
I am struggling with Server 2008 R2 NLA and the Windows Firewall.

Currently we are testing rolling out Windows Firewall via GP and have a test server that enables the firewall for Domain, Private and Public. Public and Private are set to lock down, while the Domain profile has the default settings (unsolicited Inbound blocked, Outbound allowed). The settings applied correctly and there was no loss of communication. Everything was looking hunky-dory.

Latest Windows Updates caused an issue so we reverted to a snapshot (VM running on ESXi 5). Now the firewall is connecting under the Public profile and all communication is broken. Due to GP controlling the policy I cannot disable the policy or reset the policy on the box. The only solution we have found is to stop the firewall service and remove the computer from the GPO. This then allows normal communication.

I had a google and have seen that in Jan 2012 there was a hotfix (KB2524478) that resolved this issue, but that is already deployed and the hotfix states it is not needed. I am guessing something in the NLA is incorrectly associating itself with being on a Public connection, but I cannot see any way to override the network location to the Domain profile.

Does anyone have any suggestions about how I might be able to troubleshoot this further? I am loath to amend the procedure to disable the service, reboot and then re-enable, as I feel this is a workaround.

EDIT: Reading up on NLA, I notice the following behaviour is thought to be the initial process:

"In all cases, detection starts the same way that it does in Windows XP. If the Connection Specific DNS Name matches the “HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName” registry key then the machine will attempt to contact a Domain Controller via LDAP. If both these steps succeed, you will get the Domain profile. It is important to note that if the steps succeed, processing stops here. This allows you to roam across multiple access points in the same domain without having to stop and identify each of them individually. "

When I look at that registry key on the server in question, and in fact on all the ones I have picked at random as well, I have a blank entry for this. Is this the expected behaviour, or should this value hold the forest name?
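The quoted NLA detection process (suffix match against the NetworkName value, then an LDAP contact with a domain controller) can be checked step by step from the affected server. The following script is an added example for this thread, not code from the original post; it assumes PowerShell 2.0 on Server 2008 R2 in an elevated prompt, and it only reads state, so it is safe to run while the box is stuck in the Public profile. The registry path, WMI classes, `nltest` and `netsh advfirewall` are standard on that OS; nothing else is assumed.

```powershell
# Added diagnostic for the NLA-to-Domain-profile question; not from the original post.
# Assumes PowerShell 2.0 on Server 2008 R2, run elevated. Prints the inputs NLA uses for
# domain detection so the failing step (suffix match, DC lookup, LDAP reachability) stands out.

# 1. The value NLA compares with the connection-specific DNS suffix
$gpHistory   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$networkName = (Get-ItemProperty -Path $gpHistory -ErrorAction SilentlyContinue).NetworkName
"Group Policy History NetworkName: '$networkName'"

# 2. Connection-specific DNS suffix, default gateway and DNS servers per IP-enabled adapter.
#    A missing gateway or an empty DNSDomain is enough on its own to keep the profile Public.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    "{0}`n  DNSDomain='{1}' Gateway='{2}' DNS='{3}'" -f $_.Description, $_.DNSDomain,
        ($_.DefaultIPGateway -join ','), ($_.DNSServerSearchOrder -join ',')
}

# 3. DC locator: the LDAP SRV record must resolve, then the locator itself must succeed.
#    Both need outbound DNS from whatever profile is currently active.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
"Computer domain: $domain"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Out-String
nltest /dsgetdc:$domain /force 2>&1 | Out-String

# 4. Raw TCP reachability of LDAP on a DC. If the locator works but this fails,
#    the active profile's outbound rules are the problem, not DNS.
try {
    $dc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    $sock = New-Object System.Net.Sockets.TcpClient
    $sock.Connect($dc, 389)
    "TCP 389 to $dc : open"
    $sock.Close()
} catch {
    "LDAP check failed: $($_.Exception.Message)"
}

# 5. Which firewall profile the machine believes it is on right now
netsh advfirewall show currentprofile
```

Run it once while the server is wedged in Public and once after the stop-service/reboot workaround; the first step that differs between the two runs is the one NLA is tripping over. A blank NetworkName on a healthy member is reported in step 1 exactly as the poster describes, so that line alone does not prove anything; steps 3 and 4 are the ones that decide the profile.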

  • What are your public and private policies like? Every computer will start up with the public profile. Using this profile it will try to connect to the domain. If that fails (e.g. because the public profile tells it that any connection is forbidden) it will not connect to the domain profile. – ZEDA-NL Aug 22 '13 at 06:55
  • Also note that the public profile can mean that there are network problems. e.g. when the computer has no default gateway, the profile will always be Public. – ZEDA-NL Aug 22 '13 at 06:56
  • hmmmmm, I have a default gateway set, this server exists on a static subnet. I have set the Public Profile to Block Incoming and Outgoing. This normally does not seem to be a problem for the other server I have configured as a test server. To that end would the Public profile need to be left wide open to allow the domain connection to be made? Or is it just a case of configuring more pertinent rules on the public profile? –  Aug 22 '13 at 10:19
  • In the public and private profile you should allow outgoing connections to the domain (at least DNS, Kerberos, and LDAP). Blocking all incoming connections is no problem. – ZEDA-NL Aug 23 '13 at 14:11
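The outbound allowances suggested in the comments above (DNS, Kerberos and LDAP from the Public and Private profiles, with inbound left blocked) can be expressed as explicit rules. The block below is an added example and is not from the original thread; it assumes an elevated prompt on Server 2008 R2 and that the firewall GPO still permits local rule merging. If the GPO disables local rules, the same six rules have to be created in the GPO itself (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security), and the `remoteip=` restriction is an optional hardening step, not something the comment requires.

```powershell
# Added example, not from the original thread. Assumes Server 2008 R2, elevated prompt, and a
# GPO that allows local rule merging; otherwise create these rules in the GPO instead.
# Ports: DNS 53 (UDP/TCP), Kerberos 88 (UDP/TCP), LDAP 389 (TCP, plus UDP for the DC locator ping).

$ports = @(
    @{ Name = 'DNS';      Proto = 'UDP'; Port = 53  },
    @{ Name = 'DNS';      Proto = 'TCP'; Port = 53  },
    @{ Name = 'Kerberos'; Proto = 'UDP'; Port = 88  },
    @{ Name = 'Kerberos'; Proto = 'TCP'; Port = 88  },
    @{ Name = 'LDAP';     Proto = 'UDP'; Port = 389 },
    @{ Name = 'LDAP';     Proto = 'TCP'; Port = 389 }
)

foreach ($p in $ports) {
    # Rule names without spaces avoid netsh quoting problems when called from PowerShell
    $ruleName = "DomainDiscovery-{0}-{1}-{2}-Out" -f $p.Name, $p.Proto, $p.Port

    # Scoped to the non-domain profiles only; the Domain profile already allows outbound.
    # Optional hardening: append remoteip=<DC addresses> to limit where these ports may be reached.
    netsh advfirewall firewall add rule name=$ruleName dir=out action=allow `
        protocol=$($p.Proto) remoteport=$($p.Port) profile=public,private
}

# Confirm the rules exist and carry the expected profile scope
netsh advfirewall firewall show rule name=all dir=out | Select-String 'DomainDiscovery'
```

Inbound stays blocked in both profiles, matching the comment: domain detection only needs the member to reach out to a DC, not the other way round. Once the Domain profile is selected these rules are inert, because that profile's own outbound default applies.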
