Block.web.Browsing.but.Allow.lan.Traffic.with.Ipsec


7/30/2019 Block.web.Browsing.but.Allow.lan.Traffic.with.Ipsec

    Block Web Browsing but Allow Intranet (LAN) Traffic with IPSec

    To configure a single computer follow these steps

    Configuring IP Filter Lists and Filter actions

    1. Open an MMC window (Start > Run > MMC).

    2. Add the IP Security Policy Management snap-in.


    3. In the Select which computer or domain this policy will manage window select Local computer (or another scope, such as the Active Directory domain this computer belongs to, depending on your needs). Click Finish, then Close, then OK.


    4. Right-click IP Security Policies in the left pane of the MMC console. Select Manage IP Filter Lists and Filter Actions.


    5. In the Manage IP Filter Lists and Filter Actions window, on the Manage IP Filter Lists tab, click Add.


    6. In the IP Filter List window type a descriptive name (such as HTTP, HTTPS) and click Add to add the new filters.


    7. In the Welcome window click Next.

    8. In the Description box type a description if you want and click Next.


    9. In the IP Traffic Source window leave My IP Address selected and click Next.


    10. In the IP Traffic Destination window leave Any IP Address selected and click Next.


    11. In the IP Protocol Type window scroll to TCP, select it and click Next.


    12. In the IP Protocol Port window leave From any port selected, select To this port, type 80 (for HTTP) in the box, and click Next.


    13. In the IP Filter List window notice how a new IP filter has been added. Now, if you want, add HTTPS (My IP Address to Any IP Address, protocol TCP, destination port 443) in the same manner.


    14. Now that you have both filters set up, click OK.


    15. Back in the Manage IP Filter Lists and Filter Actions window review your filter lists (you can add or remove filters later). Now we want to add a second filter list that defines the INTRANET web traffic we will allow. Again, click Add.


    16. Again, give the new filter list an appropriate name, for example Intranet, and then proceed to configuring the filter by clicking Add.


    17. In the IP Traffic Source window leave My IP Address selected and click Next.

    18. In the IP Traffic Destination window click the drop-down list and select the type of destination. For example, if you only want to allow web traffic to one specific Intranet web server called SERVER200, choose A specific DNS Name.


    Then, in the Host Name box type SERVER200 and click Next.


    If you want to allow web traffic to an entire internal subnet such as 192.168.0.0/24, select A specific IP Subnet instead, and type the Network ID (192.168.0.0) and Subnet Mask (255.255.255.0) of the required subnet. Click Next, then finish the wizard with protocol TCP and destination port 80 (and 443 if needed) exactly as for the HTTP, HTTPS filters.


    19. Back in the IP Filter List window add any other filter you want, and finally click OK.


    20. Back in the Manage IP Filter Lists and Filter Actions window review your filter lists and, if all are set, click the Manage Filter Actions tab. Now we need to add a filter action that will block our designated traffic, so click Add.


    21. In the Welcome screen click Next.

    22. In the Filter Action Name window type Block and click Next.


    23. In the Filter Action General Options click Block then click on Next.


    24.Back in the Manage IP Filter Lists and Filter actions review your filters and if all are set, click on the Close button. You can add Filters and Filter Actions at any time.

    Next step is to configure the IPSec Policy and to assign it.


    Configuring the IPSec Policy

    1. In the same MMC console right-click IP Security Policies on Local Computer and select Create IP Security Policy.


    2. In the Welcome screen click Next.

    3. In the IP Security Policy Name window enter a descriptive name, such as "Block HTTP, HTTPS, allow Intranet". Click Next.


    4. In the Requests for Secure Communication window clear the Activate the default response rule check box (this policy only permits and blocks; it never negotiates security, so the default response rule is not needed). Click Next.


    5. In the Completing IP Security Policy Wizard window, click Finish.


    6. We now need to add the IP filter lists and filter actions to the new IPSec policy as rules. In the new IPSec policy's Properties window click Add to begin adding the first rule.


    7. In the Welcome window click Next.

    8. In the Tunnel Endpoint window leave the default (This rule does not specify a tunnel) selected and click Next.


    9. In the Network Type window select All network connections and click Next.

    10. In the IP Filter List window select one of the previously configured filter lists, for example "HTTP, HTTPS". If you did not create the right filter list earlier, you can click Add and create it now. When done, click Next.

    11. In the Filter Action window select one of the previously configured filter actions, for example "Block" (configured in steps 20 to 23 of the previous section). Again, if you did not previously configure the right filter action, you can click Add and create it now. When done, click Next.


    12. Back in the IPSec policy's Properties window make sure the new rule is selected (checked). Click Add to add more rules just as you did before. In this example we will add the "Intranet" IP filter list.

    Perform steps 7 through 11 again.


    13. Add the "Intranet" IP filter list.


    14. Configure it to use the built-in Permit filter action.


    15. Notice how the two rules have been added.

    Also notice that you cannot change their order as you can in a full-featured firewall. This is not a problem here: IPsec does not evaluate filters top-down, it applies the most specific matching filter. The Intranet filter (a single host or a /24 subnet) is more specific than the HTTP, HTTPS filter (Any IP Address), so the Permit rule wins for intranet servers and the Block rule covers everything else, as you will soon see.


    The next phase is to assign the IPSec Policy.

    Assigning the IPSec Policy

    In the same MMC console, right-click the new IPSec Policy and select Assign.

    Done. You can now test the configuration by browsing to an Internet website (which should fail) and to the permitted intranet server (which should still work).

    Keep in mind what this policy does and does not cover. It blocks outbound TCP to destination ports 80 and 443 only, so a browser configured to use a proxy on another port, or a web server listening on a non-standard port, is not blocked; add filters for those ports if you need to. The filters match on IP addresses, so the Intranet exception applies to the addresses of SERVER200 or the subnet you typed, not to whatever name the user types in the browser. Finally, a local administrator can unassign or delete the policy, so on a managed network assign it through Group Policy rather than per computer.
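The same policy, built from the command line with the netsh ipsec static context instead of the MMC snap-in. This is an added example and not part of the original article. It assumes the legacy IPsec policy store that the article's snap-in manages (Windows XP / Server 2003 era; on later Windows versions the Windows Firewall with Advanced Security console is the supported way to manage IPsec rules), an elevated command prompt, and the names used above (HTTP, HTTPS; Intranet; Block; SERVER200; 192.168.0.0/24). The filter action name "Permit Intranet" is an assumption, chosen so it does not clash with the snap-in's built-in Permit action.

```batch
@echo off
rem Added example, not from the original article: the "Block HTTP, HTTPS, allow Intranet"
rem policy built with netsh ipsec static. Run from an elevated command prompt on XP/2003.
set POLICY=Block HTTP, HTTPS, allow Intranet

rem 1. The policy itself, with the default response rule left inactive (step 4 of
rem    "Configuring the IPSec Policy"). It is created unassigned and assigned last.
netsh ipsec static add policy name="%POLICY%" description="Block Internet web browsing, allow LAN web" activatedefaultrule=no assign=no

rem 2. Filter list "HTTP, HTTPS": My IP Address to Any IP Address, TCP, destination port 80 and 443.
rem    srcport=0 means any source port; mirrored=yes (the snap-in default) also matches the replies.
netsh ipsec static add filterlist name="HTTP, HTTPS" description="Web traffic to any destination"
netsh ipsec static add filter filterlist="HTTP, HTTPS" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="HTTP, HTTPS" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

rem 3. Filter list "Intranet": the LAN web servers that must stay reachable.
rem    Subnet form (192.168.0.0/24) as in the article; the single-host form is shown as a comment.
rem    These filters are more specific than "any", so IPsec applies them first.
netsh ipsec static add filterlist name="Intranet" description="Internal web servers"
netsh ipsec static add filter filterlist="Intranet" srcaddr=me dstaddr=192.168.0.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Intranet" srcaddr=me dstaddr=192.168.0.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=443 mirrored=yes
rem netsh ipsec static add filter filterlist="Intranet" srcaddr=me dstaddr=SERVER200 protocol=TCP srcport=0 dstport=80 mirrored=yes

rem 4. Filter actions: "Block" as in steps 20 to 23; "Permit Intranet" is an assumed name for a
rem    permit action (the GUI walk-through uses the built-in Permit action instead).
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit Intranet" action=permit

rem 5. Rules tie a filter list to a filter action inside the policy: no tunnel, all network connections.
netsh ipsec static add rule name="Block web browsing" policy="%POLICY%" filterlist="HTTP, HTTPS" filteraction="Block" conntype=all
netsh ipsec static add rule name="Allow intranet web" policy="%POLICY%" filterlist="Intranet" filteraction="Permit Intranet" conntype=all

rem 6. Assign the policy (the same as right-click > Assign) and show what the store now holds.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%"
```

To roll back, unassign first (`netsh ipsec static set policy name="Block HTTP, HTTPS, allow Intranet" assign=no`) and then delete the policy, filter lists and filter actions; `netsh ipsec static show all` lists everything in the store so you can confirm nothing is left behind.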