
Thread: Windows Firewall / Group Policy Configuration

  1. #1
    Creeping Death

    Here is an issue I am having at work that I thought I'd share with some of the IT folks out there. I am implementing a group policy object on our business laptops. When a user is in the office, the Windows firewall will turn off, and allow our network firewall to protect the laptop. However, when the user takes the laptop out of the office, the group policy will enable the firewall and keep the laptop protected.

    When we try testing VPN, however, the firewall is still staying active. Once connected to VPN, it should see our domain controller and use the appropriate group policy. However, the firewall is staying active. I checked to make sure ICMP was allowed in the group policy and made sure the policy was configured correctly. I am going to put a call into Microsoft to help resolve this issue, but I figured I'd put it out there for the IT folks around here to see if anyone had any input. Once I get a resolution from Microsoft, I'll make sure to post it in here.

  2. #2
    quix

    Originally posted by Creeping Death:
    Here is an issue I am having at work that I thought I'd share with some of the IT folks out there. I am implementing a group policy object on our business laptops. When a user is in the office, the Windows firewall will turn off, and allow our network firewall to protect the laptop. However, when the user takes the laptop out of the office, the group policy will enable the firewall and keep the laptop protected.

    When we try testing VPN, however, the firewall is still staying active. Once connected to VPN, it should see our domain controller and use the appropriate group policy. However, the firewall is staying active. I checked to make sure ICMP was allowed in the group policy and made sure the policy was configured correctly. I am going to put a call into Microsoft to help resolve this issue, but I figured I'd put it out there for the IT folks around here to see if anyone had any input. Once I get a resolution from Microsoft, I'll make sure to post it in here.

    Have you looked at your Event Viewer on the client to see if it generates any helpful error codes? I'm guessing that there may be an issue with DNS here.

  3. #3
    DRice

    I'm spitballing here, but wouldn't VPN still be considered 'outside' the network since you're physically not 'inside'?

  4. #4
    mudfisher

    DRice,

    Once connected to the network via VPN the remote machine is considered a machine inside the domain. The problem is disabling the Windows firewall when connected to the domain via VPN. Then activating the Windows firewall once disconnected from the VPN. The goal is single firewall protection when connected and disconnected from the VPN.

  5. #5
    Socrates

    The policy settings are kind of slow sometimes to catch up that it's back on the domain once it's been off - VPN or no VPN, sometimes you have to run a gpupdate to trigger it to switch back.

    Having said that, you might consider just making the VPN connection "disabled" in the firewall so that even if firewall is on, the VPN connection will be unaffected (under the advanced tab in the firewall settings, uncheck the VPN connection in question - for XP). I mean if you have someone sitting in a Starbucks, I don't think you want the whole firewall down anyway, you'd want the firewall to protect the wifi connection, but let traffic through the VPN.

    And actually I'm not even sure if being on the domain via VPN qualifies it to turn off as far as policy is concerned. That might be intentional behavior because of what I mentioned above.
    Last edited by Socrates; May 9th, 2008 at 11:28 PM.
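
    An added example, not part of any post in this thread: a batch script for the XP-era client discussed here that reports which Windows Firewall profile is active before and after the gpupdate mentioned above, so you can tell whether the VPN connection ever switches the laptop to the domain policy. It assumes the `netsh firewall` context of Windows XP SP2 and its `Profile = Domain` / `Profile = Standard` output line; the exit codes are a convention chosen for this example.

```bat
@echo off
rem Added diagnostic sketch (not from the thread). Run on the laptop
rem after the VPN has connected.

echo === DNS suffixes per adapter, VPN adapter included ===
ipconfig /all | findstr /i /c:"adapter" /c:"DNS Suffix"

echo === Firewall state BEFORE policy refresh ===
netsh firewall show state | findstr /i /c:"Profile" /c:"Operational mode" /c:"Group policy version"

echo === Forcing a computer policy refresh ===
gpupdate /target:computer /force

echo === Firewall state AFTER policy refresh ===
netsh firewall show state | findstr /i /c:"Profile" /c:"Operational mode" /c:"Group policy version"

rem Set an exit code so a logon script or help desk check can act on it:
rem   0 = Domain profile active, 1 = Standard profile still active.
netsh firewall show state | findstr /i /r /c:"^Profile .*= *Domain" >nul
if errorlevel 1 (
    echo Result: Standard profile is still active; the domain policy did not take over.
    exit /b 1
)
echo Result: Domain profile is active.
exit /b 0
```

    If the profile stays on Standard after the refresh, the firewall is following its Standard-profile settings, so any VPN-specific exception has to be defined there rather than in the domain profile.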

  6. #6
    HeShootsNScores

    You try having the user log on to the domain post-VPN? Perhaps after that you can implement a logon script or something that will enable the policy.
