Hi - Posted late yesterday same issue, but thinking it was Windows
Update hotfix related. It isn't. I can't post an update to the
thread as Google is erroring...!
But - now been able to perform more tests.
Basically, XPsp2 firewall settings set via GPO. On Domain, (DOMAIN
settings) firewall is off. Away from Domain (STANDARD settings)
firewall is on.
IPAutoConfiguration is DISABLED via GPO (e.g. laptops retain DHCP
address unless another DHCP server gives it new details). However, in
testing this we have tried with this both enabled and disabled, and to
be honest, doesn't make any difference.
We thought XPsp2 detected whether to run in DOMAIN/STANDARD profile by
talking to a DC - but it just seems to check if the suffix domain name
is correct. We can prove this by setting IP manually, and then
setting connection specific suffix to "anyoldname.com" (STANDARD
Profile - firewall on) - and then to "mycompany.com" (DOMAIN Profile -
firewall off)
So as you can see, our thoughts of XPsp2 being clever to
enable/disable the firewall by itself isn't accurate enough to trust
(unless we are doing something wrong).
Machine "Primary DNS Suffix" is set via GPO to "mycompany.com"
The firewall is INCORRECTLY DISABLED under the following conditions
(proved by checking state and seeing it is running in DOMAIN mode)
* Plugged onto "private LAN" without DHCP server away from network.
IPAutoConfiguration being disabled means old DHCP settings are
retained, including DNS suffix - so firewall turns off. (okay - admit
this should not cause too many issues!)
* Plugged onto "private LAN" with DHCP server configured - but
publishing IP/SNM/GW only - not DNS suffix. With a blank DNS suffix
the client "defaults" to the "mycompany.com" suffix and hence disables
the firewall. (how? Does it default to Primary DNS Suffix?)
Any suggestions on how to sort this out? Clearly there may be (are!)
networks out there which do not publish a DNS suffix via DHCP (default
on some home use hardware firewalls)
PS - Having firewall enabled whilst on corporate LAN is not an option
THANKS!