Configure server firewall to allow remote connections?


Question

M_Lyons10

Hi everyone!

I was hoping someone could help me with this.

I have a Windows Server 2016 device connected to a VPN router.

I can connect to the router, but I don't have access to anything on the server, so I believe this is a firewall issue on the server?

Does anyone know what should be configured in the firewall to allow remote / VPN connections?

I appreciate everyone's help!


Recommended Posts

grunger106

Can you ping anything on the subnet with your server?
What is your VPN config - what exactly are you doing?

M_Lyons10
11 minutes ago, grunger106 said:

Can you ping anything on the subnet with your server?
What is your VPN config - what exactly are you doing?

Thank you for your response.

I can ping the server from the remote machine. I haven't tried pinging a remote machine from the server, but I would imagine it would work; I can try that.

I have a server connected to the router and I'm VPN'ing in to the router. I can log into the router remotely and I can ping the server, but I do not have access to SQL Server on the server or any resources on the server (files, directories, etc.).

So I was assuming firewall, but I guess it could be something else? I've confirmed with the router company that it is configured properly.

M_Lyons10

Hi everyone!

I just wanted to post back and see if anyone could help me. I haven't been able to find much that was helpful and I would like to work remotely.

Thank you everyone in advance for your help!

+BudMan

You're going to have to provide more details.. So you are VPN'd into the router's VPN service - from where? What is this router you're running the VPN server on? Is it OpenVPN, IPsec? What?

So your local network, where the server is, is say 192.168.1/24; say the server IP is 192.168.1.100 for example, and this server points back to your router, let's say 192.168.1.1 for example, as its gateway.

Now your remote VPN client gets an IP, say 192.168.2.X/24. And he can ping 192.168.1.100?

If that is the case, more than likely the problem is with the local firewall on the server not allowing access to whatever services (SQL for example) from your VPN IP range 192.168.2/24.

M_Lyons10
On 3/19/2020 at 9:08 AM, BudMan said:

You're going to have to provide more details.. So you are VPN'd into the router's VPN service - from where? What is this router you're running the VPN server on? Is it OpenVPN, IPsec? What?

So your local network, where the server is, is say 192.168.1/24; say the server IP is 192.168.1.100 for example, and this server points back to your router, let's say 192.168.1.1 for example, as its gateway.

Now your remote VPN client gets an IP, say 192.168.2.X/24. And he can ping 192.168.1.100?

If that is the case, more than likely the problem is with the local firewall on the server not allowing access to whatever services (SQL for example) from your VPN IP range 192.168.2/24.

Sorry it took me so long, I wanted to get everything together to try to answer all of your questions.

1) I am remoting in from home, but we have several people that are attempting to do the same. We used to do this regularly before we had to upgrade our server & router.

2) The router at the office is a Draytek. It offers several different VPN options; right now I have been playing around with SSL since that worked with our old configuration.

3) The office network is 10.0.0.1. The home network (in this case) is 192.168.1.1.

4) When I connect to the VPN, the office network does give the computer an IP address (in this case 10.0.0.11).

5) When I'm connected via VPN, I can ping the server's IP address AND log in to the office's router.

I understand that it's likely the firewall, but how do I set that up so that I can remote in without making it too exposed? That's a concern of course. Also, what if someone tries to connect from a network using a different IP range? I won't have control over many of these networks and want to be able to have a VPN that works for them wherever they are.

And with this current Coronavirus thing, being able to work remotely is increasingly important, so I'm really hoping that I can get this straightened out.

I really appreciate all of your help and everything. I really, REALLY, appreciate it.

grunger106

A quick and dirty solution is to disable the Windows Firewall for a couple of minutes and test; that will prove one way or the other if it is the problem.

If your VPN IP pool is in the same subnet as your servers, I wouldn't expect it to be an issue though - you are, in the server's eyes, local to it.

You say you can ping the server's IP; can you ping the FQDN?
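A less disruptive way to get the same answer as switching the firewall off, added here as an example and not part of the thread: leave the firewall on, log the packets it drops, reproduce the failing connection from the VPN client, then read the log. It is PowerShell for the Windows Server 2016 host; it assumes the VPN client address 10.0.0.11 given earlier in the thread and the default log location.

```powershell
# Added example (not from the thread): log dropped inbound packets instead of
# switching the firewall off, then read the log for drops from the VPN client.
# Run in an elevated PowerShell on the Windows Server 2016 host.
# Assumptions: VPN client address 10.0.0.11 (from the thread); log file at the
# Windows default location.

$ClientIp = '10.0.0.11'
$LogFile  = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Log blocked packets on every profile (allowed packets stay unlogged to keep
#    the file small). All three profiles, because the client hits the server on
#    whichever profile the LAN adapter happens to be assigned to.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed False `
    -LogFileName $LogFile -LogMaxSizeKilobytes 16384

# Show which profile the LAN adapter is in and what each profile defaults to.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

# 2. Reproduce the failure from the VPN client (open the share, connect with
#    SSMS), then parse the log. Field order comes from the '#Fields:' header:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-DroppedInbound {
    param([string]$Path, [string]$SourceIp)
    Get-Content -Path $Path |
        Where-Object { $_ -notmatch '^#' -and $_ -match '\bDROP\b' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Protocol = $f[3]
                SrcIp    = $f[4]
                DstIp    = $f[5]
                DstPort  = $f[7]
                Path     = $f[-1]    # RECEIVE = inbound to this host
            }
        } |
        Where-Object { $_.SrcIp -eq $SourceIp -and $_.Path -eq 'RECEIVE' }
}

# Summarise which destination ports the client is being dropped on. If the host
# firewall is the culprit, expect TCP 445 (SMB) and TCP 1433 (SQL default
# instance); UDP 1434 (SQL Browser) shows up when a named instance is in use.
Get-DroppedInbound -Path $LogFile -SourceIp $ClientIp |
    Group-Object Protocol, DstPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Turn the logging back off once the question is answered.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked False
```

An empty result with the client still unable to connect means the firewall is not dropping the traffic and the problem is elsewhere (service not listening on TCP, name resolution, or authentication), which is exactly the information disabling the firewall would have given, without opening the server up meanwhile.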
+BudMan
2 hours ago, M_Lyons10 said:

I understand that it's likely the firewall, but how do I set that up so that I can remote in without making it too exposed?

How would it be exposed? It's behind your NAT router/firewall - you don't forward ports to it, right? You're VPN'd into your network...

>When I connect to the VPN, the office network does give the computer an IP address (in this case 10.0.0.11)

So you're running an OpenVPN client on your remote machine? You have set up a TAP connection if you're getting an IP on the same 10 network. Then if you can ping this server, at what IP?? I find it unlikely that it would allow you to ping but block SQL if you're on the same network as when you're at the office... You can connect to this SQL server when you're at the office.. Can you RDP to the server?
grunger106
2 minutes ago, BudMan said:

How would it be exposed? It's behind your NAT router/firewall - you don't forward ports to it, right? You're VPN'd into your network...

>When I connect to the VPN, the office network does give the computer an IP address (in this case 10.0.0.11)

So you're running an OpenVPN client on your remote machine? You have set up a TAP connection if you're getting an IP on the same 10 network. Then if you can ping this server, at what IP?? I find it unlikely that it would allow you to ping but block SQL if you're on the same network as when you're at the office... You can connect to this SQL server when you're at the office.. Can you RDP to the server?

I think the OP is SSL VPN'ing to his Draytek box; slightly unusual to have the SSL VPN client pool in the same subnet as the internal LAN, in my experience.
I don't know Draytek though.....

I agree with you though: if it really is the same subnet as the internal resources then it should work if it works internally - it can't not.

My guess is DNS resolution over the tunnel is incorrectly configured and that the SQL connection strings are referencing the server by name.

+BudMan
1 minute ago, grunger106 said:

My guess is DNS resolution over the tunnel is incorrectly configured and that the SQL connection strings are referencing the server by name.

Yup would be a good guess for sure.

grunger106
Just now, BudMan said:

Yup would be a good guess for sure.

And also they've not said, but I'd be willing to bet AD DS is in play; if SQL is using NT auth, a tunnel alone isn't going to authenticate you with Active Directory......

+BudMan
2 minutes ago, grunger106 said:

have the SSL VPN client pool in the same subnet as the internal lan in my experience.

Yeah it would be - this is TAP vs TUN setup... and very odd.. Could be he set up the wrong tunnel network to be the same as his remote network... And when he thinks he is pinging the server IP... he is just pinging something else..

If it's really an L2 setup, then look at your ARP table when you ping your server IP... is it the actual MAC of the server?
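The checks asked for above (does the FQDN resolve and via which DNS server, is the neighbour entry behind the ping the server's own MAC, and which ports actually answer), gathered into one script to run on the VPN client while connected. This is an added example, not code from the thread. The server address 10.0.0.5 and name SRV01.office.local are hypothetical placeholders; the client address 10.0.0.11 is the one given in the thread.

```powershell
# Added example (not from the thread): run on the VPN client while connected.
# Hypothetical values: server IP 10.0.0.5 and name SRV01.office.local; replace
# with the real ones. The client address 10.0.0.11 is the one from the thread.
$ServerIp   = '10.0.0.5'
$ServerFqdn = 'SRV01.office.local'

# 1. Which interface carries the VPN, and which DNS servers it was handed.
#    A tunnel that only lists the ISP's resolvers cannot resolve internal names,
#    so anything that uses the server's name (SQL connection strings, UNC paths)
#    fails even though ping-by-IP works.
Get-NetIPConfiguration |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# 2. Does the name resolve through the client's configured resolvers, and does
#    the internal DNS server answer for it when asked directly?
Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
Resolve-DnsName -Name $ServerFqdn -Type A -Server $ServerIp -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress

# 3. Is the ping really reaching the server? On a layer-2 (TAP-style) tunnel the
#    neighbour entry must show the server's real MAC, not the router's.
Test-Connection -ComputerName $ServerIp -Count 1 -Quiet
Get-NetNeighbor -IPAddress $ServerIp -ErrorAction SilentlyContinue |
    Select-Object IPAddress, LinkLayerAddress, State

# 4. Per-port TCP checks. RDP succeeding while SMB and SQL fail is the pattern
#    that points at a host firewall (or a service not listening) rather than at
#    routing or the tunnel.
$ServiceByPort = @{ 3389 = 'RDP'; 445 = 'SMB'; 1433 = 'SQL Server default instance' }
function Test-ServerPorts {
    param([string]$Target, [int[]]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $p
            Service = $ServiceByPort[$p]
            Open    = $r.TcpTestSucceeded
        }
    }
}
Test-ServerPorts -Target $ServerIp -Ports 3389, 445, 1433 | Format-Table -AutoSize

# 5. A named SQL instance is located via UDP 1434 (SQL Browser), which
#    Test-NetConnection cannot probe. Connect by IP,port instead, which takes
#    both name resolution and the Browser service out of the picture:
#    sqlcmd -S "$ServerIp,1433" -E -Q "SELECT @@SERVERNAME"
```

If step 2 resolves only when `-Server $ServerIp` is given, the tunnel is not pushing the office DNS server to the client; if step 4 shows 3389 open and 445/1433 closed, the server side (firewall rule scope or the service's TCP listener) is where to look next.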
M_Lyons10

Thank you both for your responses. I appreciate your help very much.

I want to try to answer some of the questions, but I also have a few if you don't mind.

@grunger106: By pinging the FQDN, do you mean pinging the hostname that resolves to the router IP? I have a DrayDNS-like service running on the server that resolves the IP should it change.

@BudMan: I am not forwarding ports to it, no. I appreciate your addressing that concern.

@BudMan & @grunger106: I apologize, but I'm not really clear on what you're talking about in your back and forth. Is there anything I can look up to help narrow the issue down? I will be in the office tomorrow for a little bit and can check whatever you need.

I did check on the router and I am showing as connected via VPN, so I should be on the network.

I took a closer look at ipconfig /all while connected to the VPN network remotely and, while the IPv4 address is 10.0.0.11 under the VPN connection, I noticed a few things that may or may not be an issue:

Under VPN Connection
    IPv4: 10.0.0.11
    Default Gateway: 0.0.0.0
    DNS Servers: 75.75.75.75, 75.75.76.76

Under Wireless LAN
    IPv4: 192.168.1.4
    Default Gateway: 192.168.1.1
    DHCP Server: 192.168.1.1
    DNS Servers: 192.168.1.1

When I ping the server, I am pinging its 10.0.0.x IP address and it is succeeding. I'm not sure what else I could be hitting with that ping though, as I'm connected to the router and can log into the dashboard.

I also CAN connect to the server via RDP. So I'm definitely connected to the network. But I cannot access SQL Server via the remote computer OR any of the file system. So, for instance, I can't access shared folders / files on the server.

How would I confirm that the DNS resolution over the tunnel is configured properly? Draytek did take a look at the setup and told me it was correct, but we all may have missed something, so I'm happy to check anything anyone thinks might be a factor. The SQL connection string IS referencing the server by name as well, but it did that under our old VPN setup as well. Is there a different way this should be done? I figured since we didn't have access to any of the file system on the server, that that was why we couldn't VPN?

I hope that all helps. I want to thank you both again for all of your help. If you want me to look up anything in particular, please let me know and I'll check it for you.

+BudMan
19 minutes ago, M_Lyons10 said:

DNS Servers 75.75.75.75, 75.75.76.76

That is Comcast; how would that resolve the FQDN of some server at your work?

If you can ping it and RDP to it.. but you can not access file shares or SQL, then that SCREAMS it's the server's firewall - fix it... Your problem has nothing to do with your VPN connection, since clearly you're connected and can talk to this IP..

As to DNS.. try and ping the server's FQDN - does it resolve to its IP? If not then you have a DNS issue.. Your VPN should point your client to your local DNS that resolves all your local stuff at work.. Do you have that?

RDP into your server and fix the firewall.. Show us the settings..
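What "fix the firewall" looks like on the server, as an added example that is not from the thread: first check that SMB and SQL are listening at all, then list the enabled inbound allow rules that actually cover TCP 445 and 1433 together with their profile and remote-address scope, then add rules scoped to the VPN range rather than "Any". Scoping the remote address and the program is also the answer to the earlier worry about leaving the server too exposed. Assumptions, none of which come from the thread: SQL Server default instance on TCP 1433, its executable at the stock SQL Server 2017 path, and VPN clients landing in 10.0.0.0/24 (the thread shows a client at 10.0.0.11 on the LAN subnet; if the Draytek hands out a separate pool, use that range instead).

```powershell
# Added example (not from the thread): run in an elevated PowerShell on the
# Windows Server 2016 host. Assumptions: SQL default instance on TCP 1433,
# sqlservr.exe at the stock SQL Server 2017 path (hypothetical here), VPN
# clients in 10.0.0.0/24 (the thread shows 10.0.0.11).
$VpnRange = '10.0.0.0/24'
$SqlExe   = 'C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'

# 1. Is anything listening? No listener on 1433 means SQL is not enabled for
#    TCP/IP (SQL Server Configuration Manager), which no firewall rule fixes.
Get-NetTCPConnection -State Listen |
    Where-Object LocalPort -in 445, 1433, 3389 |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Which *enabled* inbound allow rules cover a port, on which profile, and
#    from which remote addresses. Compare against the profile the LAN adapter
#    is in: a rule that applies to Domain only does nothing if the NIC is Public.
function Get-InboundAllowRules {
    param([int]$Port)
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and
                       ($_.LocalPort -eq $Port -or $_.LocalPort -eq 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and
                       $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
foreach ($p in 445, 1433) {
    "--- rules admitting TCP $p ---"
    Get-InboundAllowRules -Port $p | Format-Table -AutoSize
}

# 3. Add rules that admit only the VPN/LAN range, tied to the serving program,
#    instead of the Any/Any defaults. Re-running is safe: a rule with the same
#    display name is replaced.
$rules = @(
    @{ Name = 'VPN - SQL Server (TCP 1433)'; Port = 1433; Program = $SqlExe }
    @{ Name = 'VPN - SMB (TCP 445)';         Port = 445;  Program = 'System' }
)
foreach ($r in $rules) {
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $VpnRange `
        -Program $r.Program -Profile Domain, Private | Out-Null
}
# A named SQL instance also needs UDP 1434 (SQL Browser) with the same
# -RemoteAddress scope.

# 4. Confirm the new rules are now among those that apply.
foreach ($p in 445, 1433) { Get-InboundAllowRules -Port $p | Format-Table -AutoSize }
```

Step 2 is worth running before adding anything: if a built-in rule such as "File and Printer Sharing (SMB-In)" is already enabled for the active profile with remote address Any, the firewall is not what is blocking 445 and the cause lies with the service or with authentication rather than with the rule set.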
M_Lyons10
Posted (edited)
23 minutes ago, BudMan said:

That is Comcast; how would that resolve the FQDN of some server at your work?

If you can ping it and RDP to it.. but you can not access file shares or SQL, then that SCREAMS it's the server's firewall - fix it... Your problem has nothing to do with your VPN connection, since clearly you're connected and can talk to this IP..

As to DNS.. try and ping the server's FQDN - does it resolve to its IP? If not then you have a DNS issue.. Your VPN should point your client to your local DNS that resolves all your local stuff at work.. Do you have that?

RDP into your server and fix the firewall.. Show us the settings..

Thank you. I figured that it probably was the firewall. Comcast is the internet provider at the office.

I'm genuinely not sure what settings would need to be changed. Per your request, here are some pictures of the firewall settings.

I exported the settings because I wasn't sure how to get everything in a screen grab.

 

Name    Group    Profile    Enabled    Action    Override    Program    Local Address    Remote Address    Protocol    Local Port    Remote Port    Authorized Users    Authorized Computers    Authorized Local Principals    Local User Owner    Application Package   
MSMPI-LaunchSvc        All    Yes    Allow    No    C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
MSMPI-MPIEXEC        All    Yes    Allow    No    C:\Program Files\Microsoft MPI\Bin\mpiexec.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
MSMPI-SMPD        All    Yes    Allow    No    C:\Program Files\Microsoft MPI\Bin\smpd.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any        
Active Directory Domain Controller -  Echo Request (ICMPv4-In)    Active Directory Domain Services    All    Yes    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller -  Echo Request (ICMPv6-In)    Active Directory Domain Services    All    Yes    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - LDAP (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    389    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - LDAP (UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    UDP    389    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    3268    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - NetBIOS name resolution (UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - SAM/LSA (NP-TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - SAM/LSA (NP-UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    System    Any    Any    UDP    445    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - Secure LDAP (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    636    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    3269    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller - W32Time (NTP-UDP-In)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\svchost.exe    Any    Any    UDP    123    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller (RPC)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Active Directory Domain Controller (RPC-EPMAP)    Active Directory Domain Services    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Active Directory Web Services (TCP-In)    Active Directory Web Services    All    Yes    Allow    No    %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe    Any    Any    TCP    9389    Any    Any    Any    Any    Any    Any    
AllJoyn Router (TCP-In)    AllJoyn Router    Domain, Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    9955    Any    Any    Any    Any    Any    Any    
AllJoyn Router (UDP-In)    AllJoyn Router    Domain, Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Border Gateway Protocol (BGP-In)    Border Gateway Protocol (BGP)    All    No    Allow    No    %Systemroot%\system32\svchost.exe    Any    Any    TCP    179    Any    Any    Any    Any    Any    Any    
BranchCache Content Retrieval (HTTP-In)    BranchCache - Content Retrieval (Uses HTTP)    All    No    Allow    No    SYSTEM    Any    Any    TCP    80    Any    Any    Any    Any    Any    Any    
BranchCache Hosted Cache Server (HTTP-In)    BranchCache - Hosted Cache Server (Uses HTTPS)    All    No    Allow    No    SYSTEM    Any    Any    TCP    80, 443    Any    Any    Any    Any    Any    Any    
BranchCache Peer Discovery (WSD-In)    BranchCache - Peer Discovery (Uses WSD)    All    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Cast to Device functionality (qWave-TCP-In)    Cast to Device functionality    Private, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    PlayTo Renderers    TCP    2177    Any    Any    Any    Any    Any    Any    
Cast to Device functionality (qWave-UDP-In)    Cast to Device functionality    Private, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    PlayTo Renderers    UDP    2177    Any    Any    Any    Any    Any    Any    
Cast to Device SSDP Discovery (UDP-In)    Cast to Device functionality    Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    PlayTo Discovery    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (HTTP-Streaming-In)    Cast to Device functionality    Domain    Yes    Allow    No    System    Any    Any    TCP    10246    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (HTTP-Streaming-In)    Cast to Device functionality    Public    Yes    Allow    No    System    Any    PlayTo Renderers    TCP    10246    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (HTTP-Streaming-In)    Cast to Device functionality    Private    Yes    Allow    No    System    Any    Local subnet    TCP    10246    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTCP-Streaming-In)    Cast to Device functionality    Private    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Local subnet    UDP    Any    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTCP-Streaming-In)    Cast to Device functionality    Domain    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTCP-Streaming-In)    Cast to Device functionality    Public    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    PlayTo Renderers    UDP    Any    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTSP-Streaming-In)    Cast to Device functionality    Public    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    PlayTo Renderers    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTSP-Streaming-In)    Cast to Device functionality    Domain    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Any    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Cast to Device streaming server (RTSP-Streaming-In)    Cast to Device functionality    Private    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Local subnet    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Cast to Device UPnP Events (TCP-In)    Cast to Device functionality    Public    Yes    Allow    No    System    Any    PlayTo Renderers    TCP    2869    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-DCOM-IN)    Certification Authority    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-EPMAP-IN)    Certification Authority    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-NP-IN)    Certification Authority    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-TCP-IN)    Certification Authority    All    Yes    Allow    No    %systemroot%\system32\certsrv.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
COM+ Network Access (DCOM-In)    COM+ Network Access    All    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
COM+ Remote Administration (DCOM-In)    COM+ Remote Administration    All    No    Allow    No    %systemroot%\system32\dllhost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Core Networking - Destination Unreachable (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Dynamic Host Configuration Protocol (DHCP-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    68    67    Any    Any    Any    Any    Any    
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    546    547    Any    Any    Any    Any    Any    
Core Networking - Internet Group Management Protocol (IGMP-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    IGMP    Any    Any    Any    Any    Any    Any    Any    
Core Networking - IPHTTPS (TCP-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    TCP    IPHTTPS    Any    Any    Any    Any    Any    Any    
Core Networking - IPv6 (IPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    IPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Done (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Query (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Report (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Report v2 (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Packet Too Big (ICMPv6-In)    Core Networking    All    Yes    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Parameter Problem (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Router Advertisement (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    fe80::/64    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Router Solicitation (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Teredo (UDP-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    Edge Traversal    Any    Any    Any    Any    Any    Any    
Core Networking - Time Exceeded (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Cortana    Cortana    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.windows.cortana_cw5n1h2txyewy    
Cortana    Cortana    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\ITMGR    microsoft.windows.cortana_cw5n1h2txyewy    
DFS Management (DCOM-In)    DFS Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
DFS Management (SMB-In)    DFS Management    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
DFS Management (TCP-In)    DFS Management    All    Yes    Allow    No    %systemroot%\system32\dfsfrsHost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DFS Management (WMI-In)    DFS Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DFS Replication (RPC-EPMAP)    DFS Replication    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
DFS Replication (RPC-In)    DFS Replication    All    Yes    Allow    No    %SystemRoot%\system32\dfsrs.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DHCPv4 Relay Agent [Client] (UDP-In)    DHCP Relay Agent    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    67    Any    Any    Any    Any    Any    Any    
DHCP Server v4 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    67    Any    Any    Any    Any    Any    Any    
DHCP Server v4 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    68    Any    Any    Any    Any    Any    Any    
DHCP Server v6 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    546    Any    Any    Any    Any    Any    Any    
DHCP Server v6 (UDP-In)    DHCP Server    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    547    Any    Any    Any    Any    Any    Any    
DHCP Server - Remote Service Management using SCM (RPC-in)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\services.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DHCP Server (RPC-In)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
DHCP Server (RPCSS-In)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
DHCP Server (SMB-In)    DHCP Server Management    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
DHCP Server Failover (TCP-In)    DHCP Server Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    647    Any    Any    Any    Any    Any    Any    
DHCPv6 Relay Agent [Server] (UDP-In)    DHCPv6 Relay Agent    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    547    Any    Any    Any    Any    Any    Any    
DIAL protocol server (HTTP-In)    DIAL protocol server    Domain    Yes    Allow    No    System    Any    Any    TCP    10247    Any    Any    Any    Any    Any    Any    
DIAL protocol server (HTTP-In)    DIAL protocol server    Private    Yes    Allow    No    System    Any    Local subnet    TCP    10247    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC)    Distributed Transaction Coordinator    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC-EPMAP)    Distributed Transaction Coordinator    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (TCP-In)    Distributed Transaction Coordinator    All    No    Allow    No    %SystemRoot%\system32\msdtc.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
DNS (TCP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\System32\dns.exe    Any    Any    TCP    53    Any    Any    Any    Any    Any    Any    
DNS (UDP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\System32\dns.exe    Any    Any    UDP    53    Any    Any    Any    Any    Any    Any    
RPC (TCP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\System32\dns.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
RPC Endpoint Mapper (TCP, Incoming)    DNS Service    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv4-In)    File and Printer Sharing    All    Yes    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv6-In)    File and Printer Sharing    All    Yes    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (LLMNR-UDP-In)    File and Printer Sharing    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Datagram-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Name-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Session-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    TCP    139    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (SMB-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC)    File and Printer Sharing    All    Yes    Allow    No    %SystemRoot%\system32\spoolsv.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC-EPMAP)    File and Printer Sharing    All    Yes    Allow    No    Any    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File and Printer Sharing over SMBDirect (iWARP-In)    File and Printer Sharing over SMBDirect    All    No    Allow    No    System    Any    Any    TCP    5445    Any    Any    Any    Any    Any    Any    
File Replication (RPC)    File Replication    All    Yes    Allow    No    %SystemRoot%\system32\NTFRS.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
File Replication (RPC-EPMAP)    File Replication    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File Server Remote Management (DCOM-In)    File Server Remote Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
File Server Remote Management (SMB-In)    File Server Remote Management    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
File Server Remote Management (WMI-In)    File Server Remote Management    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
iSCSI Service (TCP-In)    iSCSI Service    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center - PCR (TCP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    464    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center - PCR (UDP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    UDP    464    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center (TCP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    TCP    88    Any    Any    Any    Any    Any    Any    
Kerberos Key Distribution Center (UDP-In)    Kerberos Key Distribution Center    All    Yes    Allow    No    %systemroot%\System32\lsass.exe    Any    Any    UDP    88    Any    Any    Any    Any    Any    Any    
Key Management Service (TCP-In)    Key Management Service    All    No    Allow    No    %SystemRoot%\system32\sppextcomobj.exe    Any    Any    TCP    1688    Any    Any    Any    Any    Any    Any    
mDNS (UDP-In)    mDNS    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Microsoft Key Distribution Service    Microsoft Key Distribution Service    All    Yes    Allow    No    %systemroot%\system32\lsass.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Microsoft Key Distribution Service    Microsoft Key Distribution Service    All    Yes    Allow    No    %systemroot%\system32\lsass.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Netlogon Service (NP-In)    Netlogon Service    All    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Netlogon Service Authz (RPC)    Netlogon Service    All    No    Allow    No    %SystemRoot%\System32\lsass.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Network Discovery (LLMNR-UDP-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
Network Discovery (LLMNR-UDP-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Datagram-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Datagram-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Name-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Name-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
Network Discovery (Pub-WSD-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (Pub-WSD-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (SSDP-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Network Discovery (SSDP-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Network Discovery (UPnP-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    TCP    2869    Any    Any    Any    Any    Any    Any    
Network Discovery (UPnP-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    TCP    2869    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD Events-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    TCP    5357    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD Events-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    TCP    5357    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD EventsSecure-In)    Network Discovery    Domain, Public    Yes    Allow    No    System    Any    Any    TCP    5358    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD EventsSecure-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Any    TCP    5358    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD-In)    Network Discovery    Domain, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (DCOM-In)    Performance Logs and Alerts    Domain    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (DCOM-In)    Performance Logs and Alerts    Private, Public    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Local subnet    TCP    135    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (TCP-In)    Performance Logs and Alerts    Domain    No    Allow    No    %systemroot%\system32\plasrv.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (TCP-In)    Performance Logs and Alerts    Private, Public    No    Allow    No    %systemroot%\system32\plasrv.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Remote Access Management (DCOM-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Access Management (NP-In)    Remote Access    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Access Management (NPS-RPC-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\iashost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Management (RRAS-RPC-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\remrras.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Management (Services-RPC-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\services.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Management (WMI-In)    Remote Access    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Access Quarantine (TCP-In)    Remote Access Quarantine    All    Yes    Allow    No    %systemroot%\system32\rqs.exe    Any    Any    TCP    7250    Any    Any    Any    Any    Any    Any    
Remote Desktop - Shadow (TCP-In)    Remote Desktop    All    Yes    Allow    No    %SystemRoot%\system32\RdpSa.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Remote Desktop - User Mode (TCP-In)    Remote Desktop    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    3389    Any    Any    Any    Any    Any    Any    
Remote Desktop - User Mode (UDP-In)    Remote Desktop    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    3389    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (NP-In)    Remote Event Log Management    All    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC)    Remote Event Log Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC-EPMAP)    Remote Event Log Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Event Monitor (RPC)    Remote Event Monitor    All    No    Allow    No    %SystemRoot%\system32\NetEvtFwdr.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Monitor (RPC-EPMAP)    Remote Event Monitor    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC)    Remote Scheduled Tasks Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC-EPMAP)    Remote Scheduled Tasks Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Service Management (NP-In)    Remote Service Management    All    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC)    Remote Service Management    All    No    Allow    No    %SystemRoot%\system32\services.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC-EPMAP)    Remote Service Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Inbound Rule for Remote Shutdown (RPC-EP-In)    Remote Shutdown    All    No    Allow    No    %systemroot%\system32\wininit.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Inbound Rule for Remote Shutdown (TCP-In)    Remote Shutdown    All    No    Allow    No    %systemroot%\system32\wininit.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service (RPC)    Remote Volume Management    All    No    Allow    No    %SystemRoot%\system32\vds.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service Loader (RPC)    Remote Volume Management    All    No    Allow    No    %SystemRoot%\system32\vdsldr.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management (RPC-EPMAP)    Remote Volume Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (GRE-In)    Routing and Remote Access    All    Yes    Allow    No    System    Any    Any    GRE    Any    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (L2TP-In)    Routing and Remote Access    All    Yes    Allow    No    System    Any    Any    UDP    1701    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (PPTP-In)    Routing and Remote Access    All    Yes    Allow    No    System    Any    Any    TCP    1723    Any    Any    Any    Any    Any    Any    
Routing Information Protocol (RIP-In)    Routing Information Protocol (RIP)    All    No    Allow    No    %Systemroot%\system32\svchost.exe    Any    Any    UDP    520    Any    Any    Any    Any    Any    Any    
Secure Socket Tunneling Protocol (SSTP-In)    Secure Socket Tunneling Protocol    All    Yes    Allow    No    System    Any    Any    TCP    443    Any    Any    Any    Any    Any    Any    
World Wide Web Services (HTTPS Traffic-In)    Secure World Wide Web Services (HTTPS)    All    Yes    Allow    No    System    Any    Any    TCP    443    Any    Any    Any    Any    Any    Any    
SNMP Trap Service (UDP In)    SNMP Trap    Private, Public    No    Allow    No    %SystemRoot%\system32\snmptrap.exe    Any    Local subnet    UDP    162    Any    Any    Any    Any    Any    Any    
SNMP Trap Service (UDP In)    SNMP Trap    Domain    No    Allow    No    %SystemRoot%\system32\snmptrap.exe    Any    Any    UDP    162    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (DCOM-In)    TPM Virtual Smart Card Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    135    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (DCOM-In)    TPM Virtual Smart Card Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (TCP-In)    TPM Virtual Smart Card Management    Private, Public    No    Allow    No    %SystemRoot%\system32\RmtTpmVscMgrSvr.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (TCP-In)    TPM Virtual Smart Card Management    Domain    No    Allow    No    %SystemRoot%\system32\RmtTpmVscMgrSvr.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (DCOM-In)    Virtual Machine Monitoring    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (Echo Request - ICMPv4-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (Echo Request - ICMPv6-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (NB-Session-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    TCP    139    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (RPC)    Virtual Machine Monitoring    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Backup (RPC)    Windows Backup    All    Yes    Allow    No    %systemroot%\system32\wbengine.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Backup (RPC-EPMAP)    Windows Backup    All    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC)    Windows Firewall Remote Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC-EPMAP)    Windows Firewall Remote Management    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (ASync-In)    Windows Management Instrumentation (WMI)    All    Yes    Allow    No    %systemroot%\system32\wbem\unsecapp.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (DCOM-In)    Windows Management Instrumentation (WMI)    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (WMI-In)    Windows Management Instrumentation (WMI)    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player (UDP-In)    Windows Media Player    All    No    Allow    No    %ProgramFiles%\Windows Media Player\wmplayer.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player x86 (UDP-In)    Windows Media Player    All    No    Allow    No    %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Remote Management (HTTP-In)    Windows Remote Management    Domain, Private    Yes    Allow    No    System    Any    Any    TCP    5985    Any    Any    Any    Any    Any    Any    
Windows Remote Management (HTTP-In)    Windows Remote Management    Public    Yes    Allow    No    System    Any    Local subnet    TCP    5985    Any    Any    Any    Any    Any    Any    
Windows Remote Management - Compatibility Mode (HTTP-In)    Windows Remote Management (Compatibility)    All    No    Allow    No    System    Any    Any    TCP    80    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Certificate Web Service    Windows Server Essentials    All    Yes    Allow    No    System    Any    Any    TCP    65500    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Computer Backup    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    TCP    8912    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Connect Computer Web site    Windows Server Essentials    All    Yes    Allow    No    System    Any    Any    TCP    80, 443    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Discovery    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    UDP    8912    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Mac Web Service    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    TCP    65520    Any    Any    Any    Any    Any    Any    
Windows Server Essentials Provider Framework    Windows Server Essentials    All    Yes    Allow    No    Any    Any    Any    TCP    6602    Any    Any    Any    Any    Any    Any    
Work or school account    Work or school account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.aad.brokerplugin_cw5n1h2txyewy    
Work or school account    Work or school account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\ITMGR    microsoft.aad.brokerplugin_cw5n1h2txyewy    
Work or school account    Work or school account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.aad.brokerplugin_cw5n1h2txyewy    
World Wide Web Services (HTTP Traffic-In)    World Wide Web Services (HTTP)    All    Yes    Allow    No    System    Any    Any    TCP    80    Any    Any    Any    Any    Any    Any    
Your account    Your account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\ITMGR    microsoft.windows.cloudexperiencehost_cw5n1h2txyewy    
Your account    Your account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.windows.cloudexperiencehost_cw5n1h2txyewy    
Your account    Your account    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    OSRVR\Administrator    microsoft.windows.cloudexperiencehost_cw5n1h2txyewy    

 

Is this what you needed?  Those are the inbound rules.  Thank you again.

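An added example, not code from the thread, that reads an inbound-rule list in the tab-separated form posted above and reports which enabled Allow rules accept connections from any remote address on ports relevant to remote access (SMB, RDP, RPC, SQL, WinRM). It assumes the column order is the one the Windows Firewall with Advanced Security console uses for Export List (17 columns; the paste above shows the tab separators as runs of spaces, so both are accepted). The sample rows are copied from the posted list; a real run would read the whole exported file.

```powershell
# Added example (not from the thread): audit a pasted "Export List" of Windows
# Firewall inbound rules and list enabled Allow rules that accept traffic from
# ANY remote address on ports that matter for remote access.
# Assumption: 17 columns in the console's Export List order, tab-separated
# (runs of two or more spaces are accepted too, which is how the paste reads).

$Columns = 'Name','Group','Profile','Enabled','Action','Override','Program',
           'LocalAddress','RemoteAddress','Protocol','LocalPort','RemotePort',
           'AuthorizedUsers','AuthorizedComputers','AuthorizedLocalPrincipals',
           'LocalUserOwner','ApplicationPackage'

# Four rows copied from the list posted above; replace with Get-Content of the export file.
$SampleExport = @'
File and Printer Sharing (SMB-In)    File and Printer Sharing    All    Yes    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any
Remote Desktop - User Mode (TCP-In)    Remote Desktop    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    3389    Any    Any    Any    Any    Any    Any
Network Discovery (LLMNR-UDP-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any
Windows Remote Management (HTTP-In)    Windows Remote Management    Public    Yes    Allow    No    System    Any    Local subnet    TCP    5985    Any    Any    Any    Any    Any    Any
'@

function ConvertFrom-FirewallExport {
    # Turn each line of the export into an object whose properties are the column names.
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line -split "`t| {2,}"
        if ($fields.Count -lt $Columns.Count) { continue }   # header row or broken line
        $rule = [ordered]@{}
        for ($i = 0; $i -lt $Columns.Count; $i++) { $rule[$Columns[$i]] = $fields[$i].Trim() }
        [pscustomobject]$rule
    }
}

function Find-OpenInboundRules {
    # Enabled Allow rules reachable from any remote address on one of the watched local ports.
    param(
        [object[]]$Rules,
        [string[]]$WatchPorts = @('445','3389','135','1433','5985','RPC Dynamic Ports')
    )
    $Rules | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' -and $_.RemoteAddress -eq 'Any' -and
        (@($_.LocalPort -split ',\s*' | Where-Object { $WatchPorts -contains $_ }).Count -gt 0)
    }
}

$rules = ConvertFrom-FirewallExport -Text $SampleExport
Find-OpenInboundRules -Rules $rules |
    Format-Table Name, Profile, Protocol, LocalPort, RemoteAddress -AutoSize
```

Rules whose remote address is "Local subnet" are left out on purpose: they only match a VPN client if the VPN hands out addresses from the LAN's own subnet, so they are the first place to look when a remote client can reach one service but not another. Conversely, a rule such as SMB-In that is enabled on all profiles with remote address Any means the host firewall is not what stops a VPN client from reaching shares, which is what the next reply says.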
  • 0
grunger106

^ Exactly (Budman)

 

You have a non-domain joined device with a VPN connection, the VPN aspect appears to be functional

You may find no issues with your internal firewall as you are local in networking terms

 

In real terms what you're doing is rocking up to your office with an unknown device and plugging it into your local network but with DNS servers configured that have no ability to resolve local host names.

Unless 'yourserver.yourdomain.local' is resolvable by 75.75.75.75 any query to it will fail.

You need a config on the VPN device where it knows yourdomain.local, and knows to forward any DNS queries to yourdomain.local to your internal DNS

 

I suspect if you attempt to ping your server by FQDN - server1.yourdomain.local (or whatever) it will fail, I suspect your app that talks to SQL will be looking for SQLserver.yourdomain.local and won't be able to resolve it.

 

This is pretty easy to resolve (ahem pun not intended)

 

However what is less trivial is if your SQL server is using NTLM for authentication, as your non-domain joined devices will not be logging on to your domain, even if the DNS resolves correctly

Attempts to connect to a shared drive will prompt for a login, and will work.

SQL won't and will likely throw an SSPI context failure.

 

EDIT: I don't see SQL in there at all, does it work internally?

  • 0
M_Lyons10
7 minutes ago, grunger106 said:

^ Exactly (Budman)

 

You have a non-domain joined device with a VPN connection, the VPN aspect appears to be functional

You may find no issues with your internal firewall as you are local in networking terms

 

In real terms what you're doing is rocking up to your office with an unknown device and plugging it into your local network but with DNS servers configured that have no ability to resolve local host names.

Unless 'yourserver.yourdomain.local' is resolvable by 75.75.75.75 any query to it will fail.

You need a config on the VPN device where it knows yourdomain.local, and knows to forward any DNS queries to yourdomain.local to your internal DNS

 

I suspect if you attempt to ping your server by FQDN - server1.yourdomain.local (or whatever) it will fail, I suspect your app that talks to SQL will be looking for SQLserver.yourdomain.local and won't be able to resolve it.

 

This is pretty easy to resolve (ahem pun not intended)

 

However what is less trivial is if your SQL server is using NTLM for authentication, as your non-domain joined devices will not be logging on to your domain, even if the DNS resolves correctly

Attempts to connect to a shared drive will prompt for a login, and will work.

SQL won't and will likely throw an SSPI context failure.

 

EDIT: I don't see SQL in there at all, does it work internally?

Yes, SQL works internally.  That was just the inbound rules.  I assumed that would be what was needed, but I can post the rest if need be.

 

I have to apologize on a lot of the rest that you posted because much of it is over my head...  So, I'm sorry if I don't quite understand certain things.

  • 0
grunger106

When you say SQL - how does this work, you have an application that connects to SQL server I assume, how exactly does it know what to connect to and how to auth?

I'm assuming your internal machines are domain joined? As in you login to them and this login is processed by a domain controller.

 

I suspect your current issue is a lack of internal DNS resolution over your tunnel - as in your VPN client devices cannot resolve your internal machine names - this is solvable.

 

What is the internal DNS server pushed to client devices - it can either be the DNS server you use internally or can be the VPN device as long as it has a forwarder to your internal DNS for lookups on the internal domain name.

Whatever and however your VPN clients need to be able to resolve yourserver.yourinternaldomain.com

 

Solving that is step 1, fix that first.

 

However once you solve that I suspect you will have different issues as your client devices will not have been authenticated.

 

For example you login to a local domain joined PC with UserA@yourdomain - AD auths you via a domain controller (DC), and SQL knows AD and auths you too, all is well.

If you were to plug in some random laptop, your login would be whatever was local to that laptop. You'd get internet access (as based on the description I doubt there'd be anything to stop you getting an IP and Gateway) but you've never authenticated with the DC, so SQL will not know who you are and will fail to auth you.

 

 

Edit: If your SQL app is using SQL authentication rather than NTLM authentication it will be work-roundable (although not something I do)

  • 0
M_Lyons10
15 hours ago, grunger106 said:

When you say SQL - how does this work, you have an application that connects to SQL server I assume, how exactly does it know what to connect to and how to auth?

I'm assuming your internal machines are domain joined? As in you login to them and this login is processed by a domain controller.

 

I suspect your current issue is a lack of internal DNS resolution over your tunnel - as in your VPN client devices cannot resolve your internal machine names - this is solvable.

 

What is the internal DNS server pushed to client devices - it can either be the DNS server you use internally or can be the VPN device as long as it has a forwarder to your internal DNS for lookups on the internal domain name.

Whatever and however your VPN clients need to be able to resolve yourserver.yourinternaldomain.com

 

Solving that is step 1, fix that first.

 

However once you solve that I suspect you will have different issues as your client devices will not have been authenticated.

 

For example you login to a local domain joined PC with UserA@yourdomain - AD auths you via a domain controller (DC), and SQL knows AD and auths you too, all is well.

If you were to plug in some random laptop, your login would be whatever was local to that laptop. You'd get internet access (as based on the description I doubt there'd be anything to stop you getting an IP and Gateway) but you've never authenticated with the DC, so SQL will not know who you are and will fail to auth you.

 

 

Edit: If your SQL app is using SQL authentication rather than NTLM authentication it will be work-roundable (although not something I do)

Thank you.

 

From what you're describing it doesn't sound like the workstations are joined because we don't log in with a User@yourdomain.  We log into Windows normally and then it connects to the network.  I believe when it was being set up they went to a network drive and logged into the server when prompted, saving those credentials on the workstation.  I'm not sure why they chose to set it up that way now, but I remember there being a reason...

 

We have several programs that rely on SQL databases.  They all use a connection string to connect to the SQL server and to the designated database.  This works flawlessly in the office and used to work flawlessly over VPN as well until we upgraded everything.

 

With regards to the DNS issue, would that allow me to connect and RDP to the server, but not allow the computers to access network resources?  How would I correct that and would that need to be corrected on the router, the server, or the workstation?  I can reach out to Draytek also for some clarification and to ask if they could look at that for me.

 

Thank you again for your help.

  • 0
grunger106

What is the SQL server name in the connection string?

 

Ping that from your VPN joined machine, does it work?

  • 0
M_Lyons10
30 minutes ago, grunger106 said:

What is the SQL server name in the connection string?

 

Ping that from your VPN joined machine, does it work?

There are a couple of SQL Servers on the server.  The one I've been working on here is called "SQLServer". 

 

I tried pinging the named instance of SQL Server from the remote machine but didn't have any luck.  That isn't something I've ever done before, so I did look up some examples and tried them all.  Here's what I tried:

 

ping 10.0.0.x\SQLServer

ping Server\SQLServer

ping 10.0.0.x,1433

 

If the examples I saw online were wrong and you want me to try something specific, please let me know.

 

I also checked in the SQL Server logs to see what TCP port SQL was using and I created a rule in the firewall allowing access to that port, but still can't connect to SQL Server with the remote machine.  Though that won't of course have any effect on access to files and folders on the server...

 

Thank you again,

  • 0
grunger106

Ping the machine, not the SQL instance name.

 

Post the results of an IPConfig /all from the server

 

 

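An added example, not code from the thread or from the Draytek or Windows documentation, that runs the checks grunger106 has been asking for from the VPN-connected client, in the order the layers stack: whether the internal DNS server can resolve the server's FQDN, which DNS servers the client actually has, whether TCP to the share, RDP and SQL ports opens, and, because a named SQL instance is not a host and cannot be pinged (the `ping 10.0.0.x\SQLServer` attempts above), asking the SQL Server Browser service on UDP 1434 which port the instance listens on. The host name, domain suffix, internal DNS address and instance name are the ones that appear in this thread; treat them as placeholders for your own network.

```powershell
# Added example (not from the thread). Run on the VPN-connected client.
# Values below are taken from this thread (OSRVR, DISBLAS.local, 10.0.0.20,
# instance "SQLServer") and are placeholders for any other network.
$ServerHost  = 'OSRVR'
$Domain      = 'DISBLAS.local'
$InternalDns = '10.0.0.20'
$Instance    = 'SQLServer'
$Fqdn        = "$ServerHost.$Domain"

# 1) Ask the internal DNS server directly, bypassing whatever resolver the client was given.
#    If this works but a plain "ping $Fqdn" fails, the VPN is not pushing/forwarding internal DNS.
function Test-InternalName {
    param([string]$Name, [string]$DnsServer)
    try {
        $rec = Resolve-DnsName -Name $Name -Server $DnsServer -Type A -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; ViaServer = $DnsServer; Resolved = $true
                           Address = (($rec | Where-Object Type -eq 'A').IPAddress -join ',') }
    } catch {
        [pscustomobject]@{ Name = $Name; ViaServer = $DnsServer; Resolved = $false; Address = $null }
    }
}

# 2) Which DNS servers does this client really use? A VPN interface that only carries a
#    public resolver (the 75.75.75.75 case above) can never answer for the .local zone.
function Get-ClientDnsServers {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses
}

# 3) Plain TCP reachability: SMB for shares, RDP, and the default SQL port.
function Test-ServicePorts {
    param([string]$Target, [int[]]$Ports = @(445, 3389, 1433))
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $p; TcpOpen = $t.TcpTestSucceeded }
    }
}

# 4) SQL Server Browser (UDP 1434): send 0x04 + instance name, get back a string such as
#    "ServerName;OSRVR;InstanceName;SQLSERVER;IsClustered;No;Version;...;tcp;1433;;"
#    and pull out the port after the "tcp" token. A named instance is often NOT on 1433.
function Get-SqlInstancePort {
    param([string]$Target, [string]$InstanceName)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 3000
    try {
        $query = [byte[]](@(4) + [System.Text.Encoding]::ASCII.GetBytes($InstanceName) + @(0))
        $udp.Connect($Target, 1434)
        [void]$udp.Send($query, $query.Length)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $raw  = $udp.Receive([ref]$from)
        # Reply layout: 0x05, two-byte length, then the ASCII field list.
        $text   = [System.Text.Encoding]::ASCII.GetString($raw, 3, $raw.Length - 3)
        $fields = $text.TrimEnd(';') -split ';'
        $i = [array]::IndexOf($fields, 'tcp')
        if ($i -ge 0) { [int]$fields[$i + 1] } else { $null }
    } catch { $null } finally { $udp.Close() }
}

Test-InternalName -Name $Fqdn -DnsServer $InternalDns
Get-ClientDnsServers
Test-ServicePorts -Target $Fqdn
$sqlPort = Get-SqlInstancePort -Target $Fqdn -InstanceName $Instance
if ($sqlPort) { Test-ServicePorts -Target $Fqdn -Ports $sqlPort }
else { "No SQL Browser answer for '$Instance': UDP 1434 filtered, Browser service stopped, or wrong instance name." }
```

Read the results top down: a failed step 1 is a DNS problem on the server side; step 1 passing while step 2 shows no internal server on the VPN interface is the forwarding gap grunger106 describes, fixed on the VPN device or by pushing the internal DNS to clients; TCP failures in step 3 or 4 with DNS working point at the host firewall or the router; and everything passing while the application still fails with an SSPI context error is the authentication layer (NTLM against a domain the client never logged on to), which no firewall or DNS change will fix.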
  • 0
M_Lyons10
52 minutes ago, grunger106 said:

Ping the machine, not the SQL instance name.

 

Post the results of an IPConfig /all from the server

 

 

Sure, here you go.  Please let me know if you need anything else.

 

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\ITMGR>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : OSRVR
   Primary Dns Suffix  . . . . . . . : DISBLAS.local
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DISBLAS.local

Ethernet adapter NIC2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 50-9A-4C-8C-12-69
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 50-9A-4C-8C-12-68
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.20
                                       10.10.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{5034AC14-6B56-4398-B24C-B3A2C443B43F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D3821009-0C82-4ECE-BABF-1EECE6E28568}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\ITMGR>

  • 0
grunger106

Can you ping OSRVR.DISBLAS.local from your VPN connected machine?

  • 0
M_Lyons10
30 minutes ago, grunger106 said:

Can you ping OSRVR.DISBLAS.local from your VPN connected machine?

I tried pinging from the VPN connected machine and it failed.

  • 0
grunger106

But if you ping 10.0.0.20 it works? If so you have a DNS issue over the tunnel.

I suspect the issue you're actually chasing.

If your SQL connection strings are pointing at something the machine can't resolve it ain't going to work.

 

There are some strange configs at play here.

I assume 10.0.0.1 is your Draytek device

I suspect this server is also a Domain Controller and DNS server, as well as a SQL Server (not recommended)

If I am correct that it's a DC, then the DNS server settings on the NIC are incorrect: it should not be pointing to your Draytek device as a DNS server. Even if it's just a member server and the DC is elsewhere, it still shouldn't be pointing at a non-domain-integrated DNS server.

However, someone might have stuck that there to make it 'work'.

 

It sounds like you have a domain controller, but people logging into workstations with local accounts, mapping drives and then authenticating at that point.

And your SQL Authentication method is unknown, but based on the rest of this guesswork I'd bet it was SQLAuth.

 

This may 'function' but it's not right.

 

TBH there is enough wrong here that I don't think you're going to get this sorted over a forum post, did you set this up or did you have someone do it for you?

 

  • Like 1
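An added example, not code from the thread, that separates the two questions grunger106 raises: can the VPN client reach 10.0.0.20 at all, and can it resolve OSRVR.DISBLAS.local while connected? It queries the domain DNS server directly with `Resolve-DnsName -Server`, so a name that resolves that way but not through the client's default resolver points at VPN client DNS settings rather than at the tunnel or the firewall. The last step checks the server's own NIC resolver list, which on a domain controller should contain only domain DNS servers. Assumptions: the FQDN and 10.0.0.20 come from the posted ipconfig, the adapter alias `NIC1` likewise; whether the second resolver shown there (10.10.0.1) is a domain DNS server is not known from the thread.

```powershell
# Added example (not from the thread). Assumed from the posted ipconfig:
#   OSRVR.DISBLAS.local = 10.0.0.20, and it is the domain's DNS server.
$Fqdn     = 'OSRVR.DISBLAS.local'
$ServerIp = '10.0.0.20'

# ---- Run on the VPN-connected client ----
# 1. Which resolvers and DNS suffixes does the client have, per adapter? If the VPN
#    adapter lists no 10.0.0.20 and no DISBLAS.local suffix, short names will never resolve.
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
Get-DnsClient | Select-Object InterfaceAlias, ConnectionSpecificSuffix

# 2. Ask the domain DNS server directly (bypassing the client's default resolver),
#    then ask the default resolver. Compare the two.
$viaDomainDns = Resolve-DnsName -Name $Fqdn -Type A -Server $ServerIp -ErrorAction SilentlyContinue
$viaDefault   = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue

[pscustomobject]@{
    'IP reachable (ICMP)'    = (Test-NetConnection -ComputerName $ServerIp -InformationLevel Quiet)
    'Resolves via 10.0.0.20' = [bool]$viaDomainDns
    'Resolves via default'   = [bool]$viaDefault
}
# How to read the three results:
#   reachable, resolves via 10.0.0.20 only -> VPN client DNS configuration; not a server firewall problem
#   reachable, resolves nowhere            -> record missing from the zone, or DNS (UDP/TCP 53) blocked to the server
#   not reachable                          -> routing or VPN problem; fix that before touching firewall rules

# 3. Sidestep name resolution for SQL Server entirely by addressing the instance by IP and port
#    in the connection string, e.g. Server=10.0.0.20,1433 (no DNS, no SQL Browser needed).

# ---- Run elevated on the server (OSRVR) ----
# 4. A domain controller's NIC should list only domain DNS servers (itself and other DCs).
#    Review the list; only change it once you have confirmed what the second entry is.
Get-DnsClientServerAddress -InterfaceAlias 'NIC1' -AddressFamily IPv4
# Set-DnsClientServerAddress -InterfaceAlias 'NIC1' -ServerAddresses '10.0.0.20'   # apply once verified
```

Using the FQDN from the client is the quickest confirmation: if `Resolve-DnsName` against 10.0.0.20 answers but the default lookup does not, the fix is on the VPN side (push the domain DNS server and the DISBLAS.local suffix to clients, or enter them manually on the VPN adapter), and the server firewall was never the cause.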
