Sp2 firewall and VPN connection

Guest

I posted this on the AD Administration site and received zero responses, so I
thought I'd try this site.

I have a GPO that does the following for company laptops: it turns off the XP
SP2 firewall when machines are connected to the domain (Computer Config -> Admin
Templates -> Network -> Network Connections -> Windows Firewall -> Domain
Profile). The firewall is on for the Standard Profile.

In testing with a Cisco VPN client (ver 4.6) connecting to a Pix 515e, I
find that if I connect to a network outside the domain (from my home in
testing) then the Standard policy is in effect and the firewall is active.
When I then connect to my company domain via VPN, the firewall stays
active. I don't want the firewall to be active in this case since my thinking
is: I need admin access to the remote machines (SMS remote control, Symantec
Anti-virus, etc.) and I don't have split-tunneling running, so all traffic goes
through the VPN tunnel and my domain is behind the Pix, so the VPN-connected
machines are protected without the local firewall active.

If I run "gpupdate /target:computer" then the Domain Policy goes into effect
and the firewall is de-activated. Running gpupdate changes the setting at
HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\History\NetworkName
from my local IP range to my company domain name. This key is used by Network
Awareness to decide between the application of the Domain and Standard policy.

The above change might also take effect at the 90 minute default
Group Policy refresh interval but I haven't checked this yet.

As far as I have seen in testing, after I run the gpupdate one time I can
disconnect and connect the VPN connection and the firewall settings will
change immediately (VPN = off, no VPN = on), but I need to automate the process
so that the firewall is off as soon as users connect via VPN.

I'm unclear why, after running the gpupdate, the firewall settings change
immediately based on whether the VPN is connected or not, since the GPO is a computer config
and my understanding is that a computer config doesn't "work" over VPN.

Another question is why doesn't Network Awareness pick up the change in
"Network Name" at the VPN connection to the domain?

Also, my understanding is that a user policy would have a more immediate
effect, but I don't see any means of setting the Domain/Standard firewall
policies under the User config.

My ultimate need is to have the firewall off when a remote user connects to
my domain via VPN. Anyone know how I can make this happen?

Thanks
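One way to script the manual step described in the post (added example, not from the original thread): once the tunnel is up and the domain is reachable, read the NetworkName value that Network Awareness uses, force the computer-policy refresh if it still holds the home network name, and report which firewall profile is now in effect. The domain name is a placeholder; the script assumes an administrator session on XP SP2 with PowerShell installed.

```powershell
# Added example, not the original poster's code. Assumes XP SP2, an elevated
# session, and that $DomainName is replaced with the real AD domain DNS name.
$DomainName = 'corp.example.com'   # placeholder
$Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\History'

function Get-PolicyNetworkName {
    # The value the post identifies as the Domain/Standard profile selector.
    $item = Get-ItemProperty -Path $Key -Name NetworkName -ErrorAction SilentlyContinue
    if ($item) { return $item.NetworkName } else { return $null }
}

function Test-DomainReachable {
    # A refresh can only pull Domain policy once the domain answers through the tunnel.
    return (Test-Connection -ComputerName $DomainName -Count 1 -Quiet)
}

function Get-FirewallProfileState {
    # XP SP2 netsh syntax; reports the profile in effect and whether the firewall is on.
    $out = netsh firewall show state
    $profile = ($out | Select-String 'Profile') | Select-Object -First 1
    $mode    = ($out | Select-String 'Operational mode') | Select-Object -First 1
    return ("$profile; $mode").Trim()
}

if (-not (Test-DomainReachable)) {
    Write-Host "Domain $DomainName not reachable; VPN not up yet, nothing to do."
    exit 1
}

$before = Get-PolicyNetworkName
if ($before -ne $DomainName) {
    Write-Host "NetworkName is '$before'; forcing computer policy refresh."
    gpupdate /target:computer /force | Out-Null
} else {
    Write-Host "NetworkName already '$before'; no refresh needed."
}

Write-Host ("NetworkName now: " + (Get-PolicyNetworkName))
Write-Host ("Firewall: " + (Get-FirewallProfileState))
```

The script only forces the refresh; which profile the firewall then applies is still decided by the GPO, so the final line is the check that the Domain profile actually took effect.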
Buck Rogers

> I posted this on the AD Administration site and received zero responses, so I
> thought I'd try this site.
> SNIP
>
> In testing with a Cisco VPN client (ver 4.6) connecting to a Pix 515e, I
> find that if I connect to a network outside the domain (from my home in
> testing) then the Standard policy is in effect and the firewall is active.
> SNIP
>
> My ultimate need is to have the firewall off when a remote user connects to
> my domain via VPN. Anyone know how I can make this happen?
>
> Thanks

Hello,

I don't have an answer to your question. However, I have found that
the following newsgroup has been very helpful in solving my Cisco
Pix/VPN questions: comp.dcom.sys.cisco

Check it out and post your question there if no help is forthcoming
here.

HTH YMMV

Buck