Win2008 R2: why websites open slowly from inside the server, or external websites cannot be reached, after an IP security policy is set

  • 2020-06-12 11:16:43
  • OfStack

Why a website opens slowly (only a few KB) from inside a Win2008 R2 server after an IP security policy is set

The cause is that the blocking rule in the IP security policy was set with source address "Any IP" and destination address "Any IP", closing every UDP port.

Change the blocking rule to source address "My IP address" and destination address "Any IP", which closes all UDP ports, then open UDP port 53 from "My IP address" to the IP of the DNS server. This port is used to resolve domain names.

Approach: block all users from accessing port 1433 and allow only individual IPs. (In the security policy, an allow rule takes priority over a block rule.)

1. Add the "IP filter" rules
The IP filter rules define which IPs are to be restricted.
Open "Administrative Tools", click "Local Security Policy", and select "IP Security Policies on Local Computer".
Right-click it and select "Manage IP filter lists and filter actions".
1) Add a rule for "all IPs" accessing port 1433, name: Block all IPs from accessing port 1433
2) Add another rule for a "specific IP" accessing port 1433, name: Allow specific IPs to access port 1433

2. Add the filter action rules
The filter action complements the IP filter rule: it decides whether traffic from the IPs matched by the filter is permitted or blocked.
On "IP Security Policies on Local Computer", right-click, select "Manage IP filter lists and filter actions", and open the "Manage Filter Actions" tab.
Create two actions, one that permits and one that blocks.

3. Create the "IP Security Policy" entry
With the IP filters and filter actions created, they now need to be combined.
The "IP Security Policy" is the container that holds these rules.
On "IP Security Policies on Local Computer", right-click and select "Create IP Security Policy", name: Guardian IP Policy

4. Add the IP filter rules to the "IP Security Policy"
1) Add the filter rule "Block all IPs from accessing port 1433" and select the block action.
2) Add the filter rule "Allow specific IPs to access port 1433" and select the permit action.

Once the filter rules are added, assign (enable) the security policy so that it takes effect.

If you need more restrictive rules, create the IP filter rules as in step 1, and then add them to the "IP Security Policy" entry as in step 4.
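The same configuration can be scripted with `netsh ipsec static`, which makes the policy repeatable and easy to review. This is an added example, not part of the original article; the two IP addresses and the filter list and action names are constructed placeholders, and the last four rules cover the UDP/DNS fix described at the top of the page.

```batch
@echo off
rem Added example (not from the original article): steps 1-4 as netsh commands.
rem Run from an elevated command prompt. Addresses below are placeholders.
set ALLOWED_IP=203.0.113.10
set DNS_IP=192.0.2.53
set POLICY=Guardian IP Policy

rem Step 1: IP filter lists, i.e. which traffic each rule matches.
netsh ipsec static add filterlist name="All IP to 1433"
netsh ipsec static add filter filterlist="All IP to 1433" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=1433 mirrored=yes
netsh ipsec static add filterlist name="Specific IP to 1433"
netsh ipsec static add filter filterlist="Specific IP to 1433" srcaddr=%ALLOWED_IP% dstaddr=me protocol=TCP srcport=0 dstport=1433 mirrored=yes

rem Filter lists for the UDP/DNS fix: block UDP from this host, permit port 53.
netsh ipsec static add filterlist name="My IP UDP any port"
netsh ipsec static add filter filterlist="My IP UDP any port" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=0 mirrored=yes
netsh ipsec static add filterlist name="My IP to DNS"
netsh ipsec static add filter filterlist="My IP to DNS" srcaddr=me dstaddr=%DNS_IP% protocol=UDP srcport=0 dstport=53 mirrored=yes

rem Step 2: filter actions, one that blocks and one that permits.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem Step 3: the policy that acts as the container for the rules.
netsh ipsec static add policy name="%POLICY%" description="Restrict 1433, keep DNS working"

rem Step 4: bind each filter list to its action inside the policy.
netsh ipsec static add rule name="Block all 1433" policy="%POLICY%" filterlist="All IP to 1433" filteraction="Block"
netsh ipsec static add rule name="Allow specific 1433" policy="%POLICY%" filterlist="Specific IP to 1433" filteraction="Permit"
netsh ipsec static add rule name="Block UDP" policy="%POLICY%" filterlist="My IP UDP any port" filteraction="Block"
netsh ipsec static add rule name="Allow DNS" policy="%POLICY%" filterlist="My IP to DNS" filteraction="Permit"

rem Assign the policy so it takes effect, then print it for review.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
```

After assigning, check from the server itself that `nslookup` against the configured DNS server still answers, and from a non-allowed host that TCP 1433 is refused.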

