Sometimes you want to block a port but cannot use a hardware firewall to achieve this.
An example is an SBS network with a dual-NIC configuration that does not have ISA Server. We want to block outbound port 25 (SMTP) on the PCs because from time to time a virus may slip through the cracks, send spam directly from a client, and cause the server to be blacklisted.
Because all traffic is routed through the SBS server's public network interface we cannot block port 25 at the firewall without also stopping Exchange from working.
In this case we can apply a group policy to all PCs to block the ports using IPSec.
- On the SBS machine, open Group Policy Management and edit the appropriate GPO for all the client machines (not including the server itself).
- Expand to Computer Configuration->Windows Settings->Security Settings->IP Security Policies.
- Right click IP Security Policies and select Create IP Security Policy.
- Follow the wizard and name the rule.
- Uncheck Activate the Default Response Rule.
- Click Finish and the Edit Properties window will pop up.
- Click Add to add a new rule and select Next.
- Click Next and select Local Area Network (LAN).
- Click Add to add a new IP Filter List.
- Type a name and click Add.
- Follow the Wizard and click Next twice.
- The source IP address is My IP Address. Click Next.
- The Destination IP address is Any IP Address. Click Next.
- Select the protocol type as TCP. Click Next.
- Type "25" in To This Port and click Next.
- Click Finish and we've created an IP Filter List for TCP port 25.
- Click Add again and this time select UDP instead of TCP.
- We can set port number 25 in From This Port as well.
- After creating the IP Filter Lists, click Next in the Security Rule Wizard to create a Filter Action.
- Select Add and follow the wizard to select Block. Now we've created a new Filter Action which is blocking the traffic.
- Click Finish and close all the windows.
- In Group Policy Editor, right click the newly created IP Security Policy, select Assign.
- Close Group Policy Editor and run "gpupdate /force" on the clients to refresh the policy.
Please note: do not apply the group policy to the Exchange server otherwise port 25 will be blocked on the server as well.
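The same policy can be built from the command line with netsh ipsec static, which is handy for testing the filters on a single XP/2003-era client before rolling them out. This is an added example, not from the original article; it creates a local policy rather than the GPO, and the policy, filter list and action names are assumptions.

```powershell
# Added example: recreate the article's "block outbound port 25" IPsec policy with
# netsh ipsec static as a LOCAL policy on one client. The article deploys the same
# objects through a GPO instead. Names below are assumptions, not from the article.
$policy = "Block Outbound SMTP"
$list   = "SMTP Port 25 Filters"
$action = "Block SMTP"

# To write into the domain store (the GPO) instead of the local store, run first:
#   netsh ipsec static set store location=domain domain=<your-domain-fqdn>

# 1. Policy with the default response rule left off, as in the wizard.
netsh ipsec static add policy name="$policy" description="Stop client SMTP relaying" activatedefaultrule=no

# 2. Filter list: from My IP Address (me) to Any IP Address, TCP and UDP, destination port 25.
netsh ipsec static add filterlist name="$list"
netsh ipsec static add filter filterlist="$list" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=25
netsh ipsec static add filter filterlist="$list" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=25

# 3. Filter action: Block (no negotiation, just drop the traffic).
netsh ipsec static add filteraction name="$action" action=block

# 4. Rule tying the list to the action, then assign the policy so it takes effect.
netsh ipsec static add rule name="Block port 25" policy="$policy" filterlist="$list" filteraction="$action"
netsh ipsec static set policy name="$policy" assign=y

# Check: the assigned policy should list the rule with both filters and the Block action.
netsh ipsec static show policy name="$policy" level=verbose
```

After assigning, an outbound connection from the client to any host on TCP 25 should fail while the server's own Exchange traffic is unaffected; run the script only on clients, never on the SBS/Exchange machine.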
More information: How to Use Internet Protocol Security to Secure network traffic between two hosts in Windows 2000
