Archive for the ‘Windows Firewall’ Category

How do I keep my firewall on?

August 27th, 2013

Using a firewall is like locking the front door to your house—it helps keep intruders (in this case, hackers and malicious software) from getting in. Windows Firewall is included in Windows and is turned on by default.

If you see a warning that your firewall is turned off, it could be because:

  • You or someone else has turned off your firewall.
  • You or someone else has installed antivirus software that includes a firewall and that disables Windows Firewall.
  • The warnings that you see are fake alerts, caused by malicious software.

You do not need to turn off your firewall

There are two ways to allow an app or a program through a firewall. Both are risky, but not as risky as turning off your firewall. Learn how to allow an app through a firewall in Windows 8 or Windows 7.

Check your firewall settings in Windows 8

If you think your firewall is turned off, open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you’re using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search). Type firewall in the search box, tap or click Settings, and then tap or click Windows Firewall.

In the left pane, tap or click Turn Windows Firewall on or off. You might be asked for an admin password or to confirm your choice.

For more information, see Windows Firewall from start to finish.

Check your firewall settings in Windows 7 and Windows Vista

If you think your firewall is turned off, follow these steps:

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Below each network location type, click Turn on Windows Firewall, and then click OK. We recommend that you turn on the firewall for all network location types.

You don’t need antivirus software that includes a firewall

Because Windows comes with a firewall, you don’t need to install an additional one. You don’t need to buy or download antivirus software that includes a firewall.

Windows 8 also comes with built-in antivirus software that is turned on by default, so you do not need to install other antivirus software.

If your computer is running Windows 7, Windows Vista, or Windows XP, you may want to install antivirus software to help protect your computer. You can install Microsoft Security Essentials for free. If you’ve already installed other antivirus software, you will need to uninstall the other antivirus software before you install Microsoft Security Essentials.

Microsoft Security Essentials includes integration with Windows Firewall, so you can turn Windows Firewall on by using Microsoft Security Essentials.

Watch out for fake alerts

Rogue security software is malicious software that might display fake warnings telling you that your firewall is turned off, even if it isn’t. If you think your computer is infected with rogue security software, use your antivirus software or do a free scan with the Microsoft Safety Scanner. For more information, read Watch out for fake virus alerts.

Free tool automatically checks and builds up your computer’s defenses

July 12th, 2012

Want to know an easy way to make sure you have the most up-to-date security settings and software for your Windows operating system? Microsoft offers a free downloadable tool that scans your computer and makes recommended changes based on your current settings.

Run the Microsoft Malware Prevention troubleshooter.

The following are a few examples of how the Microsoft Malware Prevention troubleshooter helps protect your computer:

  • It turns on your Windows Firewall. Enabling your Windows Firewall will block communications to your PC that may come from malicious software.
  • It checks your anti-virus protection status. You will be prompted to update your anti-virus program if needed. If you have no anti-virus program installed, it tells you how you can download Microsoft Security Essentials (free) or learn about other security software partners.
  • It turns on automatic updating. Windows Update automatically downloads and installs the latest security and feature updates from Microsoft to help enhance the security and performance of your PC.

Find out what else the Microsoft Malware Prevention troubleshooter can do.

UAG DirectAccess and the Windows Firewall with Advanced Security – Things You Should Know

December 1st, 2010

Both the Windows DirectAccess and the UAG DirectAccess solutions are heavily dependent on the Windows Firewall with Advanced Security. DirectAccess clients take advantage of both firewall rules and Connection Security Rules. Connection Security Rules are IPsec rules that control the IPsec tunnel mode connections between the DirectAccess clients and the DirectAccess server. In addition to the IPsec tunnel mode connections, Connection Security Rules are used to enable IPsec transport mode connections for servers for which you want the DirectAccess clients to connect using end-to-end security.

To get the most out of DirectAccess and understand how it works, it helps to know the different components of the Windows Firewall with Advanced Security, how some of the important settings work, and how they interact with DirectAccess.

Windows Firewall Profiles – Public Profile, Private Profile and Domain Profile

Windows Firewall offers three firewall profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks. Lastly, the default profile is the public profile, which is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

Different firewall and connection security rules can be configured for each profile. There are default settings that are applied to each profile, but the administrator can customize their default settings.

What Does This Have to Do with DirectAccess?

The different profiles are important because a computer only works as a DirectAccess client when it is not on the corporate network. In other words, if the DirectAccess client detects that it can connect to its domain controller and is on the corporate network, it will use the domain profile. The DirectAccess client will only act as a DirectAccess client when the Private or Public Profiles are enabled. The reason for this is that the Connection Security Rules that enable the IPsec tunnel mode connections to the DirectAccess server are included only in the Public or Private Profiles. There are no Connection Security Rules that enable IPsec tunnel mode connections to the DirectAccess server in the Domain Profile.

The UAG DirectAccess server (as well as the Windows DirectAccess server) will create the Connection Security Rules that allow for the creation of the DirectAccess IPsec tunnels (and the end-to-end IPsec transport mode connections for servers configured for end-to-end security). However, the UAG DirectAccess wizard does not import any firewall rules that you might have configured to work on the corporate network. Those rules that you created for the intranet hosts were created for the Domain Profile. If you want your Domain Profile firewall rules to apply to DirectAccess clients, you will need to enable those rules on the Public Profile and Private Profile too.

How Do I Create Firewall Rules for DirectAccess Clients?

In order for intranet computers to connect to DirectAccess clients, there need to be firewall rules in place on the DirectAccess clients that allow the incoming connections from the intranet servers. In addition, if you are blocking outbound connections, you may need to create rules that enable required protocols outbound. There are several things you need to know about these firewall rules:

  • Teredo clients need to have the Edge Traversal setting enabled on inbound firewall rules that allow the intranet clients to connect to DirectAccess clients that are using Teredo to connect to the DirectAccess server (http://technet.microsoft.com/en-us/library/ee809076.aspx).
  • Teredo clients must also have rules that allow them ICMPv6 access to intranet clients, such as ICMPv6 neighbor discovery. This rule is enabled by default and you should not delete it. In addition, Teredo clients require ICMPv6 Echo Request access to your intranet if you are using ISATAP or native IPv6 on the intranet. If you are using NAT64/DNS64, then you need to enable ICMPv4 Echo Requests to your intranet (http://technet.microsoft.com/en-us/library/ee649189(WS.10).aspx).
  • With reference to the second bullet point, you should be aware of a scenario where domain policy doesn’t allow firewall rules to merge with local policy. While the required rule is enabled by default in local policy, if your organization disables merging local with domain policy, then only rules created for domain policy will be applied to the DirectAccess client, which will cause this rule to be disabled. If this is the case, you should manually create all of the required infrastructure rules, such as those required for IP-HTTPS, Teredo, 6to4, ESP, IKE and ICMPv6.
  • DirectAccess clients using 6to4 and IP-HTTPS to connect to the UAG DirectAccess server don’t require the Edge Traversal setting to allow for remote management. However, since you can’t predict which IPv6 transition protocol will be used by the DirectAccess client, you should always enable Edge Traversal on the firewall rules.
  • The firewall rules that enable intranet hosts to connect to the DirectAccess clients should be applied to the Public and Private profiles. You can apply them to the domain profile if you like, but in order for the computer that is acting as a DirectAccess client to apply these rules, they must be enabled on the Public and Private Profiles.
  • When creating these firewall rules, make sure that one of the endpoints (can be the remote endpoint, it doesn’t matter) includes the IPv6 prefix of the intranet. Failing to configure this type of access control in the rule may create a security issue that allows anyone on the Internet to connect to the DirectAccess client using these protocols. You can find the ISATAP IPv6 prefix in the details of the intranet tunnel rule as Endpoint 2.
  • If you have firewall rules that you enable for intranet clients using the Domain profile, be aware that these are not automatically applied to the DirectAccess clients, since they will be using either the Public or Private profile. Therefore, if you want your domain firewall rules applied to DirectAccess clients, make sure to replicate them for your DirectAccess clients’ Public and Private profiles.
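
The checklist above can be turned into an audit of inbound allow rules. This is an added example, not code from the original post: the rule objects, rule names and the 2001:db8:cafe::/48 prefix are constructed, the function name is hypothetical, and the commented live query assumes the NetSecurity cmdlets of Windows 8 / Windows Server 2012 or later.

```powershell
# Added example. Rule objects, names and the prefix below are constructed.
function Test-ManageOutRule {
    param(
        [Parameter(Mandatory)] $Rule,                    # Name, Profile, EdgeTraversal, RemoteAddress
        [Parameter(Mandatory)] [string] $IntranetPrefix  # IPv6 prefix of the intranet
    )
    $findings = @()
    $ruleProfiles = @("$($Rule.Profile)" -split '\s*,\s*')

    # DirectAccess clients run under the Public or Private profile, never Domain.
    if ($ruleProfiles -notcontains 'Any') {
        foreach ($p in 'Public', 'Private') {
            if ($ruleProfiles -notcontains $p) { $findings += "not applied to the $p profile" }
        }
    }
    # Teredo clients are only reachable when Edge Traversal is enabled on the rule.
    if ("$($Rule.EdgeTraversal)" -ne 'Allow') { $findings += 'Edge Traversal is not enabled' }

    # One endpoint must carry the intranet prefix (this check uses the remote endpoint);
    # an unscoped rule is reachable from anywhere on the Internet.
    $remote = @($Rule.RemoteAddress)
    if ($remote -contains 'Any') {
        $findings += 'remote address is Any'
    } elseif ($remote -notcontains $IntranetPrefix) {
        $findings += "remote address does not include $IntranetPrefix"
    }
    [pscustomobject]@{
        Name      = $Rule.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

$intranet = '2001:db8:cafe::/48'   # constructed documentation prefix
$sampleRules = @(
    [pscustomobject]@{ Name = 'RDP manage-out'; Profile = 'Private, Public'; EdgeTraversal = 'Allow'; RemoteAddress = @($intranet) }
    [pscustomobject]@{ Name = 'RDP domain only'; Profile = 'Domain'; EdgeTraversal = 'Block'; RemoteAddress = @($intranet) }
    [pscustomobject]@{ Name = 'RDP unscoped'; Profile = 'Private, Public'; EdgeTraversal = 'Allow'; RemoteAddress = @('Any') }
)
$sampleRules | ForEach-Object { Test-ManageOutRule -Rule $_ -IntranetPrefix $intranet } | Format-List

# Live rules (Windows 8 / Server 2012 or later) can be mapped to the same shape:
# Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
#     [pscustomobject]@{ Name = $_.DisplayName; Profile = $_.Profile; EdgeTraversal = $_.EdgeTraversalPolicy
#                        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
```

Only the first sample rule passes; the second is scoped to the Domain profile with Edge Traversal blocked, and the third has no intranet prefix on either endpoint.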

While it’s possible for you to create your firewall rules in the DirectAccess Clients GPO, that’s not a good idea because your rules will be overwritten the next time you use the UAG DirectAccess wizard and deploy updated GPO settings. Instead, create a new GPO with the firewall settings and apply it to your DirectAccess clients security group or OU.

For a very good tutorial on configuring firewall rules for DirectAccess clients, check out How to enable Remote Desktop Sharing (RDS/RDP) from corporate machines to DirectAccess connected machine at http://blogs.technet.com/b/edgeaccessblog/archive/2010/09/14/how-to-enable-remote-desktop-sharing-rds-rdp-from-corporate-machines-to-directaccess-connected-machines.aspx

And if you want to try it out for yourself in your UAG DirectAccess Test Lab, check out Test Lab Guide: Demonstrate UAG DirectAccess Remote Management over at http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=385a3144-8e84-4335-896b-a2927e4d46cd

Anything Else I Need to Know About DirectAccess Client Firewall Rules?

I’m glad you asked! Yes, there are a few more things you should think about when configuring firewall rules for DirectAccess clients. These are:

  • Don’t turn off the Windows Firewall on either the DirectAccess client or DirectAccess server. This will disable IPsec and Edge Traversal, so it essentially breaks all DirectAccess connectivity.
  • Avoid allowing all inbound connections to the DirectAccess clients. Doing so will disable Edge Traversal. This breaks Teredo and manage-out.
  • Avoid blocking all outbound connections as well. If you block all outbound traffic, you will not only need to enable the infrastructure protocols, you will also need to allow any other protocol required by the DirectAccess client (such as HTTP, SMTP, RDP, etc.) on the Public and Private Profiles.
  • If your organization manages all of your firewall rules through a central GPO, you need to make sure that you enable the rules that are required for DirectAccess to work. These include rules to support IPv6 Transition Technologies, ICMPv6 (as mentioned previously) and ESP and AuthIP. However, you do not need to add any rule to the UAG server, as the Firewall capability is disabled on the UAG and the TMG server is in control.
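
The profile-level settings named in this list, plus the local-policy merge setting mentioned earlier, can be checked the same way. This is an added example, not code from the original post: the sample profile objects are constructed, the function name is hypothetical, and the property names are those returned by Get-NetFirewallProfile on Windows 8 / Windows Server 2012 or later.

```powershell
# Added example. The sample profile objects below are constructed.
function Test-DirectAccessProfile {
    param([Parameter(Mandatory)] $FirewallProfile)
    $findings = @()

    # Turning the firewall off disables IPsec and Edge Traversal.
    if ("$($FirewallProfile.Enabled)" -ne 'True') {
        $findings += 'firewall is off'
    }
    # Allowing all inbound connections disables Edge Traversal (Teredo, manage-out).
    if ("$($FirewallProfile.DefaultInboundAction)" -eq 'Allow') {
        $findings += 'all inbound connections are allowed'
    }
    # Blocking outbound means every infrastructure and application protocol
    # needs its own allow rule on this profile.
    if ("$($FirewallProfile.DefaultOutboundAction)" -eq 'Block') {
        $findings += 'outbound is blocked by default; explicit allow rules required'
    }
    # Without local rule merging, the default ICMPv6 and transition-technology
    # rules must be recreated in domain policy.
    if ("$($FirewallProfile.AllowLocalFirewallRules)" -eq 'False') {
        $findings += 'local firewall rules are not merged with domain policy'
    }
    [pscustomobject]@{
        Profile  = $FirewallProfile.Name
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

$sampleProfiles = @(
    [pscustomobject]@{ Name = 'Public'; Enabled = 'True'; DefaultInboundAction = 'Block'
                       DefaultOutboundAction = 'Allow'; AllowLocalFirewallRules = 'True' }
    [pscustomobject]@{ Name = 'Private'; Enabled = 'True'; DefaultInboundAction = 'Allow'
                       DefaultOutboundAction = 'Block'; AllowLocalFirewallRules = 'False' }
)
$sampleProfiles | ForEach-Object { Test-DirectAccessProfile -FirewallProfile $_ } | Format-List

# On a live client, check the effective (merged) settings of the two profiles
# a DirectAccess client actually uses:
# Get-NetFirewallProfile -PolicyStore ActiveStore -Name Public, Private |
#     ForEach-Object { Test-DirectAccessProfile -FirewallProfile $_ }
```

A finding about blocked outbound traffic or unmerged local rules is not a failure on its own; it marks a profile where the required DirectAccess rules have to be created explicitly.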

Authors:

Yaniv Naor, SDE
Tom Shinder, Knowledge Engineer/Principal Technical Writer, Anywhere Access Group (AAG)