
Firewall on Domain


Bad boy Warrior


Just been reading a few articles on WS2008 and firewalls, NAP etc. I'm just wondering if anyone has enabled the default WS2008 firewall on a domain and successfully allowed clients to authenticate etc. without huge problems? Or would you say it's still not recommended to enable a FW on a domain controller?

If you have, what ports are you opening? I'm curious to know, as WS2008 seems to have a lot of useful and neat features available.

Thanks



I would say enabling the FW on the DC will cause you more issues than help. The internal domain should be safeguarded at the entries from the intranet to internet or anywhere that you would deem as no safe or control on your intranet. NAP + 802.1X authentication is amazing btw :)


I've firewalled DCs at the host level before, but fizban is right - you have to make a LOT of holes to get it to work. A better solution is hardware firewalls throughout the network, IPSec between all domain hosts, 802.1x+Radius/IAC at switch ports and your wireless access points, and good monitoring for anomalies. Host-based firewalls are good for clients, but can be a pain on servers. I've found that 802.1x+Radius, IPSec, and hardware firewalls and DMZs where appropriate are a far better solution to keeping your network from being crunchy on the outside and chewy on the inside.


I think NAP has got me started on this, as I like the idea of how it works. I think I have a good month's worth of reading on IPSEC, as that seems the way to go forward at the moment.

If you guys do have any video links on IPSEC please let me know?
