Thread: Windows Firewall / Group Policy Configuration

Here is an issue I am having at work that I thought Id share with some of the IT folks out there. I am implementing a group policy object on our business laptops. When a user is in the office, the Windows firewall will turn off, and allow our network firewall to protect the laptop. However, when the user takes the laptop out of the office, the group policy will enable the firewall and keep the laptop protected.

When we try testing VPN however, the firewall is still staying active. Once connected to VPN, it should see our domain controller and use the appropriate group policy. However, the firewall is staying active. I checked to make sure ICMP allowed in the group policy and made sure the policy was configured correctly. I am going to put a call into microsoft to help resolve this issue, but I figured Id put it out there for the IT folks around here to see if anyone had any input. Once I get a resolution from microsoft, I'll make sure to post it in here.

Originally Posted by Creeping Death

Here is an issue I am having at work that I thought Id share with some of the IT folks out there. I am implementing a group policy object on our business laptops. When a user is in the office, the Windows firewall will turn off, and allow our network firewall to protect the laptop. However, when the user takes the laptop out of the office, the group policy will enable the firewall and keep the laptop protected.

When we try testing VPN however, the firewall is still staying active. Once connected to VPN, it should see our domain controller and use the appropriate group policy. However, the firewall is staying active. I checked to make sure ICMP allowed in the group policy and made sure the policy was configured correctly. I am going to put a call into microsoft to help resolve this issue, but I figured Id put it out there for the IT folks around here to see if anyone had any input. Once I get a resolution from microsoft, I'll make sure to post it in here.

Have you looked at your Event Viewer on the client to see if it generates any helpful error codes? I'm guessing that there may be an issue with DNS here.

I'm spitballing here, but wouldn't VPN still be considered 'outside' the network since you're physically not 'inside'?

DRice,

Once connected to the network via VPN the Remote machine is considered a machine inside the domain. The problem is disabling the windows firewall when connected to the domain via VPN. Then activating the windows firewall once disconnected from the VPN. The goal is single firewall protection when connected and disconnected from the VPN.

The policy settings are kind of slow sometimes to catch up that it's back on the domain once it's been off - vpn or no vpn, sometimes you have to run a gpupdate to trigger it to switch back.

Having said that, you might consider just making the VPN connection "disabled" in the firewall so that even if firewall is on, the VPN connection will be unaffected (under the advanced tab in the firewall settings, uncheck the VPN connection in question - for XP). I mean if you have someone sitting in a Starbucks, I don't think you want the whole firewall down anyway, you'd want the firewall to protect the wifi connection, but let traffic through the VPN.

And actually I'm not even sure if being on the domain via VPN qualifies it to turn off as far as policy is concerned. That might be intentional behavior because of what I mentioned above.