VPN and XP Firewall GPO settings

by Paul Hutchings-2

Folks, hoping for a little input here:

We have a Juniper SSL VPN that has Network Connect functionality. We have our Group Policies configured so that when onsite the XP firewall is disabled, and when offsite the XP firewall is enabled.

It seems what's happening when people use the Network Connect functionality of the VPN is that XP is detecting that it has connectivity to the LAN and the domain controllers/DNS boxes and is switching from the "Standard Profile" to the "Domain Profile" and dropping the firewall, which is of course unacceptable (I accept it's behaving by design so it's not really a criticism of Microsoft).

What do people do to work around this kind of issue? I guess a group policy for laptops that enables the firewall even when on the domain is one option, and I've opened a case with JTAC in case I'm missing something on the SA config.

Thanks.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: VPN and XP Firewall GPO settings

by Victor Williams-2

We have our GPOs set to have the firewall on, with the only exception being that TCP ports 139 and 445 can be accessed by our domain controllers. Would a setup like this not work?

All of our VPN clients work with the Microsoft XP firewall turned on without issue.  We use the Cisco IPSec client as well as the AnyConnect VPN client.  No issues with either.

The XP firewall by default allows any outgoing traffic, and no incoming unless you so specify.  I'm not sure why it would be blocking your outgoing VPN traffic originating from your workstations.  If it is, you should be able to make an exception related to the actual VPN executable allowing it outgoing access, and leave the firewall on all the time, regardless of what network it's connected to.




Re: VPN and XP Firewall GPO settings

by Paul Hutchings-2

Sorry, I may have explained badly, so just to clarify:

Our default GPO is set to enable the XP Firewall when the laptops are on "Standard Profile" and disable it when using "Domain Profile" (going by "netsh firewall show currentprofile").

What seems to happen is that the laptop is using public Wi-Fi, so it's on "Standard Profile" and the firewall is enabled.

User connects using Network Connect.

XP does a GPUpdate and, because it can reach the domain controllers, seems to assume "Oh, I'm on the domain", switches to Domain Profile and switches off the firewall on the client.

I could configure a GPO just for laptops that keeps the firewall on regardless, but I'm trying to ascertain whether what I'm seeing is normal or not.

Also, what (if any) mitigation does disabling split tunnelling, so the VPN client can't see/be seen even on the local subnet, have?

Cheers,
Paul

On 22 Jun 2009, at 17:01, Victor Williams wrote:

> We have our GPOs set to have the firewall on, with the only exception being that TCP ports 139 and 445 can be accessed by our domain controllers. Would a setup like this not work?
>
> All of our VPN clients work with the Microsoft XP firewall turned on without issue. We use the Cisco IPSec client as well as the AnyConnect VPN client. No issues with either.
>
> The XP firewall by default allows any outgoing traffic, and no incoming unless you so specify. I'm not sure why it would be blocking your outgoing VPN traffic originating from your workstations. If it is, you should be able to make an exception related to the actual VPN executable allowing it outgoing access, and leave the firewall on all the time, regardless of what network it's connected to.
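As an added example (not configuration posted by anyone in this thread), the netsh equivalent of what Victor describes, applied to both profiles so that the Domain-profile switch Paul observes no longer drops the firewall; the domain controller addresses 10.0.0.10 and 10.0.0.11 are constructed placeholders. In a GPO-managed estate the same settings are set per profile under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall, and policy takes precedence over local netsh changes.

```batch
@echo off
rem Added example for XP SP2/SP3 (netsh firewall context), not the list's or
rem Juniper's configuration. Intended to run as a startup script so the state
rem is re-asserted on every boot, whatever profile XP decides it is on.
rem Assumption (constructed): the domain controllers are 10.0.0.10 and 10.0.0.11.

set DCS=10.0.0.10,10.0.0.11

rem 1. Firewall on, exceptions allowed, for Domain AND Standard profiles.
rem    profile=ALL is the point: a VPN-triggered switch to the Domain profile
rem    now lands on a profile that is also enabled.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Turn off the broad File and Printer Sharing service exception so the
rem    port-specific rules below are the only inbound SMB/NetBIOS path.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

rem 3. Victor's exception: TCP 139 and 445 reachable only from the DCs.
rem    scope=CUSTOM with an explicit list, not SUBNET, so a hostile machine on
rem    the same public Wi-Fi or VPN pool gets nothing.
netsh firewall set portopening protocol=TCP port=139 name="NetBIOS session (DCs only)" mode=ENABLE scope=CUSTOM addresses=%DCS% profile=ALL
netsh firewall set portopening protocol=TCP port=445 name="SMB (DCs only)" mode=ENABLE scope=CUSTOM addresses=%DCS% profile=ALL

rem 4. Verify: every profile block in "show opmode" must read
rem    "Operational mode = Enable" (English-locale output assumed).
netsh firewall show opmode | findstr /i "Operational" | findstr /i "Disable" >nul
if errorlevel 1 (
    echo OK: firewall enabled on both Domain and Standard profiles
) else (
    echo WARNING: a profile still reports Operational mode = Disable
    exit /b 1
)
```

Run `netsh firewall show currentprofile` afterwards, as Paul does, to confirm which profile XP has selected; with the settings above the answer no longer matters for whether the firewall is up.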

Re: VPN and XP Firewall GPO settings

by Victor Williams-2

Isn't the catch-all to just leave it on all the time?  What is the value of not having it on if the laptop is connected to your immediate network?

I leave ours on all the time. We don't allow workstations/laptops to share files or printers; all that is handled on our servers. So, it works well for us. Again, what is the value of turning the firewall off when the laptop enters your network?




Re: VPN and XP Firewall GPO settings

by Chris Hughes-9

I'm with Victor: disable split tunneling. I used to have connectivity issues using the Juniper Network Connect VPN with no split-tunneling. Very poor implementation. Certain drivers used by the clients were causing repeated connection resets and disaster seemed imminent during rollout. Juniper was not forthcoming on this issue. Only after compiling a list of all the drivers/apps that cause this was I able to settle down the problem. If you are interested I can share my list of apps/processes.

We don't use XP firewalling. Instead we use the ISS IDS client on all machines. Nice product, lots of control/forensics.

