I'm trying to define per interface rules, much like it was in Server 2003.
We will be replacing our old 2003 server with a new 2008 R2 server. The server runs IIS and SQL Server. It's a dedicated server at the hosting company. We use a OpenVPN connection from the office to access SQL server, RDesktop, FTP and other administrative services. Only http and ssh is listening on the public interface.
On the old server running 2003, I was able to define global rules for http and ssh, and allow other services only on the vpn interface. I can't find a way to do the same on 2008 R2.
I understand that there is the Network Location Awareness service, firewall rules are applied according to the current network location. But I don't understand the purpose of this on a server.
The only close solution I found is to set the scope on the firewall rule and restrict remote ip addresses to the private subnet of the office. But the ports will still be listening on the public interface.
So how can I restrict a firewall rule to the connections coming from the vpn interface ?
A note on this page
states that scoping a rule to an interface does not exist anymore:
In earlier versions of Windows, many of these command accepted a parameter called interface. This parameter is not supported in the firewall context in Windows Vista or later versions of Windows.
I can't believe that they simply decided to remove a core firewall functionality that every firewall has. There must be a way to restrict a rule to an interface.
Any ideas ?
I'm still unable to find an adequate solution to my problem. So for now, my workaround is this:
Administrative services listen on VPN IP address
Firewall rules restrict the scope to the local IP address of VPN
Public services listen on all interfaces, no scope restriction on firewall rules
This is not optimal, if I change the IP address of the VPN, I need to edit the firewall rules too. It won't be the case if the rules were bound to the interface.
