Latest posts by Michael Pietroforte (see all)
- Result of the 4sysops 2016 topic poll - Tue, Apr 5 2016
- New free eBooks for SysAdmins and DevOps – VMware NSX, Windows 10, SQL Server 2016 - Mon, Mar 14 2016
- Introducing the 4sysops IT pro network - Tue, Mar 1 2016
You probably know that Windows distinguishes between Public, Home, and Work networks. Whenever you connect to a new network, Windows will ask what type of network it is. Each network has its own firewall profile, which allows you to configure different firewall rules depending on the security requirements of the user’s locations. You can use the Windows Firewall with Advanced Security’s snap-in filter to display only rules for specific locations. The corresponding firewall rule sets are Public (Public), Private (Home / Work), and Domain (when a domain-joined workstation detects a domain controller) (see comment below).
This works fine as long as you are only connected to one network at a time. As a matter of fact, more and more users now have their own networks at home. The problem is that once they connect to the corpnet, the Domain firewall rule set becomes active, which will break homegroup connections. The solution to this problem seems to be to work with multiple NICs. However, in Windows Vista, only one profile can be active on the computer at a time. Windows Sever 2008 machines that are connected to multiple networks suffer the same problem. In this case, the profile with the most restrictive settings is applied to all adapters on the computer.
Windows 7’s multiple active firewall profiles are the solution to this problem. It is now possible to assign each firewall profile to specific NICs. You can configure this feature in the Windows Firewall properties (right click on the root folder Windows Firewall with Advanced Security snap-in). This allows you to work with a different firewall profile for each network interface. If the computer is connected to multiple networks at a time, Windows Firewall will use the different rule sets for each NIC.
Note that this feature can’t be configured via Group Policy. At least the Group Policy settings of Windows Server 2008 R2 Beta don’t offer a corresponding option. The problem is that you can’t know in advance, for all external computers, which NIC is connected to the home network and which to the domain network. I guess that’s why you will have to configure this manually for each computer.