com/en-us/library/aa998662(v=exchg.150).aspx)
    Talk to your ISP or DNS provider about using MX records.  At a minimum, publish an A record for your domain that points to the public ip address.
    If you want to receive email, configure your receive connector (http://technet.microsoft.com/en-us/library/jj657447(v=exchg.150).aspx)
    If you want contacts created in the local Exchange environment for each user located in the remote environment, you can either do this manually thru PowerShell (example 1) or look for a dirsync solution.
    Hope this answers what you are looking for.

  • MicroCell Dropped Calls

    If by failing you mean the light panel going dark and then coming back, that is either related to sporadic power outages, house wiring from the outlet, a failing AC adapter, or the MicroCell itself having issues with its power board. Even during an update by AT&T, which happens on occasion and usually late at night, the power will blink out momentarily and then the unit will reset itself if that's required for the update to take.
    I wouldn't place the MicroCell in direct sunlight. It does generate some heat and the added extra heat from an external source is not good for it over time. They should have plenty of ventilation around them. Mine sits about 6" away from a north-facing window so it gets light in the summertime but not direct sunlight. In fact, all of my MicroCells have been in the same location.
    If by failing you mean losing connection to your phones, I still say it has something to do with your setup. Did you see my post about the pfSense configurations?

    The problem is dropped calls using the ATT MicroCell. Sometimes we look at the MicroCell when we experience a problem and all or some of the lights are off, then slowly coming back to green. But that is not always the case; sometimes calls drop and the MicroCell shows no changes in the lights. Without the MicroCell we get a signal range from 0 to 4 bars on our iPhones (4s and 5s) that varies by time of day and location in the house. Neither phone is more or less impacted and we drop every other call or more when that call is longer than about 5 minutes. The MicroCell is the older type with the antenna connector (which is not used).
    History:
    - Installed MicroCell in 2012. At that time we had UVerse and it was connected directly to the UVerse device. ATT indicated that our local cell tower was getting overloaded during rush hour (it is located near a major highway) and reducing power in order to shed users. Since we live some distance away we would just lose our service; it seems we had no other tower to go to. The situation was elevated to a special case of some sort, a bunch of network analysis was run over a few weeks, and then we were essentially given a MicroCell. The MicroCell always dropped calls, no matter where it was located, but it was better than no service at all during rush hour and I assumed that it was the bad UVerse service.
    - In 2014, after experiencing a lot of problems with UVerse reliability, we switched to Comcast, which was 20% cheaper and 5 to 8 times the speed and much lower packet loss. As part of this change we installed our own Zoom modem 5341J and a pfSense certified firewall (dumped our older SonicWall). We reconnected the MicroCell and got about the same performance with respect to dropped calls.
    Today:
    - Recently, after reading a bunch of posts here, I relocated the MicroCell from the basement upstairs and near a window in an attempt to reduce the dropped calls. Has not helped. We've rotated the MicroCell 90 degrees, and moved it around to no avail. The MicroCell is currently hardwired as MicroCell -> HP Procurve 1810 Switch -> Netgate pfSense Certified Firewall -> Zoom Modem. WiFi endpoint is currently about 6 feet away (but was more than 20 ft away before the MicroCell was moved). Our house was built for us in 2011 and contains all new CAT 6 wiring which the MicroCell uses. We have changed the wiring runs, switch ports, etc. to no avail. We have 59.45 Mbps upload, 5.98 Mbps download, 45 ms latency, 7 ms jitter according to www.att.com/speedtest on Sunday morning Aug 9, 2015 at 8:58 CST. For the speed test the laptop was hardwired to the HP Switch. This seems consistent with our firewall logs that show WAN latency of 9 ms to the first hop and no packet loss around the same time. Prior to Saturday our WAN latency was around 2 ms, but seems to have jumped up over the weekend. I can provide full quality and traffic graphs going back to December 2014. To date we have not been able to correlate dropped calls to local traffic or quality anomalies. We do not show any consistent packet loss to the first hop. In the last 24 hours packet loss had a maximum of 0.4%, average of 0.0%, and minimum of 0.0% and in the last 8 hours 0.0% min, max, average. Our switch shows zero errors on our LAN.
    - The Question? How do I make our cell phone service more reliable? Having previously designed and managed network services and being an amateur radio operator I have some fundamental understanding of potential problems. Which probably makes me the worst type of customer to have to support, since it means I am not very accepting of the standard, “Do you have it plugged in?” questions. What I lack is a good understanding of the MicroCell and what in detail is happening when our calls drop, even after reading the on-line MicroCell guide by OttoPylot and FAQs by ATT.
    I do not have my firewall inbound ports open. I have no problem opening them if I was given a domain where requests should come from, but the docs (ATT Firewall recommendations) just say open’em up baby and that's not going to happen. The docs don’t give any reason for having NTP port inbound open. In this day and age, and in this security environment, just opening up 5 inbound ports from any source around the globe seems less than professional. Plus I get a pretty consistent but low number of random blocked requests inbound to the firewall (someone is searching for something). It makes no sense, based on what I know today, that a MicroCell using a secure tunnel would need inbound ports open. All inbound communications should use the secure tunnel, but I may not know the complete story.
    The other difference is that the interfaces on the firewall are set to automatic MTU size. Both sides of the firewall generally show MTU of 1500. I’ve tried 1492 and it did not seem to make a difference so they are set back to automatic.
    Now if someone has some technical information that explains why any of the above should be changed, then I would be happy to evaluate it. But the problem does not seem to be configuration, since it works some of the time. It appears that the problem is reliability. My firewall and switch are commercial quality, the MicroCell and cable modem are consumer quality. How do I figure out a solution without spending hours on the phone with a customer support person that thinks my IQ is 5? Now that all of our cell phone contracts are done in September, this reliability problem will feature significantly in our decision to continue with ATT after 25 years.

