With the use the Kaseya Application Firewall - it's no longer possible to just block ports 80 & 443 to restrict access to the UI - because you can just go through https://kaseya.mycompany.com:5721 to get to the UI. You also can no longer restrict IP addresses in IIS like the old days because everything goes through the loopback. We tried using AuthAnvil to secure the UI - but it doesn't properly see the incoming IP addresses (most are blank or wrong) - so we had to find another way to restrict the UI after the Kaseya breach a few months ago.
Install a 3rd party component called "URL Rewrite" to IIS and set a rule based on the HTTP_Referer for the wildcard *:5721*
It doesn't matter what you ask it to do when it hits that rule because the KAF will still try to intercept the call - but that will effectively cut off outside access to your VSA.
If anyone has found other ways to secure their VSA, I'd love to hear it - but this seems to be working well for us.
You can use an on-premise WAF.