Using the RRAS Firewall

If you already ran the Configure Email and Internet Connection Wizard (CEICW) it is likely that you have configured the built-in firewall without much effort (or maybe without even knowing). Because the process is relatively simple, this chapter focuses on detailing the particulars of this service and providing in-depth information about certain common features.

Let's start by describing the main function of a firewall. The job of any firewall is to separate your internal (trusted) network from an external (not trusted) network, such as the Internet. This is an important function because it reduces the surface attack area of your network by exposing only those services that need to be accessed from outside.

For a firewall to be effective, both networks must be physically separated. Hence, one of the requirements to use RRAS as a firewall is that you must have two network cards. One card is connected to the local network, and the other card is connected to the Internet side, as shown in Figure 7.1.

Figure 7.1. Network diagram of a typical installation using SBS as the firewall.

RRAS acts as a basic firewall because it can filter traffic only at the network layer (based the properties of the IP packet). Although it is not as fancy as ISA Server 2004, you still can protect your network effectively by restricting access not only by port number but also by source or destination address among other things.

Remember that although firewalls are important, they are not the be-all and end-all of network security. There are ways around firewalls (such as VPNs), and there is always the potential for having a vulnerable service behind an open port. Also, keep in mind that an improperly configured firewall can create a false sense of security.

Best Practice: Use ISA 2004 If You Have SBS 2003 Premium

If you already own the SBS 2003 Premium Edition, it is strongly suggested that you install ISA Server 2004. Not only does it provide a much more sophisticated firewall than RRAS, you also get more detailed reports and more control over what your users can access.

CEICW and the RRAS Firewall

Although CEICW takes care of most of the firewall configuration, you might be wondering exactly what it does. Understanding why and how ports are opened by the wizard is an important step toward improving your network security.

Table 7.1 lists the most common ports used in a typical SBS installation. By default, eight ports (marked with an asterisk) can be opened by the CEICW. Also, you can manually add other ports if you deem it necessary.

Table 7.1. TCP Ports Used in a Typical SBS 2003 Installation
TCP Port	Service	Description
21^[*]	FTP	Enables the external file transfer
25^[*]	SMTP	Enables incoming SMTP mail in Exchange
80^[*]	IIS	Enables all nonsecure browser access, including: IIS websites and HTTPS redirectors
110	POP3	Enables external access to Exchange POP3 server
143	IMAP4	Enables external access to Exchange IMAP4 server
443^[*]	IIS	Enables all secure browser access, including OWA, OMA, RWW, and RPC over HTTP
444^[*]	Windows SharePoint Services	Enables external access to the SharePoint (Companyweb) website.
1723^[*]	PPTP clients	Enables external PPTP VPN connections
3389^[*]	Terminal Services	Enables access to Terminal Services using the Remote Desktop protocol
4125^[*]	Remote Web Workplace	Enables Remote Desktop Connection via the Remote Web Workplace interface

^[*] Denotes a port defined in the CEICW by default.

Which ports are opened by the CEICW depends on the choices you make running it. For example, TCP port 444 will be opened only if you select Windows SharePoint Services Intranet Site on the Web Services Configuration screen.

Best Practice: Open Ports Only as Needed

Only open ports that are really necessary; opening ports that are not required can put your network at risk.

For example, if you use the POP3 Connector to retrieve email, allowing inbound SMTP access is not necessary. Unselect E-mail from the Services Configuration screen in CEICW to close it.

One nice feature of configuring your firewall using the CEICW is that if you have a hardware router/firewall installed on your network it can be automatically configured. If the device supports Universal Plug and Play (UPnP) the CEICW will not only open the ports on the RRAS firewall but also will open/forward the appropriate ports on the device. This eliminates much of the guesswork when manually configuring the hardware firewall.

Configuring the RRAS Firewall

As previously mentioned, the CEICW configures most basic functions of the RRAS firewall. However, there are a couple of things that you might want to do that are not directly configurable using the wizard. This section presents an overview of three common scenarios for configuring the firewall in an SBS network.

Creating a Packet Filter

At some point you might need to open an uncommon port to remotely access a service that resides on the server. For example, you might have a handheld device that needs IMAP4 or POP3 access to your mailbox in Exchange. Although opening another port in not really a best practice, sometimes you don't have a choice (although in this case you might want to consider buying a device that supports Exchange ActiveSync).

To create a packet filter to allow IMAP4 access (port TCP 143) through the RRAS firewall, follow these steps. These steps assume that the CEICW has been already run at least once.

