Well if you really block everything except ePO how are they able to talk to antoher IP-Adress.
How is your current configuration looking?
How about DNS and all the AD stuff in your network? Not needed?
If you really want what you write then it´s: IP-Adress-EPO + Ports needed for communication.
Everything else: block
How are your endpoints accessing your nas? and how do you tell that your firewall rules do not work correctly?
I'm not sure I understand your response.
To clarify - I have managed to achieve the goal of blocking everything, except NAS access.
They access the NAS using mapped shared drives, or by entering the location directly \\NAS\_____
What Daniel_S is getting at is, what you're describing (block all but ePO) is simple to achieve. Create a new firewall rule policy, allow the IP address of your ePO server and the ports it needs, and then put a block any any under that, and you're done. However, then it won't talk to the Internet. Or DNS. Or Active Directory. Or anything.
However, if you have it blocking everything *that you want*, except for your NAS, then we'd need to know more about how clients are accessing the NAS, and what rules are already in place. Easiest case is you create a block rule for the IP address of the NAS in the destination. If there are other things on the NAS they need to access, then we'd need to know what those things are, and what port they access thing on the NAS with.