Microsoft Advanced Firewall Isolation

encoad
Hi All,

I need to set up Microsoft Advanced Firewall Isolation.  The goal is to prevent domain computers from making connections to non-domain computers.

I've tried setting up a basic Any-All type rule (see attached), but it just blocks everything, nothing is permitted.

Can anyone guide me to making a single basic "required" isolation rule?

[Attachment: 2016-02-19_Snag033.png]
Greg Hejl, Principal Consultant

Commented:
There is only one way to do this and be 100% effective.

Two subnets: one for domain, one for workgroups.
Firewall in between so that network resources can be shared.

Author

Commented:
Hi Greg,

Actually the goal here is to prevent data theft.  I can cover almost any scenario except when someone boots up the computer and then changes the network cable into a crossover connected to a laptop.

This solution looks like it's designed to prevent this scenario, if I can make it work.

Thanks.
McKnife (Distinguished Expert 2018)

Commented:
You did not link your other thread where you asked about the same thing: I told you to use IPsec. Did you read about how to set that up?

Author

Commented:
Hi McKnife,

I'm actually asking this question based on the advice received in that question.

The problem with IPsec is that you need to restrict it by IP.  So a rogue DHCP server could simply put the computer in a range outside of the IPsec rules, thereby defeating them.

I could use a Static IP, but then I'll lose PXE.

Please correct me if I'm wrong.

Thanks,
Nicholas
McKnife (Distinguished Expert 2018)
Commented:
Please read tutorials about IPsec-secured firewall rules. They can't be defeated like that.
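As an added illustration of what McKnife means by IPsec-secured firewall rules (this is not code from the thread or from either commenter), the following builds a domain isolation rule set with the Windows NetSecurity PowerShell cmdlets: peers are identified by machine Kerberos identity rather than IP address, which is why a rogue DHCP lease does not help an attacker. The rule names are made up and the infrastructure server addresses are placeholders; it assumes an elevated session on a domain-joined client and should be tried on a test machine before any GPO deployment.

```powershell
# Added example (not from the thread). Domain isolation on Windows Firewall
# with Advanced Security: IPsec connection security rule + firewall rules
# that only allow authenticated connections.

# Phase 1 authentication: machine Kerberos. The peer is identified by its
# domain computer account, not by its IP address.
$kerbAuth  = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Set = New-NetIPsecPhase1AuthSet -DisplayName "Isolation - Machine Kerberos" -Proposal $kerbAuth

# Connection security rule: require IPsec inbound, request it outbound.
# Applied to every profile on purpose: a host cabled to a rogue laptop is
# not classified as "Domain" by NLA, so a Domain-only rule would stop applying
# exactly when it is needed.
New-NetIPsecRule -DisplayName "Isolation - Require inbound, request outbound" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1Set.Name -Profile Any

# Authentication exemption for DC/DNS/DHCP: the KDC itself cannot be reached
# over an IPsec SA that needs a Kerberos ticket to be set up. PLACEHOLDER
# addresses from the RFC 5737 documentation range; replace with the real ones.
$infraServers = @("192.0.2.10", "192.0.2.11")
New-NetIPsecRule -DisplayName "Isolation - Exempt infrastructure servers" `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress $infraServers -Profile Any

# Firewall side: block outbound by default, then allow only connections that
# were authenticated by IPsec ("Allow the connection if it is secure" in the
# GUI). A plain Any-Any block rule, as in the original question, has no
# such condition, which is why it swallowed domain traffic as well.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName "Isolation - Allow outbound to authenticated peers" `
    -Direction Outbound -Action Allow -Authentication Required -Profile Any
New-NetFirewallRule -DisplayName "Isolation - Allow inbound from authenticated peers" `
    -Direction Inbound -Action Allow -Authentication Required -Profile Any
New-NetFirewallRule -DisplayName "Isolation - Allow outbound to infrastructure servers" `
    -Direction Outbound -Action Allow -RemoteAddress $infraServers -Profile Any

# Review what is now in place.
Get-NetIPsecRule | Where-Object DisplayName -like "Isolation*" |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity
Get-NetFirewallRule | Where-Object DisplayName -like "Isolation*" |
    Format-Table DisplayName, Direction, Action
```

With this in place a domain computer that is re-cabled to a non-domain laptop has no peer that can complete machine Kerberos authentication, so the only general outbound allow rule never matches, regardless of which IP address the laptop hands out.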
