• 0

Configure server firewall to allow remote connections?



Question

Hi everyone!

 

I was hoping someone could help me with this.

 

I have a Windows Server 2016 device connected to a VPN router.

 

I can connect to the router, but don't have access to anything on the server so I believe this is a firewall issue on the server?

 

Does anyone know what should be configured in the firewall to allow remote / VPN connections?

 

I appreciate everyone's help!


Recommended Posts

  • 0
11 minutes ago, grunger106 said:

Can you ping anything on the subnet with your server?
What is your VPN config - what exactly are you doing?

Thank you for your response.

 

I can ping the server from the remote machine. I haven't tried pinging a remote machine from the server but would imagine it would work, but I can try that.

 

I have a server connected to the router and I'm VPN'ing in to the router. I can log into the router remotely and I can ping the server, but I do not have access to SQL Server on the server or any resources on the server (files, directories, etc).

 

So I was assuming firewall but I guess it could be something else? I've confirmed with the router company that that is configured properly.


  • 0

Hi everyone!

 

I just wanted to post back and see if anyone could help me. I haven't been able to find much that was helpful and I would like to work remotely.

 

Thank you everyone in advance for your help!


  • 0

You're going to have to provide more details. So you are VPN'd into the router's VPN services - from where? What is this router you're running the VPN server on? Is it OpenVPN, IPsec? What?

 

So your local network where the server is, say 192.168.1/24; say the server IP is 192.168.1.100 for example, and this server points back to your router, let's say 192.168.1.1 for example, as its gateway.

 

Now your remote vpn client gets an IP say 192.168.2.X/24  And he can ping 192.168.1.100?

 

If that is the case, more than likely the problem is the local firewall on the server not allowing access to whatever services (SQL, for example) from your VPN IP range 192.168.2/24.


  • 0
On 3/19/2020 at 9:08 AM, BudMan said:

You're going to have to provide more details. So you are VPN'd into the router's VPN services - from where? What is this router you're running the VPN server on? Is it OpenVPN, IPsec? What?

 

So your local network where the server is, say 192.168.1/24; say the server IP is 192.168.1.100 for example, and this server points back to your router, let's say 192.168.1.1 for example, as its gateway.

 

Now your remote vpn client gets an IP say 192.168.2.X/24  And he can ping 192.168.1.100?

 

If that is the case, more than likely the problem is the local firewall on the server not allowing access to whatever services (SQL, for example) from your VPN IP range 192.168.2/24.

Sorry it took me so long, I wanted to get everything together to try to answer all of your questions.

 

1) I am remoting in from home, but we have several people that are attempting to do the same.  We used to do this regularly before we had to upgrade our server & router.

 

2) The router at the office is a Draytek.  It offers several different VPN options, right now I have been playing around with SSL since that worked with our old configuration.

 

3) The office network is 10.0.0.1.  The home network (in this case) is 192.168.1.1.

 

4) When I connect to the VPN, the office network does give the computer an IP address (in this case 10.0.0.11).

 

5) When I'm connected via VPN, I can ping the server's IP address AND log in to the office's router.

 

I understand that it's likely the firewall, but how do I set that up so that I can remote in without making it too exposed?  That's a concern of course.  Also, what if someone tries to connect from a network using a different IP range?  I won't have control over many of these networks and want to be able to have a VPN that works for them wherever they are.

 

And with this current Coronavirus thing, being able to work remotely is increasingly important, so I'm really hoping that I can get this straightened out.

 

I really appreciate all of your help and everything.  I really, REALLY, appreciate it.


  • 0

A quick and dirty solution is to disable the Windows Firewall for a couple of minutes and test, that will prove one way or the other if it is the problem.

If your VPN IP pool is in the same subnet as your servers I wouldn't expect it to be an issue though - you are in the server's eyes local to it.

 

You say you can ping the server's IP, can you ping the FQDN?

 

 


  • 0
2 hours ago, M_Lyons10 said:

I understand that it's likely the firewall, but how do I set that up so that I can remote in without making it too exposed?

How would it be exposed? It's behind your NAT router/firewall - you don't forward ports to it, right? You're VPN'd into your network...

 

>When I connect to the VPN, the office network does give the computer an IP address (in this case 10.0.0.11)

 

So you're running the OpenVPN client on your remote machine? You have set up a TAP connection if you're getting an IP on the same 10 network. Then if you can ping this server, at what IP? I find it unlikely that it would allow you to ping but block SQL if you're on the same network as when you're at the office... You can connect to this SQL server when you're at the office.. Can you RDP to the server?

 


  • 0
2 minutes ago, BudMan said:

How would it be exposed? It's behind your NAT router/firewall - you don't forward ports to it, right? You're VPN'd into your network...

 

>When I connect to the VPN, the office network does give the computer an IP address (in this case 10.0.0.11)

 

So you're running the OpenVPN client on your remote machine? You have set up a TAP connection if you're getting an IP on the same 10 network. Then if you can ping this server, at what IP? I find it unlikely that it would allow you to ping but block SQL if you're on the same network as when you're at the office... You can connect to this SQL server when you're at the office.. Can you RDP to the server?

 

I think the OP is SSL VPN'ing to his Draytek box, slightly unusual to have the SSL VPN client pool in the same subnet as the internal lan in my experience.
I don't know Draytek though.....

 

I agree with you though if it really is the same subnet as the internal resources then it should work if it works internally - it can't not.

 

My guess is DNS resolution over the tunnel is incorrectly configured and that the SQL connection strings are referencing the server by name.


  • 0
1 minute ago, grunger106 said:

My guess is DNS resolution over the tunnel is incorrectly configured and that the SQL connection strings are referencing the server by name.

Yup would be a good guess for sure.


  • 0
Just now, BudMan said:

Yup would be a good guess for sure.

And also they've not said, but I'd be willing to bet AD DS is in play; if SQL is using NT auth, a tunnel alone isn't going to authenticate you with Active Directory......


  • 0
2 minutes ago, grunger106 said:

have the SSL VPN client pool in the same subnet as the internal lan in my experience.

Yeah it would be - this is a TAP vs TUN setup... and very odd.. Could be he set up the wrong tunnel network, the same as his remote network... And when he thinks he is pinging the server IP... he is just pinging something else..

 

If it really is an L2 setup, then look at your ARP table when you ping your server IP... is it the actual MAC of the server?

 

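The checks suggested in the replies above (grunger106: ping the server's FQDN, not just its IP; BudMan: confirm the DNS servers the tunnel hands out and, on an L2/TAP setup, check that the MAC answering for the server's IP is really the server's) can be run from the VPN client in one pass. The following PowerShell is an added example and is not code posted by anyone in the thread; the server IP, the FQDN and the port list are placeholders and assumptions to replace with the real values. It goes slightly beyond the thread by testing RDP, SMB and SQL Server individually, which is what separates a VPN problem from a host-firewall problem.

```powershell
# Added example (not from the thread). Run on the remote client while the VPN is connected.
# Assumptions / placeholders: replace $ServerIp and $ServerFqdn with the real values;
# 1433 assumes a default SQL Server instance.
$ServerIp   = '10.0.0.10'              # placeholder: the server's 10.0.0.x address you ping
$ServerFqdn = 'server01.corp.example'  # placeholder: the server's internal FQDN
$Ports      = [ordered]@{ 'RDP' = 3389; 'SMB' = 445; 'SQL (default instance)' = 1433 }

# 1. Which DNS servers does each adapter use? Public resolvers (75.75.75.75 is Comcast's)
#    cannot resolve internal names, which breaks name-based SQL connection strings.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Does the FQDN resolve over the tunnel, and to the expected internal address?
try {
    $resolved = (Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction Stop).IPAddress
    Write-Host "$ServerFqdn -> $resolved (expected $ServerIp)"
} catch {
    Write-Warning "$ServerFqdn does not resolve: $($_.Exception.Message)"
}

# 3. L2 check (only meaningful on a bridged/TAP VPN): after a ping, the neighbor entry for
#    the server's IP should show the server's own MAC, not some other host's.
Test-Connection -ComputerName $ServerIp -Count 1 -Quiet | Out-Null   # populate the neighbor cache
Get-NetNeighbor -IPAddress $ServerIp -ErrorAction SilentlyContinue |
    Format-Table IPAddress, LinkLayerAddress, State, InterfaceAlias -AutoSize

# 4. Per-service TCP reachability. RDP open while SMB and SQL are closed points at the
#    server's own firewall (or a service that is not listening), not at the VPN.
foreach ($entry in $Ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $ServerIp -Port $entry.Value -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked or not listening' }
    '{0,-24} TCP {1,-5} {2}' -f $entry.Key, $entry.Value, $state
}
```

If step 2 fails while step 4 shows the ports open, the fault is the DNS configuration pushed by the VPN (connection strings by name will fail even though the server is reachable by IP); if step 4 shows 3389 open and 445/1433 closed, the VPN is doing its job and the server-side firewall or the service itself is the place to look.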

  • 0

Thank you both for your responses.  I appreciate your help very much.

 

I want to try to answer some of the questions, but I also have a few if you don't mind.

 

@grunger106: By pinging the FQDN, do you mean pinging the hostname that resolves to the Router IP?  I have a DrayDNS-like service running on the server that resolves the IP should it change.

 

@BudMan: I am not forwarding ports to it no.  I appreciate your addressing that concern.

 

@BudMan & @grunger106: I apologize, but I'm not really clear on what you're talking about in your back and forth.  Is there anything I can look up to help narrow the issue down?  I will be in the office tomorrow for a little bit and can check whatever you need.

 

I did check on the router and I am showing as connected via VPN, so I should be on the network. 

 

I took a closer look at ipconfig /all while connected to the VPN network remotely and while the ipv4 is 10.0.0.11 under the VPN Connection, I noticed a few things that may or may not be an issue:

Default Gateway 0.0.0.0

DNS Servers 75.75.75.75, 75.75.76.76

Under Wireless LAN

ipv4: 192.168.1.4

Default Gateway: 192.168.1.1

DHCP Server: 192.168.1.1

DNS Servers: 192.168.1.1

 

When I ping the server, I am pinging its 10.0.0.x IP address and it is succeeding.  I'm not sure what else I could be hitting with that ping though as I'm connected to the router and can log into the dashboard.

 

I also CAN connect to the server via RDP.  So I'm definitely connected to the network.  But, I cannot access SQL Server via the remote computer OR any of the file system.  So, for instance, I can't access shared folders / files on the server.

 

How would I confirm that the DNS resolution over the tunnel is configured properly?  Draytek did take a look at the setup and told me it was correct, but we all may have missed something so I'm happy to check anything anyone thinks might be a factor.  The SQL connection string IS referencing the server by name as well, but it did that under our old VPN setup as well.  Is there a different way this should be done?  I figured since we didn't have access to any of the file system on the server, that that was why we couldn't VPN?

 

I hope that all helps.  I want to thank you both again for all of your help.  If you want me to look up anything in particular, please let me know and I'll check it for you.


  • 0
19 minutes ago, M_Lyons10 said:

DNS Servers 75.75.75.75, 75.75.76.76

That is Comcast; how would that resolve the FQDN of some server at your work?

 

If you can ping it and RDP to it, but you cannot access file shares or SQL, then that SCREAMS it's the server's firewall - fix it... Your problem has nothing to do with your VPN connection since clearly you're connected and can talk to this IP..

 

As to DNS.. try and ping the server's FQDN - does it resolve to its IP?  If not then you have a DNS issue.. Your VPN should point your client to your local DNS that resolves all your local stuff at work..  Do you have that?

 

RDP into your server and fix the firewall.. Show us the settings..

 

 

 

 

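BudMan's advice (RDP in and fix the server firewall) comes down to two things: find out which enabled inbound rules already cover SMB (TCP 445) and SQL Server, including their profile and remote-address scope, and then add allow rules scoped to the LAN/VPN range rather than to Any. The PowerShell below is an added example, not code posted in the thread or shipped by Microsoft; it assumes the office LAN and VPN pool are 10.0.0.0/24 as the thread describes, a default SQL Server instance on TCP 1433, and a placeholder path for sqlservr.exe.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the Windows Server 2016 box.
# Assumptions / placeholders: VPN clients land in the office LAN 10.0.0.0/24; SQL Server is a
# default instance on TCP 1433; adjust $SqlServerExe to the real binary path.
$AllowedSources = @('10.0.0.0/24')    # LAN plus VPN pool; scope rules to this, not to 'Any'
$SqlServerExe   = 'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'

# 1. Network profile per adapter. Rules limited to Domain/Private never match traffic that
#    arrives on an adapter Windows has classified as Public.
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory -AutoSize

# 2. Audit: enabled inbound rules covering TCP 445 (SMB) or TCP 1433 (SQL), with action,
#    profile and remote-address scope. A matching Block rule overrides any Allow rule.
$audit = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and
        (($port.LocalPort -contains '445') -or ($port.LocalPort -contains '1433'))) {
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Action        = $rule.Action
            Profile       = $rule.Profile
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}
$audit | Sort-Object Action, Name | Format-Table -AutoSize

# 3. Is SQL Server actually listening on TCP 1433? A firewall rule cannot help if it is not.
Get-NetTCPConnection -State Listen -LocalPort 1433 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. Scoped allow rules, created only if absent so the script can be rerun safely.
if (-not (Get-NetFirewallRule -DisplayName 'VPN - SMB (TCP-In)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'VPN - SMB (TCP-In)' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -RemoteAddress $AllowedSources -Profile Domain,Private | Out-Null
}
if (-not (Get-NetFirewallRule -DisplayName 'VPN - SQL Server (TCP-In)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'VPN - SQL Server (TCP-In)' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 1433 -Program $SqlServerExe `
        -RemoteAddress $AllowedSources -Profile Domain,Private | Out-Null
}
```

Two caveats on the design. The audit in step 2 is the thing to read before adding anything: in the export posted below, the built-in "File and Printer Sharing (SMB-In)" rule is enabled for all profiles with remote address Any, so an SMB failure from 10.0.0.11 is more likely a Block rule, a wrong network profile, or the service than a missing allow. And for a named SQL instance the port is dynamic, so the program rule for sqlservr.exe should be created without -LocalPort, with a separate UDP 1434 rule for the SQL Browser service if clients rely on it.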

  • 0
23 minutes ago, BudMan said:

That is Comcast; how would that resolve the FQDN of some server at your work?

 

If you can ping it and RDP to it, but you cannot access file shares or SQL, then that SCREAMS it's the server's firewall - fix it... Your problem has nothing to do with your VPN connection since clearly you're connected and can talk to this IP..

 

As to DNS.. try and ping the server's FQDN - does it resolve to its IP?  If not then you have a DNS issue.. Your VPN should point your client to your local DNS that resolves all your local stuff at work..  Do you have that?

 

RDP into your server and fix the firewall.. Show us the settings..

 

 

 

 

Thank you.  I figured that it probably was the firewall.  Comcast is the internet provider at the office.

I'm genuinely not sure what settings would need to be changed.  Per your request, here are some pictures of the firewall settings.

 

I exported the settings because I wasn't sure how to get everything in a screen grab.

 

Name    Group    Profile    Enabled    Action    Override    Program    Local Address    Remote Address    Protocol    Local Port    Remote Port    Authorized Users    Authorized Computers    Authorized Local Principals    Local User Owner    Application Package   
MSMPI-LaunchSvc        All    Yes    Allow    No    C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
MSMPI-MPIEXEC        All    Yes    Allow    No    C:\Program Files\Microsoft MPI\Bin\mpiexec.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
MSMPI-SMPD        All    Yes    Allow    No    C:\Program Files\Microsoft MPI\Bin\smpd.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any        
Active Directory Domain Controller -  Echo Request (ICMPv4-In)    Active Directory Domain Services    All    Yes    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller -  Echo Request (ICMPv6-In)    Active Directory Domain Services    All    Yes    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - LDAP (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    389    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - LDAP (UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    UDP    389    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    3268    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - NetBIOS name resolution (UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - SAM/LSA (NP-TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - SAM/LSA (NP-UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    System    Any    Any    UDP    445    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - Secure LDAP (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    636    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    3269    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - W32Time (NTP-UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\svchost.exe    Any    Any    UDP    123    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller (RPC)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller (RPC-EPMAP)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Active Directory Web Services (TCP-In)    Active Directory Web Services    All    Yes    Allow    No    %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe    Any    Any    TCP    9389    Any    Any    Any    Any    Any    Any    
AllJoyn Router (TCP-In)    AllJoyn Router    Domain, Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    9955    Any    Any    Any    Any    Any    Any    
AllJoyn Router (UDP-In)    AllJoyn Router    Domain, Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Border Gateway Protocol (BGP-In)    Border Gateway Protocol (BGP)    All    No    Allow    No    %Systemroot%\system32\svchost.exe    Any    Any    TCP    179    Any    Any    Any    Any    Any    Any    
BranchCache Content Retrieval (HTTP-In)    BranchCache - Content Retrieval (Uses HTTP)    All    No    Allow    No    SYSTEM    Any    Any    TCP    80    Any    Any    Any    Any    Any    Any    
BranchCache Hosted Cache Server (HTTP-In)    BranchCache - Hosted Cache Server (Uses HTTPS)    All    No    Allow    No    SYSTEM    Any    Any    TCP    80, 443    Any    Any    Any    Any    Any    Any    
BranchCache Peer Discovery (WSD-In)    BranchCache - Peer Discovery (Uses WSD)    All    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Cast to Device functionality (qWave-TCP-In)    Cast to Device functionality    Private, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    PlayTo Renderers    TCP    2177    Any    Any    Any    Any    Any    Any    
Cast to Device functionality (qWave-UDP-In)    Cast to Device functionality    Private, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    PlayTo Renderers    UDP    2177    Any    Any    Any    Any    Any    Any    
Cast to Device SSDP Discovery (UDP-In)    Cast to Device functionality    Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    PlayTo Discovery    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (HTTP-Streaming-In)    Cast to Device functionality    Domain    Yes    Allow    No    System    Any    Any    TCP    10246    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (HTTP-Streaming-In)    Cast to Device functionality    Public    Yes    Allow    No    System    Any    PlayTo Renderers    TCP    10246    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (HTTP-Streaming-In)    Cast to Device functionality    Private    Yes    Allow    No    System    Any    Local subnet    TCP    10246    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTCP-Streaming-In)    Cast to Device functionality    Private    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Local subnet    UDP    Any    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTCP-Streaming-In)    Cast to Device functionality    Domain    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTCP-Streaming-In)    Cast to Device functionality    Public    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    PlayTo Renderers    UDP    Any    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTSP-Streaming-In)    Cast to Device functionality    Public    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    PlayTo Renderers    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTSP-Streaming-In)    Cast to Device functionality    Domain    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Any    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTSP-Streaming-In)    Cast to Device functionality    Private    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Local subnet    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Cast to Device UPnP Events (TCP-In)    Cast to Device functionality    Public    Yes    Allow    No    System    Any    PlayTo Renderers    TCP    2869    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-DCOM-IN)    Certification Authority    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-EPMAP-IN)    Certification Authority    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-NP-IN)    Certification Authority    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-TCP-IN)    Certification Authority    All    Yes    Allow    No    %systemroot%\system32\certsrv.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
COM+ Network Access (DCOM-In)    COM+ Network Access    All    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
COM+ Remote Administration (DCOM-In)    COM+ Remote Administration    All    No    Allow    No    %systemroot%\system32\dllhost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Core Networking - Destination Unreachable (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Dynamic Host Configuration Protocol (DHCP-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    68    67    Any    Any    Any    Any    Any    
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    546    547    Any    Any    Any    Any    Any    
Core Networking - Internet Group Management Protocol (IGMP-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    IGMP    Any    Any    Any    Any    Any    Any    Any    
Core Networking - IPHTTPS (TCP-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    TCP    IPHTTPS    Any    Any    Any    Any    Any    Any    
Core Networking - IPv6 (IPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    IPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Done (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Query (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Report (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Report v2 (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Packet Too Big (ICMPv6-In)    Core Networking    All    Yes    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Parameter Problem (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Router Advertisement (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    fe80::/64    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Router Solicitation (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Teredo (UDP-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    Edge Traversal    Any    Any    Any    Any    Any    Any    
Core Networking - Time Exceeded (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Cortana    Cortana    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.windows.cortana_cw5n1h2txyewy    
Cortana    Cortana    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\ITMGR    microsoft.windows.cortana_cw5n1h2txyewy    
DFS Management (DCOM-In)    DFS Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
DFS Management (SMB-In)    DFS Management    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
DFS Management (TCP-In)    DFS Management    All    Yes    Allow    No    %systemroot%\system32\dfsfrsHost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DFS Management (WMI-In)    DFS Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DFS Replication (RPC-EPMAP)    DFS Replication    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
DFS Replication (RPC-In)    DFS Replication    All    Yes    Allow    No    %SystemRoot%\system32\dfsrs.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DHCPv4 Relay Agent [Client] (UDP-In)    DHCP Relay Agent    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    67    Any    Any    Any    Any    Any    Any    
DHCP Server v4 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    67    Any    Any    Any    Any    Any    Any    
DHCP Server v4 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    68    Any    Any    Any    Any    Any    Any    
DHCP Server v6 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    546    Any    Any    Any    Any    Any    Any    
DHCP Server v6 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    547    Any    Any    Any    Any    Any    Any    
DHCP Server - Remote Service Management using SCM (RPC-in)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\services.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DHCP Server (RPC-In)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DHCP Server (RPCSS-In)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
DHCP Server (SMB-In)    DHCP Server Management    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
DHCP Server Failover (TCP-In)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    647    Any    Any    Any    Any    Any    Any    
DHCPv6 Relay Agent [Server] (UDP-In)    DHCPv6 Relay Agent    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    547    Any    Any    Any    Any    Any    Any    
DIAL protocol server (HTTP-In)    DIAL protocol server    Domain    Yes    Allow    No    System    Any    Any    TCP    10247    Any    Any    Any    Any    Any    Any    
DIAL protocol server (HTTP-In)    DIAL protocol server    Private    Yes    Allow    No    System    Any    Local subnet    TCP    10247    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC)    Distributed Transaction Coordinator    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC-EPMAP)    Distributed Transaction Coordinator    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (TCP-In)    Distributed Transaction Coordinator    All    No    Allow    No    %SystemRoot%\system32\msdtc.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
DNS (TCP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\System32\dns.exe    Any    Any    TCP    53    Any    Any    Any    Any    Any    Any    
DNS (UDP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\System32\dns.exe    Any    Any    UDP    53    Any    Any    Any    Any    Any    Any    
RPC (TCP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\System32\dns.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
RPC Endpoint Mapper (TCP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv4-In)    File and Printer Sharing    All    Yes    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv6-In)    File and Printer Sharing    All    Yes    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (LLMNR-UDP-In)    File and Printer Sharing    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Datagram-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Name-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Session-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    TCP    139    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (SMB-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC)    File and Printer Sharing    All    Yes    Allow    No    %SystemRoot%\system32\spoolsv.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC-EPMAP)    File and Printer Sharing    All    Yes    Allow    No    Any    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File and Printer Sharing over SMBDirect (iWARP-In)    File and Printer Sharing over SMBDirect    All    No    Allow    No    System    Any    Any    TCP    5445    Any    Any    Any    Any    Any    Any    
File Replication (RPC)    File Replication    All    Yes    Allow    No    %SystemRoot%\system32\NTFRS.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
File Replication (RPC-EPMAP)    File Replication    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File Server Remote Management (DCOM-In)    File Server Remote Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
File Server Remote Management (SMB-In)    File Server Remote Management    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
File Server Remote Management (WMI-In)    File Server Remote Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
iSCSI Service (TCP-In)    iSCSI Service    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center - PCR (TCP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    464    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center - PCR (UDP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    UDP    464    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center (TCP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    88    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center (UDP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    UDP    88    Any    Any    Any    Any    Any    Any    
Key Management Service (TCP-In)    Key Management Service    All    No    Allow    No    %SystemRoot%\system32\sppextcomobj.exe    Any    Any    TCP    1688    Any    Any    Any    Any    Any    Any    
mDNS (UDP-In)    mDNS    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Microsoft Key Distribution Service    Microsoft Key Distribution Service    All    Yes    Allow    No    %systemroot%\system32\lsass.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Microsoft Key Distribution Service    Microsoft Key Distribution Service    All    Yes    Allow    No    %systemroot%\system32\lsass.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Netlogon Service (NP-In)    Netlogon Service    All    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Netlogon Service Authz (RPC)    Netlogon Service    All    No    Allow    No    %SystemRoot%\System32\lsass.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Network Discovery (LLMNR-UDP-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
Network Discovery (LLMNR-UDP-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Datagram-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Datagram-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Name-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Name-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
Network Discovery (Pub-WSD-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (Pub-WSD-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (SSDP-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Network Discovery (SSDP-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Network Discovery (UPnP-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    TCP    2869    Any    Any    Any    Any    Any    Any    
Network Discovery (UPnP-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    TCP    2869    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD Events-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    TCP    5357    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD Events-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    TCP    5357    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD EventsSecure-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    TCP    5358    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD EventsSecure-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    TCP    5358    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (DCOM-In)    Performance Logs and Alerts    Domain    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (DCOM-In)    Performance Logs and Alerts    Private, Public    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Local subnet    TCP    135    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (TCP-In)    Performance Logs and Alerts    Domain    No    Allow    No    %systemroot%\system32\plasrv.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (TCP-In)    Performance Logs and Alerts    Private, Public    No    Allow    No    %systemroot%\system32\plasrv.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Remote Access Management (DCOM-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Access Management (NP-In)    Remote Access    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Access Management (NPS-RPC-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\iashost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Management (RRAS-RPC-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\remrras.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Management (Services-RPC-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\services.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Management (WMI-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Quarantine (TCP-In)    Remote Access Quarantine    All    Yes    Allow    No    %systemroot%\system32\rqs.exe    Any    Any    TCP    7250    Any    Any    Any    Any    Any    Any    
Remote Desktop - Shadow (TCP-In)    Remote Desktop    All    Yes    Allow    No    %SystemRoot%\system32\RdpSa.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Remote Desktop - User Mode (TCP-In)    Remote Desktop    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    3389    Any    Any    Any    Any    Any    Any    
Remote Desktop - User Mode (UDP-In)    Remote Desktop    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    3389    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (NP-In)    Remote Event Log Management    All    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC)    Remote Event Log Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC-EPMAP)    Remote Event Log Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Event Monitor (RPC)    Remote Event Monitor    All    No    Allow    No    %SystemRoot%\system32\NetEvtFwdr.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Monitor (RPC-EPMAP)    Remote Event Monitor    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC)    Remote Scheduled Tasks Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC-EPMAP)    Remote Scheduled Tasks Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Service Management (NP-In)    Remote Service Management    All    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC)    Remote Service Management    All    No    Allow    No    %SystemRoot%\system32\services.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC-EPMAP)    Remote Service Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Inbound Rule for Remote Shutdown (RPC-EP-In)    Remote Shutdown    All    No    Allow    No    %systemroot%\system32\wininit.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Inbound Rule for Remote Shutdown (TCP-In)    Remote Shutdown    All    No    Allow    No    %systemroot%\system32\wininit.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service (RPC)    Remote Volume Management    All    No    Allow    No    %SystemRoot%\system32\vds.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service Loader (RPC)    Remote Volume Management    All    No    Allow    No    %SystemRoot%\system32\vdsldr.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management (RPC-EPMAP)    Remote Volume Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (GRE-In)    Routing and Remote Access    All    Yes    Allow    No    System    Any    Any    GRE    Any    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (L2TP-In)    Routing and Remote Access    All    Yes    Allow    No    System    Any    Any    UDP    1701    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (PPTP-In)    Routing and Remote Access    All    Yes    Allow    No    System    Any    Any    TCP    1723    Any    Any    Any    Any    Any    Any    
Routing Information Protocol (RIP-In)    Routing Information Protocol (RIP)    All    No    Allow    No    %Systemroot%\system32\svchost.exe    Any    Any    UDP    520    Any    Any    Any    Any    Any    Any    
Secure Socket Tunneling Protocol (SSTP-In)    Secure Socket Tunneling Protocol    All    Yes    Allow    No    System    Any    Any    TCP    443    Any    Any    Any    Any    Any    Any    
World Wide Web Services (HTTPS Traffic-In)    Secure World Wide Web Services (HTTPS)    All    Yes    Allow    No    System    Any    Any    TCP    443    Any    Any    Any    Any    Any    Any    
SNMP Trap Service (UDP In)    SNMP Trap    Private, Public    No    Allow    No    %SystemRoot%\system32\snmptrap.exe    Any    Local subnet    UDP    162    Any    Any    Any    Any    Any    Any    
SNMP Trap Service (UDP In)    SNMP Trap    Domain    No    Allow    No    %SystemRoot%\system32\snmptrap.exe    Any    Any    UDP    162    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (DCOM-In)    TPM Virtual Smart Card Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    135    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (DCOM-In)    TPM Virtual Smart Card Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (TCP-In)    TPM Virtual Smart Card Management    Private, Public    No    Allow    No    %SystemRoot%\system32\RmtTpmVscMgrSvr.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (TCP-In)    TPM Virtual Smart Card Management    Domain    No    Allow    No    %SystemRoot%\system32\RmtTpmVscMgrSvr.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (DCOM-In)    Virtual Machine Monitoring    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (Echo Request - ICMPv4-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (Echo Request - ICMPv6-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (NB-Session-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    TCP    139    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (RPC)    Virtual Machine Monitoring    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Backup (RPC)    Windows Backup    All    Yes    Allow    No    %systemroot%\system32\wbengine.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Backup (RPC-EPMAP)    Windows Backup    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC)    Windows Firewall Remote Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC-EPMAP)    Windows Firewall Remote Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (ASync-In)    Windows Management Instrumentation (WMI)    All    Yes    Allow    No    %systemroot%\system32\wbem\unsecapp.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (DCOM-In)    Windows Management Instrumentation (WMI)    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (WMI-In)    Windows Management Instrumentation (WMI)    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player (UDP-In)    Windows Media Player    All    No    Allow    No    %ProgramFiles%\Windows Media Player\wmplayer.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player x86 (UDP-In)    Windows Media Player    All    No    Allow    No    %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Remote Management (HTTP-In)    Windows Remote Management    Domain, Private    Yes    Allow    No    System    Any    Any    TCP    5985    Any    Any    Any    Any    Any    Any    
Windows Remote Management (HTTP-In)    Windows Remote Management    Public    Yes    Allow    No    System    Any    Local subnet    TCP    5985    Any    Any    Any    Any    Any    Any    
Windows Remote Management - Compatibility Mode (HTTP-In)    Windows Remote Management (Compatibility)    All    No    Allow    No    System    Any    Any    TCP    80    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Certificate Web Service    Windows Server Essentials    All    Yes    Allow    No    System    Any    Any    TCP    65500    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Computer Backup    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    TCP    8912    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Connect Computer Web site    Windows Server Essentials    All    Yes    Allow    No    System    Any    Any    TCP    80, 443    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Discovery    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    UDP    8912    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Mac Web Service    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    TCP    65520    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Provider Framework    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    TCP    6602    Any    Any    Any    Any    Any    Any    
Work or school account    Work or school account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.aad.brokerplugin_cw5n1h2txyewy    
Work or school account    Work or school account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\ITMGR    microsoft.aad.brokerplugin_cw5n1h2txyewy    
Work or school account    Work or school account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.aad.brokerplugin_cw5n1h2txyewy    
World Wide Web Services (HTTP Traffic-In)    World Wide Web Services (HTTP)    All    Yes    Allow    No    System    Any    Any    TCP    80    Any    Any    Any    Any    Any    Any    
Your account    Your account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\ITMGR    microsoft.windows.cloudexperiencehost_cw5n1h2txyewy    
Your account    Your account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.windows.cloudexperiencehost_cw5n1h2txyewy    
Your account    Your account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.windows.cloudexperiencehost_cw5n1h2txyewy    

 

Is this what you needed?  Those are the inbound rules.  Thank you again.


  • 0

^ Exactly (Budman)

 

You have a non-domain joined device with a VPN connection, the VPN aspect appears to be functional

You may find no issues with your internal firewall as you are local in networking terms

 

In real terms what you're doing is rocking up to your office with an unknown device and plugging it into your local network but with DNS servers configured that have no ability to resolve local host names.

Unless 'yourserver.yourdomain.local' is resolvable by 75.75.75.75 any query to it will fail.

You need a config on the VPN device where it knows yourdomain.local, and knows to forward any DNS queries to yourdomain.local to your internal DNS

 

I suspect if you attempt to ping your server by FQDN - server1.yourdomain.local (or whatever) it will fail, I suspect your app that talks to SQL will be looking for SQLserver.yourdomain.local and won't be able to resolve it.

 

This is pretty easy to resolve (ahem pun not intended)

 

However what is less trivial is if your SQL server is using NTLM for authentication, as your non-domain joined devices will not be logging on to your domain, even if the DNS resolves correctly

Attempts to connect to a shared drive will prompt for a login, and will work.

SQL won't and will likely throw a SSPI context failure.

 

EDIT: I don't see SQL in there at all, does it work internally?


  • 0
7 minutes ago, grunger106 said:

^ Exactly (Budman)

 

You have a non-domain joined device with a VPN connection, the VPN aspect appears to be functional

You may find no issues with your internal firewall as you are local in networking terms

 

In real terms what you're doing is rocking up to your office with an unknown device and plugging it into your local network but with DNS servers configured that have no ability to resolve local host names.

Unless 'yourserver.yourdomain.local' is resolvable by 75.75.75.75 any query to it will fail.

You need a config on the VPN device where it knows yourdomain.local, and knows to forward any DNS queries to yourdomain.local to your internal DNS

 

I suspect if you attempt to ping your server by FQDN - server1.yourdomain.local (or whatever) it will fail, I suspect your app that talks to SQL will be looking for SQLserver.yourdomain.local and won't be able to resolve it.

 

This is pretty easy to resolve (ahem pun not intended)

 

However what is less trivial is if your SQL server is using NTLM for authentication, as your non-domain joined devices will not be logging on to your domain, even if the DNS resolves correctly

Attempts to connect to a shared drive will prompt for a login, and will work.

SQL won't and will likely throw a SSPI context failure.

 

EDIT: I don't see SQL in there at all, does it work internally?

Yes, SQL works internally.  That was just the inbound rules.  I assumed that would be what was needed, but I can post the rest if need be.

 

I have to apologize on a lot of the rest that you posted because much of it is over my head...  So, I'm sorry if I don't quite understand certain things.


  • 0

When you say SQL - how does this work, you have an application that connects to SQL server I assume, how exactly does it know what to connect to and how to auth?

I'm assuming your internal machines are domain joined? As in you login to them and this login is processed by a domain controller.

 

I suspect your current issue is a lack of internal DNS resolution over your tunnel - as in your VPN client devices cannot resolve your internal machine names - this is solvable.

 

What is the internal DNS server pushed to client devices - it can either be the DNS server you use internally or can be the VPN device as long as it has a forwarder to your internal DNS for lookups on the internal domain name.

Whatever and however your VPN clients need to be able to resolve yourserver.yourinternaldomain.com

 

Solving that is step 1, fix that first.

 

However once you solve that I suspect you will have different issues as your client devices will not have been authenticated.

 

For example you login to a local domain joined PC with UserA@yourdomain - AD auths you via a domain controller (DC), and SQL knows AD and auths you too, all is well.

If you were to plug in some random laptop, your login would be whatever was local to that laptop. You'd get internet access (as based on the description I doubt there'd be anything to stop you getting an IP and Gateway) but you've never authenticated with the DC, so SQL will not know who you are and will fail to auth you.

 

 

Edit: If your SQL app is using SQL authentication rather than NTLM authentication it will be work-roundable (although not something I do)


  • 0
15 hours ago, grunger106 said:

When you say SQL - how does this work, you have an application that connects to SQL server I assume, how exactly does it know what to connect to and how to auth?

I'm assuming your internal machines are domain joined? As in you login to them and this login is processed by a domain controller.

 

I suspect your current issue is a lack of internal DNS resolution over your tunnel - as in your VPN client devices cannot resolve your internal machine names - this is solvable.

 

What is the internal DNS server pushed to client devices - it can either be the DNS server you use internally or can be the VPN device as long as it has a forwarder to your internal DNS for lookups on the internal domain name.

Whatever and however your VPN clients need to be able to resolve yourserver.yourinternaldomain.com

 

Solving that is step 1, fix that first.

 

However once you solve that I suspect you will have different issues as your client devices will not have been authenticated.

 

For example you login to a local domain joined PC with UserA@yourdomain - AD auths you via a domain controller (DC), and SQL knows AD and auths you too, all is well.

If you were to plug in some random laptop, your login would be whatever was local to that laptop. You'd get internet access (as based on the description I doubt there'd be anything to stop you getting an IP and Gateway) but you've never authenticated with the DC, so SQL will not know who you are and will fail to auth you.

 

 

Edit: If your SQL app is using SQL authentication rather than NTLM authentication it will be work-roundable (although not something I do)

Thank you.

 

From what you're describing it doesn't sound like the workstations are joined because we don't log in with a User@yourdomain.  We log into Windows normally and then it connects to the network.  I believe when it was being set up they went to a network drive and logged into the server when prompted, saving those credentials on the workstation.  I'm not sure why they chose to set it up that way now, but I remember there being a reason...

 

We have several programs that rely on SQL databases.  They all use a connection string to connect to the SQL server and to the designated database.  This works flawlessly in the office and used to work flawlessly over VPN as well until we upgraded everything.

 

With regards to the DNS issue, would that allow me to connect and RDP to the server, but not allow the computers to access network resources?  How would I correct that and would that need to be corrected on the router, the server, or the workstation?  I can reach out to Draytek also for some clarification and to ask if they could look at that for me.

 

Thank you again for your help.
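The posts above turn on which layer the SQL connection string fails at: name resolution, the instance lookup, the TCP port, or authentication (NTLM/SSPI on a non-domain-joined client versus a SQL login). The following PowerShell is an added example for running that check from the VPN-connected client; it is not code from the thread or from any of the posters. The host name OSRVR and the instance name SQLServer are taken from the thread, and the connection strings are assumptions; replace them with the ones your applications actually use.

```powershell
# Added example, not from the thread. Run on the VPN-connected client.
# Opens a SQL Server connection string and reports which layer failed.
Add-Type -AssemblyName System.Data

function Test-SqlConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Ask SQL Server which login it accepted and which auth scheme the session used
        $cmd.CommandText = 'SELECT SUSER_SNAME() AS LoginName, auth_scheme ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{
            Result     = 'Connected'
            LoginName  = $reader['LoginName']
            AuthScheme = $reader['auth_scheme']   # SQL, NTLM or KERBEROS
        }
    }
    catch [System.Data.SqlClient.SqlException] {
        $msg = $_.Exception.Message
        # Classify by the provider's message text; the numbers differ by provider
        $diag = switch -Regex ($msg) {
            'SSPI context'    { 'Windows auth could not reach a DC: client is not domain-joined or cannot see the domain over the VPN'; break }
            'Login failed'    { 'Name, port and network are fine; the credentials or login mapping are wrong'; break }
            'error: 26'       { 'Host resolved but the named instance was not located: UDP 1434 (SQL Browser) blocked or instance name wrong'; break }
            'network-related' { 'Host name did not resolve or the TCP port is blocked between the VPN subnet and the server'; break }
            default           { 'Unclassified SQL error' }
        }
        [pscustomobject]@{
            Result    = 'Failed'
            Number    = $_.Exception.Number
            Diagnosis = $diag
            Message   = $msg
        }
    }
    finally { $conn.Dispose() }
}

# Windows (integrated) auth, as a domain-joined office PC would use it (assumed string)
Test-SqlConnectionString 'Server=OSRVR\SQLServer;Database=master;Integrated Security=True;Connect Timeout=10'

# SQL authentication with a dedicated low-privilege login; credentials are prompted, never hard-coded
$cred = Get-Credential -Message 'SQL login'
$cs = "Server=OSRVR\SQLServer;Database=master;User ID=$($cred.UserName);" +
      "Password=$($cred.GetNetworkCredential().Password);Connect Timeout=10"
Test-SqlConnectionString $cs
```

Reading the result: a 'network-related' failure means grunger106's DNS diagnosis still applies and authentication has not even been attempted yet; an 'SSPI context' failure means the network path is fine and the remaining problem is the one described above, Windows authentication from a machine that never logged on to the domain. A successful connect shows the auth scheme SQL Server actually negotiated, which tells you whether the working office connections rely on NTLM or on a SQL login.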


  • 0
30 minutes ago, grunger106 said:

What is the SQL server name in the connection string?

 

Ping that from your VPN joined machine, does it work?

There are a couple of SQL Servers on the server.  The one I've been working on here is called "SQLServer". 

 

I tried pinging the named instance of SQL Server from the remote machine but didn't have any luck.  That isn't something I've ever done before, so I did look up some examples and tried them all.  Here's what I tried:

 

ping 10.0.0.x\SQLServer

ping Server\SQLServer

ping 10.0.0.x,1433

 

If the examples I saw online were wrong and you want me to try something specific, please let me know.

 

I also checked in the SQL Server logs to see what TCP port SQL was using and I created a rule in the firewall allowing access to that port, but still can't connect to SQL Server with the remote machine.  Though that won't of course have any effect on access to files and folders on the server...

 

Thank you again,
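Two things worth checking against the rule dump posted earlier in the thread and the rule just added for the SQL port. First, the dump already shows "File and Printer Sharing (SMB-In)" enabled for all profiles from any remote address, so if file shares still fail over the VPN the server firewall is unlikely to be the cause for SMB. Second, a connection string of the form Server\SQLServer names an instance, not a port: the client first asks the SQL Browser service on UDP 1434 which port that instance listens on, so a rule for the TCP port alone is not enough unless the connection string carries the port explicitly. The PowerShell below is an added example (not code from the thread) for creating both rules scoped to the VPN client subnet rather than to any address, and for auditing which enabled inbound rules leave the SQL port open to everyone. The subnet 192.168.2.0/24, the port 1433 and the service name MSSQL$SQLSERVER are placeholders; take the subnet from the router's VPN pool, the port from the SQL Server error log, and confirm the service name with Get-Service.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the server.
$VpnClientSubnet = '192.168.2.0/24'   # placeholder: the router's VPN client pool
$SqlTcpPort      = 1433               # placeholder: port from the SQL Server error log
$SqlServiceName  = 'MSSQL$SQLSERVER'  # placeholder: MSSQL$<instance>; verify with Get-Service

# Allow the instance's TCP port only from VPN clients and only for the SQL service binary
New-NetFirewallRule -DisplayName 'SQL Server (VPN clients only)' -Direction Inbound `
    -Protocol TCP -LocalPort $SqlTcpPort -RemoteAddress $VpnClientSubnet `
    -Service $SqlServiceName -Profile Domain,Private -Action Allow

# SQL Browser answers "which port is instance X on" for Server\Instance connection strings
New-NetFirewallRule -DisplayName 'SQL Browser (VPN clients only)' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -RemoteAddress $VpnClientSubnet `
    -Profile Domain,Private -Action Allow

# Audit: enabled inbound allow rules that expose the SQL port to any remote address
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    if ($port.LocalPort -contains "$SqlTcpPort" -and $addr.RemoteAddress -eq 'Any') {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Profile = $_.Profile
            Remote  = $addr.RemoteAddress
        }
    }
}
```

The audit loop is the part to keep: the rule added for the SQL port should show up scoped to the VPN subnet, and any older rule listed with Remote = Any is broader than the VPN use case needs and can be narrowed the same way.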


  • 0
52 minutes ago, grunger106 said:

Ping the machine, not the SQL instance name.

 

Post the results of an IPConfig /all from the server

 

 

Sure, here you go.  Please let me know if you need anything else.

 

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\ITMGR>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : OSRVR
   Primary Dns Suffix  . . . . . . . : DISBLAS.local
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DISBLAS.local

Ethernet adapter NIC2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 50-9A-4C-8C-12-69
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 50-9A-4C-8C-12-68
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.20
                                       10.10.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{5034AC14-6B56-4398-B24C-B3A2C443B43F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D3821009-0C82-4ECE-BABF-1EECE6E28568}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\ITMGR>


  • 0
30 minutes ago, grunger106 said:

Can you ping OSRVR.DISBLAS.local from your VPN connected machine?

I tried pinging from the VPN connected machine and it failed.


  • 0

But if you ping 10.0.0.20 it works? If so you have a DNS issue over the tunnel.

I suspect this is the issue you're actually chasing.

If your SQL connection strings are pointing at something the machine can't resolve it ain't going to work.

 

There are some strange configs at play here.

I assume 10.0.0.1 is your Draytek device

I suspect this server is also a Domain Controller and DNS server, as well as a SQL Server (not recommended)

If I am correct that it's a DC then the DNS server settings on the NIC are incorrect: it should not be pointing to your Draytek device as a DNS server. Even if it's just a member server and the DC is elsewhere, it still shouldn't be pointing at a non-domain-integrated DNS server.

However someone might have stuck that there to make it 'work'

 

It sounds like you have a domain controller, but people logging into workstations with local accounts, mapping drives and then authenticating at that point.

And your SQL Authentication method is unknown, but based on the rest of this guesswork I'd bet it was SQLAuth.

 

This may 'function' but it's not right.

 

TBH there is enough wrong here that I don't think you're going to get this sorted over a forum post, did you set this up or did you have someone do it for you?

 

  • Like 1
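An added diagnostic script, not posted in this thread, that runs the checks grunger106 walks through from the VPN-connected client in one pass: ICMP to the server IP, name resolution through the client's own DNS servers and then forced at the domain DNS server over the tunnel, and TCP reachability of the SQL Server and SMB ports. The IP, host name and DNS suffix are taken from the ipconfig output above; TCP 1433 is an assumption (the real port for a named instance is in the SQL error log, as the OP already found).

```powershell
# Added diagnostic for this thread; run in PowerShell on the VPN-connected client.
# Assumed values (from the ipconfig output in the thread, except the SQL port):
#   server IP 10.0.0.20, FQDN OSRVR.DISBLAS.local, SQL on TCP 1433 (hypothetical),
#   SMB file shares on TCP 445.
param(
    [string]$ServerIp   = '10.0.0.20',
    [string]$ServerFqdn = 'OSRVR.DISBLAS.local',
    [int[]] $TcpPorts   = @(1433, 445)
)

$result = [ordered]@{}

# 1. Does the tunnel deliver packets at all? (the "can you ping 10.0.0.20" question)
$result.IcmpToIp = Test-Connection -ComputerName $ServerIp -Count 2 -Quiet

# 2. Which DNS servers is this client using, and do they resolve the server's name?
#    A VPN client still pointed at its home-router DNS cannot resolve DISBLAS.local,
#    which is the "DNS issue over the tunnel" described above.
$result.ClientDnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses }) -join ','
try {
    $a = Resolve-DnsName -Name $ServerFqdn -Type A -DnsOnly -ErrorAction Stop
    $result.NameViaClientDns = ($a | Where-Object Type -eq 'A').IPAddress -join ','
} catch {
    $result.NameViaClientDns = 'FAIL: ' + $_.Exception.Message
}

# 3. Same query, but asked directly of the DNS server on the domain controller.
#    If this succeeds while step 2 fails, the server is fine and the VPN client's
#    DNS configuration (or the tunnel's DNS push) is what needs fixing.
try {
    $b = Resolve-DnsName -Name $ServerFqdn -Type A -Server $ServerIp -ErrorAction Stop
    $result.NameViaServerDns = ($b | Where-Object Type -eq 'A').IPAddress -join ','
} catch {
    $result.NameViaServerDns = 'FAIL: ' + $_.Exception.Message
}

# 4. Are the service ports reachable through the server's host firewall?
#    ICMP succeeding while these fail points at the firewall rule (or the service
#    not listening on that port), not at routing over the tunnel.
foreach ($p in $TcpPorts) {
    $t = Test-NetConnection -ComputerName $ServerIp -Port $p -WarningAction SilentlyContinue
    $result["Tcp$p"] = $t.TcpTestSucceeded
}

[pscustomobject]$result | Format-List

# Note for the server side: when the inbound rule for the SQL port is created,
# restrict it to the VPN client subnet with New-NetFirewallRule -RemoteAddress
# rather than leaving the remote address as Any.
```

Read the output top down: IcmpToIp false means a tunnel or routing problem; IcmpToIp true with NameViaClientDns failing and NameViaServerDns succeeding means the client's DNS settings; everything resolving but Tcp1433/Tcp445 false means the host firewall or the service itself.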

This topic is now closed to further replies.