How to identify and differentiate networks so I can set location?

Question

I am a developer and know just whatever sysadmin/networking/etc stuff I've picked up over a lifetime of computing and developing (not an inconsiderable amount, but I am very far from an expert on any of this).

I'm setting up 3 new (hosted, dedicated) Windows Server 2012 boxes (not in a domain) and I cannot figure out how to set the internal network's location to private (it seems this would be easiest and sufficiently secure, as far as firewall configuration for the various inter-server communication).

For connections, I have the Primary NIC which is setup on the external IP's, Secondary NIC on the private subnet IP, and a VIP connection that is setup on the load balancer's external IP's (adapter is Microsoft KM-TEST Loopback Adapter).

Only the Primary NIC connection has a gateway specified, and from what I read this appears to be why the other 2 connections are listed as Unidentified.

I've tried going into Local Security Policy under Network List Manager Policies and allowing users to change location for All Networks, but it appears to have no effect. Again, from what I read, even if it did have effect, if Windows cannot identify the network it cannot reapply the location after changes like a reboot or disconnection.

I cannot force all unidentified networks to be private because that would include the VIP connection which is for public traffic coming in through the load balancer.

EDIT: I've also tried two suggestions from technet, adding a DNS suffix for the connection which had no effect I could discern, and editing the registry to disable NLA on the adapter, which had some odd consequences - the connection was no longer in the network and sharing center at all and I could not tell how it was classifying the connection.

Perhaps if I added a gateway to the VIP or Secondary connections I could then differentiate them and apply the private location to just the Secondary, but I'm not sure what problems this might raise other than seeing it isn't recommended.

I'd rather not go through and configure each and every little firewall hole I need for the 3 servers on the internal network but perhaps this is what I should actually do? How else could I make the Secondary NIC connection only private?

Answer 1

I am unable to add comments at present, so here's a comment in the form of an answer...

You mention adding a gateway to one of the other NICs. Don't do this. Only one NIC should have a default gateway; all other traffic should be guided (routed) using static route statements.

Set the default gateway on the NIC that's going to have the most remote target networks. This way, you minimise the number of static routes you need to define. In a situation like yours, you'd normally set the default gateway on the public NIC, 'cause this could be talking to numerous "unknown" networks. You then set static routes for your well-known/well-understood internal address range(s).

Hope this makes sense.

Alternatively, don't specify any default gateways, and do everything through static routes (ill-advised!).

But back to your original question, it's the Network Location Awareness (NLA) aspect of Windows you need help with. Some aspects of this can be configured using NETSH, but I'd have to Google this myself, so not much help there, I'm afraid.

Answer 2

I did find a way to identify secondary networks here https://superuser.com/a/218509/36752.

Basically, you have to give the connection a default gateway for Windows to identify it and giving the route a higher metric avoids issues with multiple default gateways.

To add a default gateway with a higher route metric use the command line to enter a command as so:

route -p add 0.0.0.0 mask 0.0.0.0 10.1.1.1 metric 50 if 15

Replace the IP address 10.1.1.1 with the address of another device on the connection/network you want to identify (windows uses the mac address of the gateway as an identifier). Use a metric value that is higher than the other default route and use the appropriate if # (both if #'s and current route metrics can be viewed with route print -4).