Outbound firewall rules


Ever thought about what type of outbound firewall rules your clients require to work as expected? Maybe you want to minimize the outbound rules in the public or private Windows Firewall profile.

You probably already know that when the Windows NLA service is working out what type of network you are on, it will try to connect to the gateway, do an LDAP query and recognize your DNS suffix, among other things. More about that here: Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles

The problem is usually not limiting the outgoing traffic in these profiles, but getting back to the domain profile from the public or private profile once outbound traffic is restricted: if NLA cannot reach a domain controller through the restricted profile, the client stays on the more restrictive profile.

Here is a very good guide to get this going: http://technet.microsoft.com/en-us/library/ee215186(v=ws.10).aspx
Make sure that the rules you add do not enable traffic like web browsing, FTP etc., just what is really necessary, such as DNS, DHCP, authentication and so on.

Here is how you do it. Start by enabling the predefined outbound rule group Core Networking.

Don't forget to change the action to Allow.

Do the same with the predefined rule group File and Printer Sharing.

Don't forget to Allow the rule!

Now for two trickier custom rules. First, allow outgoing authentication from lsass.exe: create a custom outbound rule with the program path of lsass.exe (%windir%\System32\lsass.exe) and allow the connection.

The second custom rule allows WMI queries, if your Group Policies contain WMI queries (WMI filters).

When done, the outbound rule list should contain the Core Networking and File and Printer Sharing groups plus the two custom rules, all set to Allow.

Remember that this list will most probably need to be extended or edited to fit your environment.

2014-05-13 Update. Be aware that one more outbound rule needs to be added to make NLA and firewall profile switching work correctly:

  1. Right-click Outbound Rules, and then click New Rule.
  2. On the Rule Type page, click Custom, and then click Next.
  3. On the Program page, select This program path, and then type %windir%\System32\svchost.exe. Then click Customize, select Apply to service with this service short name, type NlaSvc to add the Network Location Awareness service, click OK, and then click Next.
  4. Read the warning about service-restricted rules and accept it by clicking Yes.
  5. On the Protocol and Ports page, change Protocol type to TCP, change Remote port to Specific Ports, type 389, and then click Next.
  6. On the Scope page, click Next.
  7. On the Action page, select Allow the connection, and then click Next.
  8. On the Profile page, leave all profiles selected and click Next.
  9. On the Name page, type Allow outbound NlaSvc Service port 389, and then click Finish.
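The same rule set, from the predefined groups through the lsass.exe and WMI custom rules up to the NlaSvc rule from the update, can be scripted instead of clicked through. The script below is an added example for this post, not the author's own configuration; it uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and has to run elevated. Assumptions not stated in the post: the lsass.exe rule is program-only (any protocol and port), the WMI rule is svchost.exe restricted to the Winmgmt service with any port, and the verification at the end uses Get-NetFirewallProfile and Get-NetConnectionProfile. Everything else (rule names, NlaSvc, TCP 389) follows the post.

```powershell
# Added example: builds the outbound rule set from the post with the NetSecurity
# module. Run in an elevated PowerShell session on Windows 8 / Server 2012+.
# Assumptions (not from the post): lsass.exe rule allows any protocol/port,
# WMI rule is svchost.exe limited to the Winmgmt service, any port.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
$svchost = "$env:SystemRoot\System32\svchost.exe"
$lsass   = "$env:SystemRoot\System32\lsass.exe"

# 1. Enable the predefined outbound rule groups and make sure their action is Allow.
foreach ($group in 'Core Networking', 'File and Printer Sharing') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Outbound |
        Set-NetFirewallRule -Enabled True -Action Allow
}

# 2. The three custom rules. Each hashtable is splatted into New-NetFirewallRule.
$rules = @(
    # Outgoing authentication from lsass.exe (assumption: any protocol/port).
    @{
        DisplayName = 'Allow outbound authentication (lsass.exe)'
        Program     = $lsass
        Protocol    = 'Any'
    },
    # WMI queries (assumption: svchost.exe hosting the Winmgmt service, any port).
    @{
        DisplayName = 'Allow outbound WMI (svchost.exe/Winmgmt)'
        Program     = $svchost
        Service     = 'Winmgmt'
        Protocol    = 'Any'
    },
    # The rule from the 2014-05-13 update: NlaSvc to LDAP, TCP 389.
    @{
        DisplayName = 'Allow outbound NlaSvc Service port 389'
        Program     = $svchost
        Service     = 'NlaSvc'
        Protocol    = 'TCP'
        RemotePort  = 389
    }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "exists:  $($r.DisplayName)"
        continue
    }
    # Profile Any: the rules must apply on Public/Private, which is where the
    # client is stuck before NLA manages to get it back to the Domain profile.
    New-NetFirewallRule @r -Direction Outbound -Action Allow -Profile Any -Enabled True | Out-Null
    Write-Host "created: $($r.DisplayName)"
}

# 3. Check that the outbound default on Public/Private is still Block
#    (the whole point of the exercise) and which profile NLA assigned.
Get-NetFirewallProfile -Name Public, Private |
    Select-Object Name, Enabled, DefaultOutboundAction

Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory
```

After running it, disconnect and reconnect the client to a domain network (or restart NlaSvc) and confirm that NetworkCategory comes back as DomainAuthenticated; if it stays Private or Public, use the firewall log (Set-NetFirewallProfile -LogBlocked True) to see which outbound connection is still being dropped and extend the list, as the post says you will most likely have to.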
