
Firewalls on Nebula Bronze Workstation and Local Servers

On November 1, 2005, Nebula policy will be changed to permit firewalls on bronze workstations and local servers provided they meet the criteria documented here. The intent of these criteria is to preserve access for remote management by Nebula support staff and to ensure compliance with the UW minimum security standards. The "no firewall" policy remains in effect for kiosks, gold workstations and managed servers. These systems are protected by other means.

We strongly encourage clients to use the Windows firewall if they feel they need a firewall, but they can choose any firewall product they like. Nebula (or one of our UW Technology partners) will provide limited support if they choose any of the following:

Other products are unsupported.

Policy Changes

On November 1, the 'no firewall' group policy will be removed for bronze workstations and local servers. Bronze workstations or local servers running a workstation OS will immediately have a Windows Firewall that is on. This is the default behavior for workstation-class computers in a domain when group policy isn't set to turn Windows Firewall off. Those running a server OS will not see the same default behavior. A new group policy that allows limited configuration of the Windows Firewall will simultaneously be put in place for these systems.

Bronze workstation and local server clients should be prepared to either turn off the Windows firewall or configure it to their needs.

Using Windows Firewall

Because we are administratively configuring the settings of the Windows firewall for specific ports to provide access for Nebula support staff, the client will be unable to configure the ports documented in the criteria here. For instance, this means that the client won't be able to add their home computer to the scope of the RDP port, tcp 3389. They'll receive an error message similar to: "Windows Firewall cannot add the port 'TCP 3389 (rdp)' to the list of exceptions, possibly because the port you are trying to add is already included in a service, such as File and Printer Sharing." However, because we've included the network segment where the Nebula VPN servers live, any computer using the Nebula VPN has access to the ports automatically configured. This is a failing in the design of the Windows Firewall product which will hopefully be addressed in future versions. In the meantime, the VPN is a good workaround that should meet all client needs for access to those ports.

Using IPSec Filtering

IPSec filtering is permitted if the configurations meet the criteria listed below.

Using the UW Technology Logical Firewall

More information on using the UW Technology logical firewall is found here. This firewall is permitted if the configurations meet the criteria listed below.

The criteria for being in compliance

From networks with IP addresses assigned of the form:

Some firewall products do not understand the 'slash' notation, so it may be necessary to also provide the corresponding subnet masks:

These ports should be open:

Scanning for Compliance

Nebula will scan to see if bronze workstations and local servers meet the firewall criteria. When a computer is found not to meet the criteria, the owner will be notified of the need to come into compliance with the criteria documented within this policy. The owner will have a period of 2 weeks to come into compliance. If the computer isn't in compliance by the end of that period, it will be removed from the domain. The computer can return to Nebula when it's brought into compliance.
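A check of the kind described above, written here as an added Python example rather than Nebula's own scanner. The management networks and the second required port are constructed placeholders (only tcp 3389 comes from this page); the point it shows is that a rule whose scope only overlaps a management network does not satisfy the criteria, and it also emits the dotted subnet masks for products that do not understand slash notation.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder values: the actual Nebula management networks
# and required port list are not reproduced on this page.
MANAGEMENT_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25"]   # CIDR form
REQUIRED_PORTS = [("tcp", 3389),   # RDP, from the page
                  ("tcp", 9999)]   # placeholder for another required port

def subnet_masks(networks: Iterable[str]) -> Dict[str, str]:
    """Dotted subnet mask for each CIDR prefix, for firewall products
    that do not understand the 'slash' notation."""
    return {n: str(ipaddress.ip_network(n, strict=True).netmask)
            for n in networks}

# A firewall rule as the check sees it: protocol, port and the scope
# (list of CIDR strings) it is open to. An empty scope means "any".
Rule = Tuple[str, int, List[str]]

def port_reachable_from(net: str, proto: str, port: int,
                        rules: List[Rule]) -> bool:
    """True if some rule opens proto/port to the WHOLE management network.
    A scope that merely overlaps the network is not enough: support
    hosts outside the overlap would still be blocked."""
    target = ipaddress.ip_network(net)
    for r_proto, r_port, scope in rules:
        if (r_proto, r_port) != (proto, port):
            continue
        if not scope:
            return True
        if any(target.subnet_of(ipaddress.ip_network(s)) for s in scope):
            return True
    return False

def compliance_gaps(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Every (network, proto, port) combination that is still blocked."""
    return [(net, proto, port)
            for net in MANAGEMENT_NETWORKS
            for proto, port in REQUIRED_PORTS
            if not port_reachable_from(net, proto, port, rules)]

if __name__ == "__main__":
    # RDP scoped to only half of the second network: not compliant.
    sample_rules = [("tcp", 3389, ["192.0.2.0/24", "198.51.100.0/26"]),
                    ("tcp", 9999, MANAGEMENT_NETWORKS)]
    for gap in compliance_gaps(sample_rules):
        print("blocked from management network:", gap)
    print(subnet_masks(MANAGEMENT_NETWORKS))
```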

If you have questions or suggestions, please forward them to nebula-support at cac.washington.edu.