  • How to enable recommended settings in the Firewall in my network

    Situation: we are using Windows 7 Pro on client machines in a domain environment. Windows Firewall is turned on by default. But we install Symantec Endpoint Protection, which has a built-in firewall. Every time we install a new version of Symantec, Windows Firewall shows that it is not using the Recommended settings. When this happens, we have problems pinging machines, connecting via RDP or sending files in our instant messaging application. One can press the "Use the recommended settings" button and after providing the administrator password the error goes away. After the next system startup Symantec takes over this page and there is a message that Symantec is managing firewall settings. Everything works fine till another Symantec program update (not the definitions).
    I'm trying to find a way to "press that button" automatically, so I can deploy it to all users, preferably via GPO. But so far I haven't found a way. It looks like GPO only allows changing single options, not applying some scheme. Yet if I compare settings on two machines (one with error, one without) it shows the same result - all Network Connections > Windows Firewall > etc. settings are Not Configured.
    I have found this topic https://social.technet.microsoft.com/Forums/windows/en-US/1c35af41-6e48-479f-a71f-3a16e119d828/windows-firewall-not-using-recommended-settings?forum=itprovistanetworking
    But if I check permissions for that key on both machines, permissions are the same (though not Full).

    Did that resolve your issue? If yes, please mark your answer to help others!
    Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

  • I have a 6.1.6 MAC desktop and my bank has recommended anti-virus software and turn on Firewall - require advise please

    I have a 6.1.6. MAC desktop and my on-line bank has recommended I download  separate anti-virus software and turn on Firewall
    Please advise
    Thank you
    Karinband

    I concur with Etresoft. If they persist in their demands for you to install AV software and turning on a firewall, ask to speak to a manager of the bank and suggest to them that you are seriously considering changing banks. That usually changes their tune.

  • My online bank has recommended we turn on Firewall and download an anti-virus programme.  Understood MAC is already protected please advise

    I have a MAC desktop version 6.1.6.
    My online Bank has recommended Firewall turned on and download a separate anti-virus programme.
    Please advise and we understood MAC  has anti-virus built in
    Kind regards
    Karinband

    Do not download anti-virus programs for your Mac. They do not need them. Have you got Java disabled? If so, turn it on again for the duration of your work with the bank, then turn it off.
    This is what to do with iMacs 10.6.8 or earlier.   Incidentally, you really should update your profile, questions may apply to some versions and not others.   Your iMac cannot be 6.1.6.

  • Unable to restore Windows recommended firewall settings

    I received an HP Support Assistant notification that my Network firewall was off. I also saw that Norton internet security and antivirus protection had somehow disappeared from my computer. (My service contract is still active and current.) I used Norton's remove (though there was nothing there to remove) and reinstall program to restore the Norton program first, then went to Windows Firewall > Customize settings to turn the firewall back on.
    But when I click the "Use recommended settings" button, I get the following error message: Windows Firewall can't change some of your settings. Error code 0x80070424
    I also tried Windows Firewall with Advanced Security on Local Computer, but get the following error message: There was an error opening the Windows Firewall with Advanced Security snap-in ...The Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code 0x6D9
    I'm just a little bit computer-literate, but not enough to figure this one out. Any help would be appreciated. Thanks!