1.	Open the Server Management Console. On the left pane expand Standard Management and then select To Do List. Under Network Tasks and click on Connect to the Internet to open the Configure Email and Internet Connection Wizard.
2.	On the welcome screen click Next. Assuming that you have already run CEICW previously, select Do Not Change Connection Type on the next screen and click Next.
3.	Select Enable Firewall and click Next. On the Services Configuration Screen (see Figure 7.2) select all the services that you want to enable. Figure 7.2. Services Configuration screen in the Configure Email and Internet Connection Wizard.
4.	Click Add to create a new service. On the Add or Edit a Service screen (see Figure 7.3), enter IMAP as the service name, select TCP for the protocol, and enter 143 for the port number. Click OK to add the service and make sure that the check box next to the new service is selected. Click Next. Figure 7.3. Add or Edit a Service screen in the Configure Email and Internet Connection Wizard.
5.	Finish the wizard by clicking Next on the following screens and selecting Do Not Change Current Web Server Certificate and Do Not Change Internet E-Mail Configuration.
6.	Optional: If you have a firewall in front of SBS that supports Universal Plug and Play (UPnP), the wizard attempts to configure it automatically. However, if your firewall does not support UPnP or it's disabled, you need to forward port 143 manually. Consult your router/firewall user guide for further instructions.

If the Microsoft Exchange IMAP4 service is running (which is disabled by default), you should be able to access the service externally.

Packet Forwarding to Another Device

There are cases where you need to allow access to an internal resource not allocated on the server. For example, you might have a web cam running on your network that you want to access remotely. For the purpose of this example, assume that the camera can be accessed via TCP port 8080.

The following steps outline how to forward a port from the external interface of your SBS box to a device located on the internal network:

1.	Before configuring the port forwarding, make sure that the target device has a static IP assigned or a DHCP reservation.
2.	Open the Routing and Remote Access console in Administrative Tools. Click on your server name to expand it and drill down to IP Routing, NAT/Basic Firewall. On the right pane right-click on Network Connection and select Properties.
3.	On the Network Connection Properties screen click on the Services and Ports tab. Click on Add to bring up the Add Service Screen (see Figure 7.4). Type `Webcam` in the Description of Service box and select the TCP protocol. Enter `8080` as the Incoming and Outgoing Port and type the static IP of the device on the Private Address box. Click OK to save the changes and click OK again to close the Network Connection Properties. Figure 7.4. Add Service Screen on the Network Connection Properties of the RRAS Firewall
4.	Optional: If you have a firewall in front of SBS you will need to forward port 8080 manually (even if your router is UPnP capable). Consult your router/firewall user guide for further instructions.

You should be able to access the webcam remotely by using the public IP of your server.

Note

One interesting feature that the RRAS firewall provides is port address translation. In other words, you can redirect traffic from one port on the external interface to another port on the target.

This is particularly useful for companies that have a single static IP. For example, assume that you have a Terminal Server alongside an SBS box, and you need to be able to access them both using RDP directly. You could change the listening port number on one of the servers, but that would prevent using Remote Web Workplace (RWW) to access it. A better alternative would be to leave both at 3389, but create forward port 3390 on the external interface and translate it to 3389 on the internal network. RWW keeps working, you have direct RDP access, and everybody is happy!

Filtering Connections

In some circumstances you might want to block certain IPs from reaching your server. For example, if you have seen numerous wrong password attempts from a specific IP, it might be wise to prevent it from even knocking at your door. Another use would be to block SMTP traffic (TCP port 25) from a specific IP address to curb spam.

With RRAS you can filter connections based on the source or destination IP address, port number, and protocol. The following steps outline the procedure to block a specific IP address from connecting to the server:

Open the Routing and Remote Access console in Administrative Tools. Click on your server name to expand it and drill down to IP Routing, NAT/Basic Firewall. On the right pane right-click on Network Connection and select Properties.

On the Network Connection Properties screen, click on Inbound Filters. Click on New to open the Add IP Filter screen (see Figure 7.5). Select the source network and on the IP address box type the address of the offending machine. For the subnet mask you can either specify a range of machines or, if you just want to block a single IP, type 255.255.255.255. Click OK three times.

Figure 7.5. Add IP Filter screen on the Network Connection Properties of the RRAS firewall.

After completing the procedure the offending machine should be blocked at the firewall from attempting to contact your server. If you feel adventurous, you might want to play with those settings to restrict traffic based on the protocol and port number.

Best Practice: Regularly Test Your Firewall

Every once in a while get a port scanner and scan the external interface of your server. Make sure that every port you see open is supposed to be that way.