Locked down RDS Server

Good morning,
I followed this tutorial to lock down my RDS Server but I have one issue.
http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
When users are in an app they try to attach a file and Explorer defaults to the C: My Documents. Is there a way to change it so it defaults to their network drive?
Also, how can I have their local drives redirect to the RDS server?
Thanks,
Derek

Hi Derek,
Please disable the below policy setting and verify.
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Do not allow drive redirection
More information.
Make Local Devices and Resources Available in a Remote Session
https://technet.microsoft.com/en-in/library/cc770631.aspx
Hope it helps!
Thanks.
Dharmesh Solanki

Similar Messages

  • Trying to lock down DNS server settings to force use of OpenDNS

    I'm trying to lock down my time capsule on my home network to only allow outgoing DNS traffic to go through OpenDNS. I  have an 18 year old son, with his own computer, who bypasses my OpenDNS by entering the DNS settings for Google on his Windows 7 machine. I have no control over his machine, only my router.
    A discussion on the OpenDNS forums mentions blocking port 53 and forcing all DNS traffic through the OpenDNS server settings I've entered into my router, but I can't see any way to do this on the time capsule. Am I missing something?

    There is nothing you can do.. TC do not have access to firewall.. at least for ipv4.
    You need a much better router.. bridge the TC and grab a Netgear WNDR3800 and run Gargoyle firmware. The power will be put back in your hands.. then he will buy his own 3G connection.. maybe at 18 it is rather too late.

  • Best Practise to lock down server 2012 for Junior Admins

    We require locking down the desktop for junior admins. Essentially we would like for them to only access specific tools and applications.
    Below are examples of specific tools they would require access to. However, if we want to block out everything else, then what is the best way to go about that? I would imagine a combination of group rights? How best to handle this?
    Examples
    All Programs->Accessories->System Tools->System Information. then export report.
    "ipconfig /all"
    go to Run and then type "systeminfo" and capture all data.

    You can use security group and delegation of administration model.
    http://technet.microsoft.com/en-us/library/cc755982(v=WS.10).aspx
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com

  • Exchange 2013 with Outlook on RDS Server is extremely slow

    Exchange 2013 CU5 on Server 2012 R2 fresh install/new to domain; Outlook 2010 or 2013 on Remote Desktop server not in cached mode is slow to open, search and send messages with attachments.  Opening messages and opening attachments runs quickly.  
    My test mailbox has 300kb worth of mail in it and sending a message with a 5Mb attachment locks up Outlook for close to 1 minute and takes another 30 to 90 seconds to disappear from the outbox and move to sent items.  This issue does not present
    itself in OWA.  My current testing RDS environment is a fresh install of Server 2008 R2 with Outlook 2013.  No additional add-ins or AV running on the Exchange server or the test RDS server.
    When cached mode is enabled, Outlook runs better as shown in Outlook 2010 (+ Exchange 2013) works extremely slow; however, I don't consider this an option because there isn't enough drive space on the RDS server to cache all of the user profiles.  
    Other Exchange environments - Outlook 2010 or 2013 in an RDS environment (non-cached) with Exchange 2007 or 2010 - don't show the same performance issues.  Moving within Outlook and sending large attachments runs quickly.
    I have checked Exchange throttling settings and monitored logs, but have not found cases where my test user is being throttled.  I have also looked at turning off IPv6 based on another post's suggestion; however, I have seen conflicting information
    about disabling IPv6 for Server 2012 R2, so I have not yet gone down this path.
    The Exchange server is a VM on a new VMware host and has assigned 8 cores from Intel Xeon E5-2640 procs and 16GB RAM; 1TB thick provisioned database volume on a RAID 5 array with 6 x 10k RPM SAS drives.  Disk queues are low on the Exchange server (in
    the .20 to .70 range).  My test RDS server is on the same VMware host on the same vSwitch.  Another test system is on a different system, but exhibiting the same behavior.

    Hi,
    How about the suggestion from Festivalman?
    Feel free to contact me if there is any update.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • RD Session Host lock down best practice document

     
    Hello,
    I am currently working on deploying an RDS Farm. My farm has several RD Session Host servers. Today I learned that you can do some bad things to the RD Session Hosts if a user presses
    CTRL + Alt + End when having an open session. I locked all of this down using different GPOs, which include disabling access to Task Manager, cmd, locking the server, reboot and shutdown, etc.
    However, that being said, how would I know what else to lock down, since I am new to this topic? I tried to find some Microsoft document about best practices for what should be locked down, but I wasn't
    successful, and unfortunately a search in the forum did not bring up anything else.
    With all the different features and options Windows Server 2008 R2 has, I do not even know where to start.
    Can someone please point me in the right direction?
    Thank you
    Marcus

    Hi,
    The RD Session Host lock-down best practices are different for each business; every enterprise admin can only find the solutions most suitable for them based on their IT infrastructure.
    I collected some resource info for you.
    Remote Desktop Services: Frequently Asked Questions
    http://www.microsoft.com/windowsserver2008/en/us/rds-faq.aspx
    Best Practices Analyzer for Remote Desktop Services
    http://technet.microsoft.com/en-us/library/dd391873(WS.10).aspx
    Remote Desktop Session Host Capacity Planning for 2008 R2
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CA837962-4128-4680-B1C0-AD0985939063&displaylang=en   
    RDS Hardware Sizing and Capacity Planning Guidance.
    http://blogs.technet.com/iftekhar/archive/2010/02/10/rds-hardware-sizing-and-capacity-planning-guidance.aspx
    Technical Overview of Windows Server® 2008 R2 Remote Desktop Services
    http://download.microsoft.com/download/5/B/D/5BD5C253-4259-428B-A3E4-1F9C3D803074/TDM%20RDS%20Whitepaper_RC.docx
    Remote Desktop Load Simulation Tools
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c3f5f040-ab7b-4ec6-9ed3-1698105510ad
    Hope this helps.
    Technology changes life……

  • Windows 2012r2 Remote desktop services: session based: Locked down

    I am trying to lock down the remote desktop services sessions , just like I did with windows 2003 TS.
    I am following this article :
    http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
    I have done everything up to "disable registry modifications".
    I stopped to check if the changes made were in effect before continuing.
    What did work is the disable server manager popup at user logon.
    Nothing else seems to have taken effect: just to mention a few
    Microsoft administrative tools,
    network and sharing center.
    ABCD drives are still being seen.
    What did I miss?
    regards
    Leopold
    (First time I am doing GPO with > MS 2003, so maybe I am doing something wrong.)

    Hi Leopold,
    Here is a related article for you:
    How to restrict users from accessing local drives of an RD Session Host server while using RemoteApp programs
    http://blogs.msdn.com/b/rds/archive/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs.aspx
    If the group policy setting doesn’t take effect, please log off users then log back on.
    If the issue persists, please run GPresult.exe to determine whether the setting is applied to users.
    Gpresult
    https://technet.microsoft.com/en-us/library/cc733160.aspx?f=255&MSPPError=-2147217396
    Best Regards,
    Amy

  • How do I lock down an iPad from having certain apps removed?

    Hello,
    We are a Microsoft-based enterprise that has purchased iPad 2 devices as a means of reducing costs of wireless services as well as integration with the 3G adapter (to reduce damage and theft). While I have had great success with the iPhone Configuration Utility and an MDM server, I need to ensure that users cannot remove the Find My iPad App which we use to track employees and ensure they do not lose or steal the device (since they can't remove the battery).
    What can I do to lock down this app from being removed and also, I want to give these employees access to load whatever they wish on these iPad units. We control their access through a VPN to a Microsoft Terminal Server and with Microsoft Exchange but I don't want iTunes and the CEO's credit card being used to purchase apps. Any ideas anyone? I know that this can be done and if not, it will be done by me.
    Brian Tate
    Information Technology Manager
    Grand Texas Homes Inc
    http://www.grandhomes.com

    I'm not sure about the apps, but to prevent theft, you'll also need to disable the power button and the ability to restore the iPad. You might also want to superglue in your SIM card because if they remove that, it won't be tracked unless they connect to WiFi.
    Also, I'm not so sure it is an app on the iPad. I think it is built into the mail, calendar and contacts options if you have a Mobile me account.  http://www.apple.com/ipad/find-my-ipad-setup/

  • Directory preferences in a locked down PC environment

    How do I change:
    ide.pref.dir
    ide.pref.dir.base
    ide.user.dir
    ide.work.dir
    ide.work.dir.base
    user.home
    so that they don't reference a windows path like \\<server>\<user>$, but <drive letter>:\Oracle\sqldeveloper instead
    We use locked down PCs (with no access to the A: and C: drives). And when we start SQLD we get 16 dialogue windows saying that it cannot access the A: drive, to which we press the continue button. You also get the message when using the File navigator and the File->Open or File->Save functions.
    On upgrade from 1.5.1 to 1.5.4 the number of dialogue windows dropped from 16 to 2.
    We also always lose our connections and have to reimport from a saved file every morning.
    A response to thread Connections fail to load at startup by user user641239 at 1-sep-2008 0:59 seems to have the solution - except it requires access to regedit. We don't have that. It's much too painful to get SQLD part of the PC build at the customer, so we need to be able to configure without resorting to regedit.
    Any help appreciated.
    Nic
    Edited by: Nic Atkin on 17-apr-2009 2:41
    Edited by: Nic Atkin on 17-apr-2009 2:54

    Hi FurryOne,
    There is a way to hide both A: and C: - but you need Windows Administrator rights to do it. Not possible in a locked down PC, So I'll live with it for now.
    I was also having the Configure File Type Associations at startup everytime problem (see Re: Configure File Type Associations at startup everytime).
    So, my current solution looks like this:
    AddVMOption -Dide.pref.dir.base=M:\Oracle\
    AddVMOption -Dide.pref.dir=M:\Oracle\sqldeveloper
    AddVMOption -Dide.user.dir.base=M:\Oracle\
    AddVMOption -Dide.user.dir=M:\Oracle\sqldeveloper
    AddVMOption -Dide.work.dir.base=M:\Oracle\
    AddVMOption -Dide.work.dir=M:\Oracle\sqldeveloper
    AddVMOption -Duser.home=M:\
    AddVMOption -Dno.shell.integration=true

  • Forward facing locked down machines... kiosk?

    Hey everyone,
    So I have done a lot of research on this topic, but have yet to find an end-all solution to my conundrum. I have many machines in my network that are forward facing and public use reference terminals that connect to a database of books and things. These
    machines are not and should not be used for casual internet browsing so we have manually locked them down. These machines currently run IE10 Win7x32. The windows side locking down is no problem. But we are having a BIG issue with the current way we allow specific
    sites and lock out all others. 
    In our system, we have an abundance of allowed sites for quick research purposes that these machines are allowed to access. Still technically reference information. For the sake of argument, we have about 25 sites including the main database site that should
    be allowed through a proxy or other filtering system. Currently, we have this proxy based with exceptions built into IE... however, there is around a 255 char limit on that input box (for whatever reason).
    So that brings me to my current solution that is not quite working correctly. I have configured a .PAC script and stored it on a server that these machines can access and an msi for IE10 branding using the IEAK for IE10. This .PAC script does not seem to
    be working the way it should. I got the idea from a site I didn't save, but the basic idea is below:
    function FindProxyForURL(url, host) {
        // variable strings to return
        var proxy_yes = "PROXY 255.255.255.255:8080";
        var proxy_no = "DIRECT";
        if (shExpMatch(url, "*.google.com")) { return proxy_no; }
        // Proxy anything else with yes
        return proxy_yes;
    }
    So, my understanding is this would run when sites are accessed, if it matches the if statements it passes and if it doesn't, it defaults to proxy_yes which doesn't exist and thus doesn't load. The ADMX configures the proxy itself and everything should be
    great. 
    My main question: is there a better way to allow sites through to a machine WITHOUT loading the pages first. A simple whitelist/blacklist doesn't necessarily work because it, as far as I understand, still loads the pages but does not display them. Currently,
    it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong. It doesn't seem like the list from our previous installation from GP is being overridden using this method, and it doesn't
    apply to new machines connected to the policy. Of course, I know it is applying because other functions, like the content rating system that I accidentally left on, have caused some problems in the past. 
    We will be upgrading these machines to newer optiplex models and installing Windows 8, so if there is a more effective solution that only works in windows 8, I am willing to try it. 
    Thanks in advance for the help, you guys are always awesome! 

    Hi,
    >>Currently, it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong.
    In addition to IEAK 10, to configure proxy for IE 10 on Windows 7, if our most up-to-date domain controller is Windows Server 2012 or R2, we can use Group Policy Preferences
    Internet Settings extension to configure the proxy setting. Besides, we can also choose to install Remote Server Administrative Tools on a Windows 8 or 8.1 client and manage group policy settings from this client.
    Moreover, another way is that we can try using Group Policy Preferences Registry extension to configure the proxy settings for IE10 on Windows 7.
    Regarding this point, the following thread can be referred to as reference.
    Proxy settings not applying to IE above 8
    http://social.technet.microsoft.com/Forums/en-US/3b0f54d7-7293-49dc-9e3f-e8799c20265b/proxy-settings-not-applying-to-ie-above-8?forum=winserverGP
    Best regards,
    Frank Shen
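
An allowlist PAC file of the kind the question describes, as an added example (not code from the post or from Microsoft): it matches on the `host` argument, because `url` carries the scheme and path and a pattern such as `*.google.com` will not match it. The domain names are constructed placeholders; the unreachable proxy value is the one used in the post.

```javascript
// Added example: allowlist PAC file for a kiosk / reference terminal.
// Written in ES3-style JavaScript so older PAC engines can parse it.

// Constructed placeholder domains (assumption): replace with the real list.
var ALLOWED_DOMAINS = [
  "catalog.example.org",    // hypothetical main database site
  "reference.example.com"   // hypothetical research site
];

// Same "black hole" proxy value as in the post: nothing listens there,
// so requests sent to it fail before any page content is fetched.
var BLOCK = "PROXY 255.255.255.255:8080";
var ALLOW = "DIRECT";

// Lower-case the host and drop a trailing dot so that
// "CATALOG.EXAMPLE.ORG." and "catalog.example.org" compare equal.
function normalizeHost(host) {
  host = String(host || "").toLowerCase();
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1);
  }
  return host;
}

// True when host is an allowed domain or a subdomain of one.
// The leading "." in the suffix check keeps "notcatalog.example.org"
// from matching "catalog.example.org".
function hostAllowed(host) {
  host = normalizeHost(host);
  if (host === "") {
    return false;
  }
  for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
    var domain = ALLOWED_DOMAINS[i];
    if (host === domain) {
      return true;
    }
    var suffix = "." + domain;
    if (host.length > suffix.length &&
        host.substring(host.length - suffix.length) === suffix) {
      return true;
    }
  }
  return false;
}

// Entry point called by the browser for every request.
// Default-deny: anything not on the list goes to the dead proxy.
function FindProxyForURL(url, host) {
  return hostAllowed(host) ? ALLOW : BLOCK;
}
```

A PAC file is only a browser setting, so anyone who can change proxy settings or start another client bypasses it; enforce the same list on the egress firewall or proxy as well.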

  • Tuxedo transaction branch in GMTREADY and cannot finish it without shutting down weblogic server

    Trying to reproduce a problem in an application, we have deployed a servlet in a
    weblogic 8.1 sp2 server, doing the following:
    1. Begin a transaction
    2. Call a tuxedo service (tuxedo 6.5) via tuxedo gateway "A"
    3. Call another tuxedo service (tuxedo 6.5) via tuxedo gateway "B"
    4. Before committing the transaction in the servlet, we shut down tuxedo gateway "B"
    5. After commit, the transaction branch via gateway "A" remains indefinitely in GMTREADY
    state, while the transaction branch via gateway "B" gets GMTABRTONLY after timing
    out.
    After commit (which fails, doing a rollback), the transaction is not reported as in-flight
    in weblogic server. We cannot finish the transaction branch in GMTREADY state. Only
    after shutting down weblogic server, and after an undetermined time (sometimes a lot),
    is the transaction branch rolled back.
    While the transaction is not rolled back, all locks in the DB remain active.
    How could we finish that branch without shutting down weblogic server, or, if
    not, how could we control the time in which the transaction is rolled back?

    We opened a case with BEA eSupport and the servlet problem was a bug. Engineering
    got a
    temporary patch that seems to solve the problem. The case continues, trying to
    solve our original problem (the servlet was to reproduce the situation).
    Thank you very much.
    Jose Emilio Ortega.
    "Todd Little" <[email protected]> wrote:
    >
    Hi Jose,
    Can you provide a little more information. In particular, what are the
    JTA timeout
    values configured for your WLS application? Did you set the interoperate
    setting
    to Yes under the WTC local access point's connection settings? When
    you begin
    the transaction in the servlet, do you specify a timeout value and if
    not, do
    you know what your thread's default transaction timeout value is?
    If possible, can you post or e-mail your WLS's config.xml and the domain
    configuration
    files for the two Tuxedo domains (not the UBB files, although those would
    be helpful
    as well.)
    Thanks,
    Todd

  • Wireless Controller locking down User per SSID

    I am using Wireless Controller 4112. We use WPA enterprise mode for authentication and encryption via Microsoft IAS server and MS AD domain.
    My question is how to lock down a user to a specific SSID? I would guess that this is via some vendor specific radius attributes, am I right? And if so, what would be the name (and ID) for the attributes?
    Thanks in advance.

    Making progress in setting up the wireless controller with multiple VLAN and WLAN/SSID. I create a virtual interface at the controller and assign a VLAN number to it. The controller mgmt port is also set to a trunk port. Create a new SSID WLAN and have it mapped to the new virtual interface. Things work good.
    The new problem I am trying to solve is how to prevent wired users from accessing the controller admin web interface via the virtual interface IP. I tried to create an ACL and map it to the virtual interface. It doesn't seem to be working.

  • Application.cfc & locking down media files

    Hi,
    I've used a login framework for the Application.cfc (from
    Forta's CF8 book chapter 23). It successfully locks down .cfm
    files, but media/image files such as .jpg are still unsecure.
    What am I missing to make sure that even no matter what's in
    the folder, whether it be .jpg, .gif, .mov, .swf, etc... will only
    be accessible if the site visitor has the proper login credentials?
    I could probably "lock" the media files away in a database
    structure, but that's not very efficient. I'm sure CF8 has an easy
    way to handle this that I just don't know about.
    Thank you for your help!

    Azadi wrote:
    > the only secure way to not allow access to a web content is to not put
    > it on the web. cf never processes those 'media' files you mention - it
    > is your web server that handles requests for them.
    >
    > so either:
    > a) move those files into non-web-accessible part of your server and
    > serve them with cf via file system interaction tags/functions and
    > cfcontent/cfheader combinations
    > b) configure cf to process those files instead of your web server
    >
    > mind you, both options above may add significant processing overhead to
    > your application, so balance the need to secure access to those files
    > and your app performance wisely...
    >
    As well as these CF solutions mentioned by Azadi, you can look into the
    security options of your web server and try to apply them. These work
    differently than the ColdFusion based solution, but they get to the same
    end.

  • Locked down Administrator profiles

    Hi,
    we're having a strange issue on our terminal servers.
    We have some GPOs to lock down normal user profiles which only apply to our TS users and not to administrators.
    When we create a new user profile for an Administrator he gets a locked down profile e.g. no right click in start menu, no icons in control panel...
    Existing administrator profiles work fine.
    When I check the registry under "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" there are many settings set to 1 (like NoChangeStartMenu, NoManageMyComputerVerb). If I change them to 0 everything is working fine.
    We have already disabled all GPOs and also removed the server from the Domain. It also happens when we create a new local user.
    We have tried to copy the default user profile from another server but we still get a locked down profile.
    Has anyone had the same issue?
    Regards

    Ok there are some files in %windir%\system32\grouppolicy:
    %windir%\system32\grouppolicy\machine\Citrix\GroupPolicy\Policies.gpf
    %windir%\system32\grouppolicy\user\Citrix\GroupPolicy\Policies.gpf
    %windir%\system32\grouppolicy\gpt.ini
    If I delete these files I can successfully create a new Admin profile!
    Is it safe to delete all those files?

  • Add RDS server in HomeSite

    Had to reinstall MX7 suite and forgot how to set up RDS
    server in homesite so i can view my dBs.
    my dbs are internal (testbed) so have no username or
    password.
    also trying to connect, created several listings... can i
    delete these??
    tnx in advance.

    When you are in the Developer Mappings area the first tab is
    Debug Start and has a drop down for RDS server and there is an
    option to add one. Add a new one and once you are done you will be
    able to browse tables.
    You can also add one from the Files resource window with the
    drop down list of your file system. There is a selection in there
    for RDS. This will bring up the RDS sites navigator where you can
    delete or add RDS entries.

  • Locking Down & Creating Exceptions

    We have seven school district buildings which includes an administration
    building. Each school has its own server set on NW6.5SP5 and BM3.8SP4 as
    well as Zen 7. The admin bld has two servers, one for the building and one
    is our web/e-mail server using GW 7.0.2HP and Apache2. It also has GWava
    running with Kaspersky A/V (e-mail) and both servers are our DNS servers.
    If I set the default filters (to lock down the system) with BM, all
    connectivity is lost, which it should be. However, I've not been able to
    figure out the correct filters to set to allow traffic into and out of the
    web server and e-mail, i.e., if I lock down the building server no one can
    get to their e-mail or access the web server but can access the Internet via
    the BM proxy.
    I have Craig's books but guess I need a little more detail and pictures. Is
    there a book out there for those of us with A.D.D. that will walk me through
    creating a filter one-step-at-time including saying what each step is
    for/doing or what will be accomplished?
    I need to lock down each of the servers, but can't because, although users
    can get out to the Internet via the BM Proxy, they still don't have access
    to GroupWise from the client and / or Novell's iFolder, and Instant
    Messaging, of course. If I go to iManager 2.6 and attempt to create
    exceptions for GW, iFolder and IM, the filter exceptions are created but
    don't make a difference.
    Sorry to drag on so long, but we've had an incident happen in the last month
    and we need to make the network more secure but still allow users to such
    things as the Internet, GW, iFolder, etc.
    Any suggestions and/or ideas would be appreciated,
    Tim

    >> In article <[email protected]>, Tim Ferguson wrote:
    >> When I say "Yes" to create a secure system when running BRDCFG, all outside
    >> access is blocked or isn't it supposed to be?.
    >> When you do that, it blocks all traffic to and from the public interface, and
    >> then adds some default exceptions intended to allow the VPN and certain
    >> proxies to work. (It will not overwrite any exceptions you might already
    >> have in place that would allow too much traffic through).
    >> The only way to the Internet
    >> is through the proxy, and VPN traffic is ok. Traffic on the VPN and the
    >> private IP network is fine, or should be, correct?
    >> Should be, correct.
    >> For Example:
    >> I have a user at 192.168.30.150 that needs to access his GW e-mail using the
    >> GW client to the server at 209.xxx.xxx.163, port 1677, but can't once the
    >> "secure system" is set. Realistically, we should set his client to check
    >> the private IP of the e-mail server at 192.168.20.1, port 1677, correct?
    >> Well...
    >> I'm not clear if you are trying to have the client access the GW process from
    >> inside or outside the LAN. Normally if you have a client on the inside of the
    >> LAN, that client should always be pointed to the internal IP address of a
    >> process, not the public IP address.
    I was talking about each teacher's workstation GW client, all of which are inside the VPN-created LAN
    >> If the GW process (POA, here) is running on the BMgr server itself, it is most
    >> likely listening on all IP addresses, and you need to make sure the internal
    >> address (unfiltered) is being used when inside the LAN.
    We have seven buildings, six schools and the administration building. Each building has its own BorderManager server. Each building has its own T-1 circuit. The buildings are connected by a BorderManager VPN (IKE). The web/mail server at the administration building is the VPN master.
    Currently each workstation's GW client (in each building) is set to the GW server's (MTA, POA, GWIA, WEBACC) public IP. Setting the filters to create a secure system would kill this capability, correct?
    >> If the process is being static NAT'd to that public address, you should not be
    >> able to access it from the inside (using the public address) with filters up
    >> or not.
    We are using "dynamic" NAT in each building. I only use "static" NAT when I create a secondary IP to my office computer so I can access it from home. NAT is then set to "dynamic and static" and not "static" only.
    >> If the process is being proxied to the public address, you could access it on
    >> the public address, as long as filter exceptions were added to allow the
    >> traffic from private to public, but it would be better to just point to the
    >> internal address.
    The process is not being proxied to the public address, was never able to get that configured and working.
    >> Often this means you just set up an internal DNS server.
    Explain further, please. Each of the two servers at the administration building is a public DNS server. To create an internal DNS server, it would be set just to the private IP's of most of the same objects on the public DNS servers?
    >> Should I then: (1) Create an exception on his building's server (the
    >> gateway) using the public interface to let his client out on port 1677? And
    >> (2) Create an exception on the mail server using the public interface to
    >> allow port 1677 in, and use a stateful filter exception on both so traffic
    >> goes both ways? or (3) ???
    >> If the client is on the inside of the LAN, you definitely should be pointing
    >> the client to an internal IP address.
    >> If the client is on the outside of the LAN (laptop taken home, for instance,
    >> or a home PC using GW client), then you have options:
    >> 1. GW running on a BMgr server
    YES
    >> 2. GW running internally, proxied to a public address
    NO
    >> 3. GW running internally, static NAT'd to a public address.
    NO
    From home or otherwise outside the private LAN, we use the GW server's public IP from the GW client.
    >> With 1 and 2, the filter exceptions are the same. With 3, they are different.
    >> I have examples for each in the filtering book.
    >> With 2, you not only have to have filter exceptions (public to public), you
    >> also have to have proxy configured and running AND access rules.
    >> With 3, you just need to have static NAT configured, filter exceptions, and a
    >> default route on the GW server. This option is the most common one I see.