    Hi, If Norton is running correctly it will disable the Windows firewall and use its own.  There is no need to use the Windows firewall. You may have to go thru the Windows add/remove programs and again run the Norton Remove. Now try reinstalling Norton.

  • The recommended number of IP addresses to block, which can be added to one rule Windows Firewall

    Good afternoon.
    Interested in the question, I need to create a rule to deny access the server with the specified IP address. List of large - about 50 thousand. So how can I add an IP rule blocking connections from IP addresses. If they will be in Rule 10000 does not affect whether it is the speed of the server and of the whole will be any changes in your work?
    The bottom line is that I have added 10,000 IP rule. Through the API Windows Firewall, I realized that the maximum number of IP addresses that I can add is equal 10000 (10001 already swears "array bounds are invalid"). Rule added - these IP-addresses are blocked. The question is - Will the fact that the rule as many IP addresses on the server rate.
    Is it possible to set this rule remotely on multiple servers?

    Hi,
    I can't find any document about this limitation.
    But it is not recommended to add so many rules in Windows Firewall. It will be resource intensive.
    Could you use the wildcard? It can reduce the number of the rules.
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Recommend firewall appliance to use with AEBS?

    My ISP provides me only with a bridge modem - no firewall, etc. I'd like to install a hardware firewall between my AEBS and the modem.
    Any recommendations for something effective, reliable, and easy to admin?
    Also, should I worry about things like Deep Packet Inspection? This is just a home network, but I'd like to err on the secure side...

    FWIW, I am currently using the following combination and it is working quite well for me:
    Internet Modem > Cisco RVS4000 > 802.11n AirPort Extreme Base Station (AEBSn), where ">" represents an Ethernet connection.
    In this configuration, my AEBSn is bridged and the Cisco is providing both the router and hardware firewall services.

  • Need firewall/ router / nat / vpn recommendation

    As the title states, I'm looking for an all-in-one hardware solution (not software) that will work seamlessly with our Xserve. Right now we are using a consumer grade Linksys vpn/router as a temporary solution. We also have a business series Linksys 24-port switch, so I don't need the router to handle any of that.
    We have about 15 users in the office. The vpn will need to support about 3-5 users at any one time, both Mac and Windows clients. We would like to utilize PPTP since it is easier to setup. The internet is provided via Cox cable and sits around 5MB of bandwidth.
    Any recommendations would be greatly appreciated. I would prefer to base this purchase on those who use a solution in a production environment as opposed to hearsay.
    Thanks in advance.

    We use a SonicWALL TZ 170 for that, and it works fine. The current product is the TZ 180, its replacement, which is a bit faster. The TZ 180 can handle 5 MB bandwidth with Intrusion Prevention Services on (signature watching on packet inspection); about 6 MB is the real limit for the TZ 170 with IPS (don't believe the marketing sheets that say faster). With 15 users in your office, you might want the PRO 2040 rather than the TZ 180 for increased processor power. Avoid the 1260, which is essentially just a TZ 170 with a switch on the back end.
    Supports the major VPN protocols. If you want to use IKE, you will need the Equinux VPN Tracker client for the Macs (SonicWALL doesn't have a Mac VPN client). Note that their Vista VPN client is now in beta, people are having mixed results with it. No Vista 64 bit VPN client is even announced.
    We have used it for several years with Mac VPN (VPN Tracker) from iMacs at our homes to our Xserve G5 and LAN, works fine. SonicWALL support is Mac hostile, they claim it doesn't work with Macs. Hogwash. Be prepared for Bob from Bangalor for the Level 1 and Level 2 support people, who seem untrained on the product line. The Level 3 support people are good, except when you get the anti-Macintosh bigots.
    If you need to do NAPT (NAT with port translation), you will have to get the SonicOS Enhanced OS. SonicOS Standard can do NAT but not port translation. The learning curve on SonicOS Standard is not that bad; SonicOS Enhanced is a very different animal - more powerful and featured but more difficult to set up.
    Sonic's business model is to pretty much give the hardware away and make it up on support contracts/licenses for firmware/hardware support, IPS, Anti-Spyware, Anti-Virus licensing, etc. The hardware is reliable.
    Hope that helps,
    Russ
    Xserve G5 2.0 GHz 2 GB RAM   Mac OS X (10.4.8)   Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u

  • Need recommendations for virus/firewall protection on iphone-i believe my iphone has a virus because i keep getting 20 no info e-mails and then all my inbox is wiped out!

