RRAS server in Windows Server 2008: which one to use - Windows Firewall or RRAS filters?


Hi All,

Up to Windows Server 2003, the Routing and Remote Access Service (RRAS) and Windows Firewall could not co-exist: if one of them was enabled, the other could not be. RRAS instead carried its own cut-down version of Windows Firewall, called "Basic Firewall". Basic Firewall has been removed in Windows Server 2008 so that the OS ships with only one host firewall.


In Windows Server 2008 running the RRAS server role, packet filtering on a given interface can be enabled through Windows Firewall as well as through the inbound/outbound filters available inside RRAS. There are some subtle differences between the two, which I would like to point out in this post to help you decide which one to use in which scenario.

First, a bit on the implementation details:

1) Windows Firewall: a stateful packet filter, configurable through the Windows Firewall with Advanced Security UI, group policy, or netsh advfirewall. It works on physical interfaces as well as on traffic arriving over the remote access interface (i.e. the RAS dial-in adapter). Its rules are applied to every inbound packet destined to the server and every outbound packet sent from the server, and to nothing else.

2) RRAS packet filters: a stateless packet filter, configurable through the RRAS MMC snap-in, netsh scripting (the netsh routing ip filter commands), or remote access policies (the per-client IP filters assigned through NPS network policies in Windows Server 2008).

Now let us look in detail at how each can be used in different scenarios. These are the factors to keep in mind when deciding:


1) Host vs. network filters

Windows Firewall can act as a host packet filter (i.e. filter only the traffic destined to or originated from the machine itself), but not as a "network" or edge packet filter: it cannot filter traffic in the RRAS server's forwarding path, such as traffic sent from a VPN client to the intranet application servers behind the RRAS server.

RRAS packet filters, on the other hand, can act as both a host and a network packet filter.


In other words: if you want to block or allow certain traffic to the RRAS server itself, received on your public interface or on the RAS dial-in interface, you can use either Windows Firewall or RRAS static filters. But if you want to allow or block traffic to the network behind the RRAS server (i.e. traffic not destined to or originated from any of the RRAS server's own IP addresses), your only option is RRAS packet filters.
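As an added example of the host vs. network distinction (not part of the original post), here are the two kinds of filter side by side, as netsh commands run from PowerShell on the RRAS server. The assumptions are mine, not the post's: the RRAS-created remote access interface still carries its default name "Internal" as shown in the RRAS console, VPN clients receive addresses from 10.10.0.0/24, and the only intranet host they may reach is the web server 10.0.5.20 on TCP 80. All addresses and rule names are illustrative.

```powershell
# Added example, not from the original post. Assumed names/addresses:
#   "Internal"   - RRAS remote access interface (default name in the RRAS console)
#   10.10.0.0/24 - address pool handed to VPN clients
#   10.0.5.20    - intranet web server behind the RRAS box

# --- Host filter: Windows Firewall only ever sees traffic to/from this server's own IPs.
# This rule lets VPN clients reach a web site hosted ON the RRAS server (interfacetype=ras
# limits it to the RAS dial-in adapter); it says nothing about packets the server forwards.
netsh advfirewall firewall add rule name=RRAS-Host-HTTP dir=in action=allow protocol=TCP localport=80 interfacetype=ras

# --- Network filter: RRAS input filters on "Internal" are applied to packets arriving from
# VPN clients before they are routed, so they can police forwarded traffic as well.
# Permit entry: VPN pool -> 10.0.5.20, TCP, any source port, destination port 80.
netsh routing ip add filter name=Internal filtertype=input srcaddr=10.10.0.0 srcmask=255.255.255.0 dstaddr=10.0.5.20 dstmask=255.255.255.255 proto=tcp srcport=0 dstport=80

# Default action "drop": discard everything arriving on "Internal" that does not match a
# permit entry above. Output on "Internal" is left unfiltered (the default), so replies
# from 10.0.5.20 flow back to the clients without a matching entry.
netsh routing ip set filter name=Internal filtertype=input action=drop

# Verify what is actually installed on the interface.
netsh routing ip show filter name=Internal
```

With only the Windows Firewall rule in place, a VPN client can still reach every host behind the server; with the RRAS input filter on "Internal", everything except 10.0.5.20:80 is dropped before it is routed. The same filter would also drop RDP or SMB to the RRAS server's own internal address from a VPN client, so add a permit entry for any service on the box itself that clients are meant to use.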

2) Stateful vs. stateless

RRAS packet filters do not maintain state for the TCP/UDP sessions passing through them: each packet is treated independently, which makes them fast (in packets per second). It also means they cannot be used in scenarios that require state, such as RRAS acting as a NAT router, or applications that open ports dynamically (FTP, RPC, etc.), without opening a whole range of extra ports. In those scenarios, Windows Firewall should be used to protect traffic destined to or originated from the RRAS server's public interface.

RRAS packet filters are a good fit for scenarios that do not require state, such as a pure remote access or site-to-site VPN server filtering on IP address/mask and perhaps port number for simple applications (HTTP, Telnet, Terminal Services, etc.). RRAS packet filters are also required for the VPN NAP (Network Access Protection) scenario, to restrict the traffic of unhealthy VPN clients to a remediation server or network.

Now, what happens when both Windows Firewall and RRAS packet filters are enabled on the same interface?

They can co-exist on the same interface, but you need to manage your filtering rules carefully, because each packet is handed to both sets of filters and is accepted only if both allow it. In other words, if a packet matches a drop rule in either one, it is dropped. For example, if you have a web server running on the RRAS server, you need to allow TCP port 80 as an exception in Windows Firewall and also allow it in the RRAS packet filters. Running both also costs more CPU, because every packet goes through two filtering checks. My recommendation in this scenario is to enable Windows Firewall as the host firewall (to protect the services running on the server) and use RRAS packet filters to protect the forwarded traffic sent and received inside VPN tunnels (i.e. from clients to the machines behind the RRAS server).
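As an added example (not from the original post) covering both the stateful vs. stateless point and the co-existence question, here is one host policy for the Internet-facing interface written twice: first as Windows Firewall rules, then as RRAS static filters. The assumptions are mine: the Internet-facing NIC has been renamed "Public" (a name without spaces, so it passes from PowerShell to netsh unchanged), the server accepts SSTP VPN connections on TCP 443 and hosts a web site on TCP 80, and the resolver it uses is 203.0.113.53 (a documentation-range address, illustrative). The netsh routing context these commands rely on is present on Windows Server 2008; confirm that "netsh routing ip show filter name=Public" runs on your build before depending on it.

```powershell
# Added example, not from the original post. Assumed names/addresses:
#   "Public"      - Internet-facing NIC, renamed so the name has no spaces
#   TCP 443       - SSTP VPN listener on this server
#   TCP 80        - web site hosted on this server
#   203.0.113.53  - DNS resolver the server itself queries (illustrative)

# 1) Stateful host protection with Windows Firewall: one inbound rule per service is
#    enough. The firewall tracks each session, so replies and the server's own outbound
#    connections (DNS, updates) are handled without extra rules.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name=RRAS-SSTP dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name=RRAS-HTTP dir=in action=allow protocol=TCP localport=80

# 2) The same policy as stateless RRAS filters on "Public". Each packet is judged alone,
#    so both directions of every conversation must be spelled out.
#    Inbound: connections to 443 and 80 (0.0.0.0/0.0.0.0 = any address, port 0 = any port).
netsh routing ip add filter name=Public filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp srcport=0 dstport=443
netsh routing ip add filter name=Public filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp srcport=0 dstport=80
#    Outbound: the server's replies, source port 443/80 with ACK set (tcp-est), so the
#    entry cannot be used to open new connections from the server.
netsh routing ip add filter name=Public filtertype=output srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp-est srcport=443 dstport=0
netsh routing ip add filter name=Public filtertype=output srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp-est srcport=80 dstport=0
#    Anything the server initiates needs its own pair as well; the DNS replies below are
#    admitted purely on source port 53, which is the price of having no state.
netsh routing ip add filter name=Public filtertype=output srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=203.0.113.53 dstmask=255.255.255.255 proto=udp srcport=0 dstport=53
netsh routing ip add filter name=Public filtertype=input srcaddr=203.0.113.53 srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=53 dstport=0
#    Default action "drop" in both directions: only the entries above get through.
netsh routing ip set filter name=Public filtertype=input action=drop
netsh routing ip set filter name=Public filtertype=output action=drop

# 3) With (1) and (2) both active on "Public", a packet is accepted only if BOTH lists
#    permit it. Deleting port 80 from either list silently breaks the web site, so when
#    troubleshooting, read both:
netsh advfirewall firewall show rule name=RRAS-HTTP
netsh routing ip show filter name=Public
```

Step 2 is shown to make the cost of statelessness concrete, not as a recommendation: a single Windows Firewall rule replaced five RRAS entries, and the DNS pair would have to be repeated for every destination the server talks to. Following the post's advice, keep step 1 on "Public" and reserve RRAS filters for the forwarded traffic on the remote access interface.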

Hope this information was useful for you.


Cheers

Samir Jain

Lead Program Manager (samirj@online.microsoft.com **)

RRAS, Windows Enterprise Networking

** Remove the "online" to actually email me

[This posting is provided "AS IS" with no warranties, and confers no rights.]