
How Do I Configure Firewalls for a Privileged Access Workstation (PAW)?

The Privileged Access Workstation (PAW) service relies on proper configuration of the firewalls protecting your servers and applications. To be protected by a PAW, configure your firewalls to allow management access to systems only from your group's assigned range of PAW IP addresses. By restricting the source address to that of the PAW VPN, you know that only PAWs are accessing the servers.

For PAWs using the IDG5540 PAW VPN, configure your firewalls to allow management access only from your group's assigned range of IP addresses.

For PAWs using the newer SU-SecOps-VPN, configure your firewalls to allow access from the entire range of PAW IP addresses (171.67.52.0/23). Then use the SUNAC/UserID field in the firewall request to restrict access to your servers based on membership in a workgroup you control.

[Figure: PAW VPN firewall example]

See the table below for a list of common administration ports that should be restricted. For web applications, you can restrict access to management interfaces either through the web server software or via a web application firewall.

Common Management Firewall Rules

Service                                                      | Port (t = TCP, u = UDP)
Dell OpenManage                                              | 1311t
File and Printer Sharing (NetBIOS, SMB), Remote Event Log    | 137-138u, 139t, 445t
  Management, other Windows management                       |
Windows Remote Management                                    | 5986t
DCOM-In (used for Hyper-V Management, Performance Logs and   | 135t
  Alerts, etc.)                                              |
Remote Desktop Protocol - User Mode                          | 3389t/u
SSH                                                          | 22t
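The following is an added example, not code from this page or from the PAW service: it encodes the table above and the SU-SecOps-VPN range (171.67.52.0/23) as a policy, gives a decision function you can use to audit whether a given source, protocol and port should reach a server, and renders the same policy as an nftables input chain. nftables is an assumed target firewall; the page does not name one, and the IDG5540 case would use your group's assigned range instead.

```python
import ipaddress

# Source range for PAWs on the SU-SecOps-VPN (from the page).
PAW_RANGE = ipaddress.ip_network("171.67.52.0/23")

# Common management ports from the page's table, as (protocol, port).
MANAGEMENT_PORTS = [
    ("tcp", 1311),                  # Dell OpenManage
    ("udp", 137), ("udp", 138),     # NetBIOS name / datagram service
    ("tcp", 139), ("tcp", 445),     # NetBIOS session, SMB, remote event log management
    ("tcp", 5986),                  # Windows Remote Management (HTTPS)
    ("tcp", 135),                   # DCOM-In (Hyper-V management, Performance Logs and Alerts)
    ("tcp", 3389), ("udp", 3389),   # Remote Desktop Protocol, user mode
    ("tcp", 22),                    # SSH
]


def is_allowed(src_ip: str, proto: str, dport: int) -> bool:
    """Decide whether a connection should reach the server under the PAW policy.

    Management ports are reachable only from the PAW range. Any other port is
    outside the scope of this policy and is passed through unchanged here, so
    that the check stays focused on the management restriction.
    """
    if (proto, dport) not in MANAGEMENT_PORTS:
        return True
    return ipaddress.ip_address(src_ip) in PAW_RANGE


def render_nftables() -> str:
    """Render the same policy as an nftables 'inet' input chain (assumed firewall).

    Accept rules for the PAW range come first; the unconditional drop rules
    after them catch management traffic from every other source, including
    IPv6 sources, which 'ip saddr' never matches.
    """
    tcp = ", ".join(str(p) for proto, p in sorted(MANAGEMENT_PORTS) if proto == "tcp")
    udp = ", ".join(str(p) for proto, p in sorted(MANAGEMENT_PORTS) if proto == "udp")
    lines = [
        "table inet paw {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr {PAW_RANGE} tcp dport {{ {tcp} }} accept",
        f"    ip saddr {PAW_RANGE} udp dport {{ {udp} }} accept",
        f"    tcp dport {{ {tcp} }} drop",
        f"    udp dport {{ {udp} }} drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)
```

Running `is_allowed` over a sample of expected-allowed and expected-denied connections before deploying the rendered ruleset is a cheap way to catch an ordering mistake, such as a drop rule placed ahead of its accept rule.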
Last modified April 26, 2017