Firewall Rules User Guide
Each Room in Tehama has its own set of firewall rules, defined by the Room's connected organization.
Tehama’s policy is that, by default, remote applications/services cannot be accessed from a Room’s Desktops.
If the Room's connected organization wants Desktop users to be able to access a particular remote application/service, they must add a firewall rule to the Room to allow access.
IMPORTANT: DNS Filtering is an optional Tehama feature that provides a layer of access control on top of a Room's firewall rules. It is available in 'Multi-Path' Rooms (Rooms with network access set to 'Multi-Path'). Follow the instructions in the section View Allowed Domains in the DNS Filtering guide to see what domains are allowed in your Multi-Path Room.
The Room's firewall rules are controlled by the Org Admin user and the Org/Room Managers of the Room's connected organization (owner+connected or connected-only). Users with these roles can perform the actions described below. Check the description of your custom role to see whether you can perform these actions.
If the Room's connected organization has set the Room's 'Network Access' to:
- 'Tehama Gateway', then the Room's Desktops' access to both the cloud and to a private network is managed through the Room's Tehama Gateway, which runs in the connected organization's private network (or through the Room's two Tehama Gateways, if the Room has the 'Multiple Gateways' option enabled for redundancy). The Tehama Gateway only allows the Desktops to reach remote applications/services that it can itself access and for which the Room has firewall access rules defined.
- 'Internet Only', then the Room's Desktops' access to the cloud is managed through the Room's infrastructure, which only allows the Desktops to reach remote applications/services for which the Room has firewall access rules defined.
- Note that when 'Network Access' is set to 'Internet Only', Tehama denies all UDP traffic apart from DNS lookup.
- 'Multi-Path', then the Room's Desktops' access to the cloud is managed through the Room's infrastructure, and access to private network(s) is managed through the Room's IPsec VPN connections to the connected organization's private network(s). As with the other two network access types, the Desktops can only reach remote applications/services that the Room can access and for which the Room has firewall access rules defined.
IMPORTANT: 'Multi-Path' Rooms (Rooms with network access set to 'Multi-Path') offer an additional, optional layer of internet access control - DNS Filtering. This feature uses the Domain Name System (DNS) to filter website access, before applying any of the firewall rules defined in the Room.
If the Room's DNS Filtering feature has at least one domain in its list of allowed domains, then DNS Filtering is active: users of Desktops in the Room will be denied access to any domain that is not in this list, regardless of the firewall rules in the Room, while access to a domain in the list continues to depend on the existing firewall rules. Deactivate DNS Filtering by removing all domains from this list.
DNS Filtering provides a simple way for a Room with completely restricted internet access to allow Windows Updates for those Windows Desktops in the Room that have set up the Windows Server Update Services (WSUS).
There are two types of firewall rules.
Custom Rules
Custom rules are firewall exceptions added and removed explicitly by the user through the firewall rules 'custom' interface.
Custom rules are typically not associated with a particular Room asset. Rules that do relate to a specific asset should instead be added as inferred rules, by specifying the firewall exception on the asset's entry in the secrets vault (see Inferred Rules below).
The rules can be managed (added/removed) from the custom firewall rules interface in the Tehama Web UI and viewed from the custom firewall rules interface in both the Tehama Web UI and the Desktop Agent running in a Desktop session.
View Custom Rules
View the custom firewall rules from:
Desktop custom firewall rules interface:
- Connect to a Desktop session.
- Open the Desktop Agent application.
- Click on the FIREWALL RULES tab.
- Click on CUSTOM.
Tehama Web UI custom firewall rules interface:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access custom firewall rules in. You will see the user interface for the Room.
- Click on the Room's CONNECTION tab.
- Select the FIREWALL RULES sidebar item.
- If necessary, click on the SHOW CUSTOM RULES button.
Add Custom Rule
NOTE: Be aware of the DNS Filtering feature that is available in Multi-Path Rooms. If this feature is active, access to the internet will be blocked to any domain not included in the DNS filtering feature's list of allowed domains, regardless of the firewall rules you have added by following the instructions below. Be sure to add any domain(s) related to the applications or services pertaining to your firewall rules to the DNS Filtering feature's list of allowed domains.
To add a custom rule do the following:
- View the custom firewall rules page.
- Click on the ADD RULES dropdown to open it.
- Select "Add Custom Rule". The ADD RULE dialog will appear.
- Enter the following information:
- Rule Name: the name you wish the rule to appear under.
- IPv4 CIDR block: this must take the form "127.0.0.1/32".
- Protocol: the protocol supported by the rule (TCP or UDP).
- Port: this can be a single port, a port-range (e.g.: minimum 32 to maximum 63) or all ports between 0 and 65535.
- Click CREATE. The rule will appear in the list.
Import Custom Rules
NOTE: Be aware of the DNS Filtering feature that is available in Multi-Path Rooms. If this feature is active, access to the internet will be blocked to any domain not included in the DNS filtering feature's list of allowed domains, regardless of the firewall rules you have imported by following the instructions below. Be sure to add any domain(s) related to the applications or services pertaining to your firewall rules to the DNS Filtering feature's list of allowed domains.
To import multiple (up to 300) custom rules from a Comma Separated File (CSV) file, do the following:
A. Construct a spreadsheet with the following format:
| name | cidr | protocol | port |
|---|---|---|---|
| FWR 1 | 0.0.0.0/0 | UDP | 6431 |
| FWR 2 | 127.0.0.1/0 | TCP | 3368 |
| FWR 3 | 0.0.0.0/0 | TCP | 32-63 |
| FWR 4 | 127.0.0.1/32 | TCP | All |
- name: The rule name you wish the rule to appear under. The names must be unique.
- cidr: The IPv4 CIDR block - this must take the form "127.0.0.1/32".
- protocol: The protocol supported by the rule (TCP or UDP).
- port: The port(s) supported. This can be a single port, a port-range (minimum and maximum separated by a dash: e.g.: 32-63), or all ports between 0 and 65535 ("All").
The maximum number of rules that can be imported at once is 300.
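As an added illustration (this is not Tehama's own code or an official import tool), the following Python script checks a CSV file against the format described above before it is imported, flagging duplicate names, non-IPv4 CIDR blocks, protocols other than TCP/UDP, malformed ports and more than 300 rows. It then models the precedence described in the DNS Filtering notes earlier in this guide: when the allowed-domain list is non-empty, a domain outside it is denied regardless of the firewall rules; otherwise a connection is allowed only if a rule matches its destination CIDR block, protocol and port. The sample CSV and the RFC 5737 addresses in it are constructed; exact-match comparison of domain names and acceptance of a CIDR block with host bits set inside the mask are assumptions, since the guide does not specify how Tehama handles either.

```python
import csv
import io
import ipaddress

MAX_RULES = 300  # per-import limit stated in the guide


# Constructed sample in the guide's import format; addresses are RFC 5737
# documentation ranges, not a real organisation's rules.
SAMPLE_CSV = """name,cidr,protocol,port
Web HTTP,0.0.0.0/0,TCP,80
Web HTTPS,0.0.0.0/0,TCP,443
FWR 1,0.0.0.0/0,UDP,6431
FWR 2,203.0.113.0/24,TCP,3368
FWR 3,0.0.0.0/0,TCP,32-63
FWR 4,198.51.100.10/32,TCP,All
"""


def parse_port(spec):
    """Return (low, high) for a single port, a 'low-high' range, or 'All'."""
    spec = spec.strip()
    if spec.lower() == "all":
        return (0, 65535)
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port out of range: {spec!r}")
    return (low, high)


def load_rules(text):
    """Parse and validate CSV rules; raise ValueError on the first defect found."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) > MAX_RULES:
        raise ValueError(f"too many rules: {len(rows)} > {MAX_RULES}")
    rules, seen = [], set()
    for lineno, row in enumerate(rows, start=2):  # line 1 is the header
        name = (row.get("name") or "").strip()
        if not name or name in seen:
            raise ValueError(f"line {lineno}: missing or duplicate name {name!r}")
        seen.add(name)
        # strict=False tolerates host bits inside the mask (assumption: the guide
        # does not say how the importer treats them); the rule then covers the
        # block the mask actually selects.
        net = ipaddress.ip_network((row.get("cidr") or "").strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"line {lineno}: only IPv4 CIDR blocks are accepted")
        proto = (row.get("protocol") or "").strip().upper()
        if proto not in ("TCP", "UDP"):
            raise ValueError(f"line {lineno}: protocol must be TCP or UDP")
        rules.append({"name": name, "net": net, "proto": proto,
                      "ports": parse_port(row.get("port") or "")})
    return rules


def is_allowed(rules, allowed_domains, domain, ip, proto, port):
    """Model the guide's precedence: DNS Filtering first (when active), then rules.

    allowed_domains is the Room's DNS Filtering list; an empty set means the
    feature is inactive. Domain comparison is exact (an assumption).
    """
    if allowed_domains and domain not in allowed_domains:
        return False  # DNS Filtering active and domain not listed: denied outright
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        low, high = rule["ports"]
        if rule["proto"] == proto.upper() and addr in rule["net"] and low <= port <= high:
            return True
    return False  # default deny, as the guide states for a Room's Desktops


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CSV)
    print(f"{len(rules)} rules validated")
    checks = [
        (set(), "app.example", "203.0.113.5", "TCP", 3368),            # FWR 2 matches
        (set(), "app.example", "203.0.113.5", "TCP", 8443),            # no rule: denied
        ({"wsus.example"}, "app.example", "203.0.113.5", "TCP", 443),  # DNS Filtering denies
        ({"wsus.example"}, "wsus.example", "203.0.113.5", "TCP", 443), # listed, rule matches
    ]
    for allowed, domain, ip, proto, port in checks:
        print(domain, ip, proto, port, "->", is_allowed(rules, allowed, domain, ip, proto, port))
```

Running the validator on the CSV before importing it gives you the line number of the first bad row, which the asynchronous import reported in the Activity Stream does not always make obvious; the `is_allowed` model is useful for reasoning about why a Desktop cannot reach a service when both DNS Filtering and firewall rules are in play.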
B. Generate a CSV file from the spreadsheet.
C. Import the CSV file:
- View the custom firewall rules page.
- Click on the ADD RULES dropdown to open it.
- Select "Import Firewall Rules". The IMPORT FIREWALL RULES dialog will appear.
- Click IMPORT FIREWALL RULES.
- Select your CSV file from the file selection dialog and click Open. The rules in the CSV file will begin to be imported asynchronously. A dialog will appear to let you know the process has started.
- Click CLOSE to dismiss the dialog.
- Track the progress of the import through the Activity Stream. Once the selected firewall rules have been processed, they will appear in the list of rules on the custom firewall rules page. You may need to refresh the page to see them.
Allow Web Access
NOTE: Be aware of the DNS Filtering feature that is available in Multi-Path Rooms. If this feature is active, access to the web will be blocked to any domain not included in the DNS filtering feature's list of allowed domains, even if you "allow web access" by following the instructions below. Be sure to add any domain(s) for websites you wish to access to the DNS Filtering feature's list of allowed domains, or deactivate DNS filtering.
Access to the web requires access to all TCP endpoints over HTTP and HTTPS. Add the firewall exceptions for web access as follows:
- View the custom firewall rules page.
- Click on the ADD RULES dropdown to open it.
- Select "Allow Web Access". The ALLOW WEB ACCESS dialog will appear.
- Click YES to approve the addition of the shown endpoints. The rules will appear in the list.
ASIDE: The above instructions provide your Room with complete web access, but in Multi-Path Rooms, you can use this "Allow Web Access" capability in conjunction with DNS Filtering to configure a Room to have completely restricted internet access apart from access to allow Windows Updates for those Windows Desktops in the Room that have set up the Windows Server Update Services (WSUS). See section 'Allow Windows Updates' in the DNS Filtering guide for more details.
Allow Full Access
NOTE: Be aware of the DNS Filtering feature that is available in Multi-Path Rooms. If this feature is active, access to the internet will be blocked to any domain not included in the DNS filtering feature's list of allowed domains, even if you "allow full access" by following the instructions below. Be sure to add any domain(s) you wish to access to the DNS Filtering feature's list of allowed domains, or deactivate DNS filtering.
Full access requires access to all TCP endpoints. Add the firewall exceptions for full access as follows:
- View the custom firewall rules page.
- Click on the ADD RULES dropdown to open it.
- Select "Allow Full Access". The ALLOW FULL ACCESS dialog will appear.
- Click YES to approve the addition of the shown endpoint. The rule will appear in the list.
Remove Custom Rule(s)
Remove a custom firewall rule as follows:
- View the custom firewall rules page.
- Locate the entry you wish to remove.
- Click on the three vertical dots under the Actions column in the entry. A drop-down list of actions will appear.
- Select "Remove". The DELETE FIREWALL RULE dialog will appear.
- Click DELETE. The rule will no longer appear in the list.
Remove multiple (up to 300) custom firewall rules at once as follows:
- View the custom firewall rules page.
- Locate the entries you wish to remove.
- Select each of them by clicking in the checkboxes found to their left.
After at least one entry has been selected, a banner will appear at the bottom of the page. You can click on the SELECT button in the banner to select all of the entries. Unselect an entry by clicking again on its checked checkbox. A maximum of 300 selected rules will be processed.
- Click on the trash-can icon found in the banner at the bottom of the page. The DELETE FIREWALL RULES dialog will appear.
- Click DELETE. The selected rules will begin to be deleted asynchronously. A dialog will appear to let you know the process has started.
- Click CLOSE to dismiss the dialog.
- Track the progress of the deletion through the Activity Stream. Once the selected firewall rules have been processed, they will no longer appear in the list of rules on the custom firewall rules page. You may need to refresh the page to see the change in the list.
Inferred Rules
Inferred rules are firewall exceptions that are linked to assets configured in the secrets vault.
An inferred firewall exception rule may be added to the list of inferred rules when an asset is added to the secrets vault.
When an asset that specifies a firewall exception is removed from the secrets vault its associated inferred firewall exception rule is removed from the list of inferred rules.
If there is no firewall exception specified in the vault for an asset, then Tehama will not allow that asset to be accessed, unless a custom firewall rule provides an equivalent exception. It is preferable to manage the exceptions for an asset from the asset's own entry in the secrets vault, so that the rule is added and removed together with the asset.
View Inferred Rules
View the inferred firewall rules from:
- the Desktop inferred firewall rules interface, or
- the Tehama Web UI inferred firewall rules interface
Desktop inferred firewall rules interface:
- Connect to a Desktop session.
- Open the Desktop Agent application.
- Click on the FIREWALL RULES tab.
- Click on INFERRED.
Tehama Web UI inferred firewall rules interface:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Room you want to access inferred firewall rules in. You will see the user interface for the Room.
- Click on the Room's CONNECTION tab.
- Select the FIREWALL RULES sidebar item.
- If necessary, click on the SHOW INFERRED RULES button.