I am setting up Windows Firewall Group Policy.
I would like to set up the domain policy for Windows Firewall port exceptions so that only the 172.28.2.0/24 IP range is allowed to use this port and all other users are blocked. I put in the following: 5800:TCP:172.28.2.0/24:Enable:TCP5800, saved the changes and closed the GPO.
My workstation is on a 172.28.2.x address but the test box is on a 172.28.5.x address.
The GPO downloaded to the test box; I rebooted the test box and I could VNC into it using port 5800. On the test box I used VNC and was able to VNC into another test box, when VNC should be blocked, as the only IP range that should be able to use it is the 172.28.2.x range, while everyone is denied this port on their local workstation unless they're on a 172.28.2.x IP address.
Any thoughts?

It's under...
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Profile\Windows Firewall: Define Port Exceptions
It's a lot like IPTABLES in Linux where you have to write a script. Here is a copy of my script.
3389:UDP:*:enable:RDP
Hope this helps.

That's what I put, but I don't want the *; I need an IP address in there for one IP range, which I did put in my example in the first posting, but with my example everyone in any IP range of 172.28.x.x has access to use VNC, when I only want the 172.28.6.x range to have this port activated while all other users have it blocked.
How would I set this up?

Unfortunately, Windows GPO is user/domain based and not network based. You could use a third-party app to allow you to do this through a logon script, where you can use an IF to detect the subnet the computer is connected to.
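As an added example (not code from any poster in this thread), here is a small Python checker for the port:transport:scope:mode:name entry format used by the "Define Port Exceptions" setting discussed above. It validates each entry before the GPO is pushed out and answers the question the thread circles around: whether a given remote address is inside an entry's scope, since the scope field only filters which remote addresses may reach the local port on the machine that receives the policy. The function names and the accepted spellings of the mode field are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Entry format: port:transport:scope:mode:name; scope is "*", "localsubnet", or a comma-separated list.
VALID_TRANSPORTS = {"TCP", "UDP"}
VALID_MODES = {"enabled", "disabled", "enable", "disable"}  # both spellings seen in the thread

@dataclass
class PortException:
    port: int
    transport: str
    scope: str
    enabled: bool
    name: str

def parse_entry(entry: str) -> PortException:
    """Split one entry into its five fields and validate each; raise ValueError if malformed."""
    fields = [f.strip() for f in entry.split(":")]
    if len(fields) != 5:
        raise ValueError(f"{entry!r}: expected 5 colon-separated fields, got {len(fields)}")
    port, transport, scope, mode, name = fields
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{entry!r}: bad port {port!r}")
    if transport.upper() not in VALID_TRANSPORTS:
        raise ValueError(f"{entry!r}: bad transport {transport!r}")
    if mode.lower() not in VALID_MODES:
        raise ValueError(f"{entry!r}: bad mode {mode!r}")
    for item in scope.split(","):
        if item.strip().lower() not in ("*", "localsubnet"):
            ipaddress.ip_network(item.strip(), strict=False)  # raises ValueError on garbage
    return PortException(int(port), transport.upper(), scope, mode.lower().startswith("enable"), name)

def is_valid_entry(entry: str) -> bool:
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False

def remote_in_scope(exc: PortException, remote_ip: str, local_subnet: str = "") -> bool:
    """True if the entry's scope lets remote_ip reach the local port; scope filters the remote side only."""
    addr = ipaddress.ip_address(remote_ip)
    for item in (s.strip().lower() for s in exc.scope.split(",")):
        if item == "*":
            return True
        if item == "localsubnet":
            if local_subnet and addr in ipaddress.ip_network(local_subnet, strict=False):
                return True
        elif addr in ipaddress.ip_network(item, strict=False):
            return True
    return False
```

Run against the VNC entry from the first post, a 172.28.2.x source is in scope and a 172.28.5.x source is not, regardless of which machine received the GPO.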
