One Windows Server 2016 machine running on some IP address 1.2.3.0. It has an Apache server on port 80, a DNS server, a running MySQL server and so on, and I connect to it through an RDP client.

My requirement is to add an additional IP address 1.2.3.1 on the same Windows server and use a separate IP address for my application servers (Apache, MySQL) for security reasons, so as not to expose the main server IP.

The main IP address 1.2.3.0 should only accept RDP and server services, and the other IP should only accept the Apache and MySQL ports and not RDP.

I was able to add the additional IP address to the server and add a firewall inbound rule to block all the ports for the 1.2.3.1 IP address. It worked. Now I have opened Apache port 80 on this 1.2.3.1 IP address, and it does not work. What might be the issue?

ideeps
  • 1
  • 2

2 Answers


You say that you've blocked all of the ports inbound to the 1.2.3.1 IP address. As expected, that prevents traffic on port 80 from reaching Apache. You'll need to use that same firewall to open port 80 (and probably 443) inbound to 1.2.3.1.

Doug Deden
  • 1,844
  • 7
  • 10
  • Did you mean to add a new inbound firewall rule for port 80 after the first rule that blocks all the ports? I did that and it did not work. – ideeps Jan 08 '19 at 19:03
  • You'll need the "allow port 80" rule to be before the "block all ports" rule. – Doug Deden Jan 08 '19 at 19:43
  • How can we add the order or prioritize them? – ideeps Jan 08 '19 at 23:09
  • Ah, I see that the processing order in Windows Firewall is unusual. It processes Block rules before Allow rules. So you'll need to remove your "block all ports" rule, and leave the "allow port 80" rule in place. You shouldn't need the "block all ports" rule anyway, as the default behavior -- processed last -- is to block all inbound connections. See https://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx#Rules_are_evaluated_in_a_specific_order – Doug Deden Jan 08 '19 at 23:29
  • There is an option in the firewall modal where I added a scope to block all the ports for 1.2.3.1; it works fine. When I removed this as you said, this IP opens the ports for RDP and the other services from the main IP 1.2.3.0, which doesn't meet the requirement. I need the two different IPs' ports to work independently. Each IP should point to its own ports. – ideeps Jan 09 '19 at 03:05
  • I wish the firewall had except option while blocking all the ports for certain ips. :( – ideeps Jan 09 '19 at 03:08

I found a workaround solution, since there is no option in Windows Firewall to add "all ports except".

Before

  1. block all ports for 1.2.3.1
  2. Open port 80 for 1.2.3.1

After (Solution)

  1. Block ports for 1.2.3.1 from 1-79
  2. Block ports for 1.2.3.1 from 81-65535
  3. Open port 80 for 1.2.3.1

ideeps
  • 1
  • 2
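An added example (not code from the question or either answer) that builds the per-IP split with the NetSecurity cmdlets on Windows Server 2016, including the two-range workaround from the answer above and the scoped-RDP alternative from the comments. It assumes 1.2.3.0 is the management IP, 1.2.3.1 the application IP, Apache on 80/443 and MySQL on its default port 3306 (3306 is an assumption; the question does not state it); run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumed addresses and ports:
$MgmtIp = '1.2.3.0'   # management IP: RDP only
$AppIp  = '1.2.3.1'   # application IP: Apache and MySQL only
$AppPorts = 80, 443, 3306   # 3306 = MySQL default, assumed

# 1. Make the default inbound action Block on every profile. Windows Firewall
#    evaluates Block rules before Allow rules, so an explicit "block all ports"
#    rule shadows any later allow; the profile default (evaluated last) does
#    the same job without that side effect.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Allow the application ports only when the local address is the app IP.
New-NetFirewallRule -DisplayName 'App IP: Apache and MySQL' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalAddress $AppIp -LocalPort $AppPorts

# 3. Keep RDP off the app IP. The built-in "Remote Desktop" allow rules are
#    scoped to any local address, which is why removing the block rule exposed
#    RDP on 1.2.3.1 in the comments; narrow them to the management IP instead.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -LocalAddress $MgmtIp

# 4. The answer's workaround, generalised: if you still want an explicit Block
#    rule on the app IP, the "all except" must be written as port ranges that
#    leave a hole for EVERY allowed port, not just 80. Redundant with step 1.
New-NetFirewallRule -DisplayName 'App IP: block all except 80/443/3306' `
    -Direction Inbound -Action Block -Protocol TCP `
    -LocalAddress $AppIp -LocalPort '1-79','81-442','444-3305','3307-65535'

# 5. Verify: list every enabled inbound rule whose local-address scope includes
#    the app IP, with its action and ports, so a stray any-address allow stands out.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    if ($addr.LocalAddress -contains $AppIp -or $addr.LocalAddress -eq 'Any') {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Scope  = ($addr.LocalAddress -join ',')
            Ports  = ($port.LocalPort -join ',')
        }
    }
} | Format-Table -AutoSize
```

Rows in the final table with Scope "Any" and Action "Allow" are the services that will also answer on 1.2.3.1; give each of them a `-LocalAddress $MgmtIp` scope the same way as the Remote Desktop group in step 3.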