    Does anyone have suggestions for virus protection/firewall/etc on iPhone 3GS? I believe I have a virus on my phone because several times, all my inbox mail is wiped out and also I get about 20 bogus e-mails with no content/with weird dates/cannot be deleted.

    Unless you have jailbroken your iphone it does not have a virus.
    There is no malware affecting legit iphones.
    It sounds like your e-mail account has been hacked, NOT your iphone.

  • Converting a Palo Alto Firewall to a Cisco ASA - recommendations?

    I've seen some tools for converting ASA's to PA... but not the other way around. Anyone come up with a good method? (scripts, tools, etc?)
    Thanks in advance!

    Hi,
    I couldn't find any. Maybe someone else has it, but Google didn't show up anything for me :) nor did internal search. I would suggest contacting your account team and see if they can assist you with migration.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Recommend router/firewall for SMB

    Hello all,
    How do you guys manage server updates and patching? Suppose we have around 10 physical servers and 5 virtual machines in an environment or a datacenter. Do you use any software? Do we have to test the patches before updating a production environment?
    If yes, how is it possible to test all those updates?
    Can you guys guide me pls.

    It was known inside the InfoSec community, but now more details have been made public through CNN after a BlackHat 2015 presentation: "Three years ago, the world witnessed the worst hack ever seen. And for the first time, we're now learning new details about the monstrous cyberattack on Saudi Aramco, one of the world's largest oil companies. In a matter of hours, 35,000 computers were partially wiped or totally destroyed. Without a way to pay them, gasoline tank trucks seeking refills had to be turned away. Saudi Aramco's ability to supply 10% of the world's oil was suddenly at risk. US intelligence officials believe the attackers to be Iranians, and they did not just erase data on 30,000 Aramco computers; they replaced the data with an image of a burning US flag. And one of the most valuable companies on Earth was propelled back...

  • Cannot install any apps from Creative Cloud in corporate environment.  Suspected Firewall issues.

    Hello all. 
    I subscribed successfully and easily to CC on my home PC (iMac) and downloaded a few apps.  All is fine. 
    I wanted to download those same few apps on a remote machine I use several times a week (Win 7).
    After many many attempts of trying to download CC and getting a generic error message, I learned it could be a firewall issue here at this work/office. I found this in Adobe's forums:
    Many organizations use a hardware firewall and proxy server that can prevent software from accessing an FTP server. A hardware solution applies to all computers within the corporate network. Most home networks do not use hardware firewall or proxy technology. 
    Contact your company's IT department to obtain firewall or proxy information.
    Configure your browser with proxy or firewall information.
    Configure your corporate firewall to by-pass the servers. The following servers are accessed:
    ccmdl.adobe.com:80
    swupmf.adobe.com:80
    swupdl.adobe.com:80
    Having nothing to lose, I put in a request and had these addresses/ports opened up in our firewall.  That seems to partially fix the problem.
    Now the problem is the speed and traffic is so terribly slow with CC that nothing installs without failing and giving an error. For example, I am trying to install PhotoShop CC and it will take a couple of HOURS to even get to 10% and then it fails.  Usually, it doesn't get that far.  CC just gives me the generic message:
    "Installation Failed - Learn More."
    Download error.  Press Retry to try again or contact customer support.(-7).
    Our network admins swear that there is nothing wrong with the ports/firewall and yet all this works fine at my home.  Can anyone offer any suggestions or advice?  My internet connection here is fine.  All other sites load and work fine.  I simply cannot download any of the CC apps here with any reasonable speed.
    Help!
    PS - The URLs and ports ping just fine.

    Hi RedBirdOBX1,
    I'd recommend checking out the two pdf documents in the
    Adobe Creative Cloud Service Access Documentation for IT section on this page:
    http://www.adobe.com/devnet/creativesuite/enterprisedeployment.html
    Adobe Creative Cloud Network Endpoints
    Adobe Creative Cloud Controlling Service Access
    and if you're still struggling this might be another alternative:
    http://prodesigntools.com/adobe-cc-direct-download-links.html
    Hope that helps,
    -Dave
