Best practices for Firewall policy settings for remote clients

The following table describes scenarios and best-practice recommendations.
Firewall policy best practices
Remote location where users log on without a VPN
  • Assign the strictest security policies to clients that log on remotely without using a VPN.
  • Enable NetBIOS protection.
    Do not enable NetBIOS protection for the location where a remote client is logged on to the corporate network through a VPN. This rule is appropriate only when remote clients are connected to the Internet, not to the corporate network.
  • Block all local TCP traffic on the NetBIOS ports 135, 139, and 445 to increase security.
Remote location where users log on through a VPN
  • Leave as-is all the rules that block traffic on all adapters. Do not change those rules.
  • Leave as-is the rule that allows VPN traffic on all adapters. Do not change that rule.
  • For every rule whose action is Allow, change the Adapter column from All Adapters to the name of the VPN adapter that you use.
  • Enable the rule that blocks all other traffic.
You need to make all of these changes if you want to avoid the possibility of split tunneling through the VPN.
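The following script is an added example, not Symantec's code, that audits a rule table against the two remote-location recommendations above: NetBIOS protection and local TCP 135/139/445 blocking for clients without a VPN, and Allow rules bound to the VPN adapter plus an enabled block-all-other-traffic rule for clients on a VPN. The Rule fields, the rule names and the adapter name "Corp VPN" are constructed for the example.

```python
from dataclasses import dataclass

NETBIOS_PORTS = {135, 139, 445}

@dataclass
class Rule:
    name: str
    action: str                 # "Allow" or "Block", as in the policy table
    adapter: str = "All Adapters"
    enabled: bool = True
    local_tcp_ports: frozenset = frozenset()
    kind: str = ""              # "vpn_transport": the rule that allows the VPN itself
                                # "catch_all": the rule that blocks all other traffic

def check_remote_no_vpn(rules, netbios_protection):
    """Location: remote clients on the Internet, no VPN."""
    findings = []
    if not netbios_protection:
        findings.append("NetBIOS protection is disabled")
    blocked = set()
    for r in rules:
        if r.enabled and r.action == "Block":
            blocked |= set(r.local_tcp_ports)
    missing = sorted(NETBIOS_PORTS - blocked)
    if missing:
        findings.append(f"local TCP NetBIOS ports not blocked: {missing}")
    return findings

def check_remote_vpn(rules, vpn_adapter, netbios_protection):
    """Location: remote clients reaching the corporate network over a VPN."""
    findings = []
    if netbios_protection:
        findings.append("NetBIOS protection is enabled on the VPN location")
    catch_all_enabled = False
    for r in rules:
        if r.kind == "catch_all":
            catch_all_enabled = catch_all_enabled or r.enabled
        elif r.kind == "vpn_transport":
            if r.adapter != "All Adapters":
                findings.append(f"VPN rule '{r.name}' no longer on All Adapters")
        elif r.action == "Allow" and r.adapter != vpn_adapter:
            findings.append(f"Allow rule '{r.name}' bound to '{r.adapter}' (split-tunnel risk)")
    if not catch_all_enabled:
        findings.append("rule that blocks all other traffic is not enabled")
    return findings

# Constructed sample rule table for the VPN location; "Corp VPN" is a hypothetical adapter.
SAMPLE_VPN_RULES = [
    Rule("Allow VPN", "Allow", "All Adapters", kind="vpn_transport"),
    Rule("Allow file sharing", "Allow", "All Adapters"),   # should be bound to Corp VPN
    Rule("Block all other traffic", "Block", enabled=False, kind="catch_all"),
]
```

Running check_remote_vpn(SAMPLE_VPN_RULES, "Corp VPN", False) reports the unbound Allow rule and the disabled catch-all rule, which are exactly the two changes the VPN scenario calls for.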
Office locations where users log on through Ethernet or wireless connections
Use your default Firewall policy. For the wireless connection, ensure that the rule to allow wireless EAPOL is enabled. 802.1x uses the Extensible Authentication Protocol over LAN (EAPOL) for connection authentication.