Re: [fw-wiz] VPN and XP Firewall GPO settings

We have our GPO's set to have the firewall on, with the only exception being tcp port 139 and 445 can be accessed by our domain controllers. Would a setup like this not work?

All of our VPN clients work with the Microsoft XP firewall turned on without issue. We use the Cisco IPSec client as well as the AnyConnect VPN client. No issues with either.

The XP firewall by default allows any outgoing traffic, and no incoming unless you so specify. I'm not sure why it would be blocking your outgoing VPN traffic originating from your workstations. If it is, you should be able to make an exception related to the actual VPN executable allowing it outgoing access, and leave the firewall on all the time, regardless of what network it's connected to.

---- Paul Hutchings <paul@xxxxxxxxxxx> wrote:
Folks hoping for a little input here:

We have a Juniper SSL VPN that has Network Connect functionality. We
have our Group Policies configured so that when onsite XP firewall is
disabled, when offsite XP firewall is enabled.

It seems what's happening when people use the Network Connect
functionality of the VPN is that XP is detecting that it has
connectivity to the LAN and the domain controllers/DNS boxes and is
switching from the "Standard Profile" to the "Domain Profile" and
dropping the firewall, which is of course unacceptable (I accept it's
behaving by design so it's not really a criticism of Microsoft).

What do people do to work around this kind of issue? I guess a group
policy for laptops that enables the firewall even when on the domain
is one option, and I've opened a case with JTAC in case I'm missing
something on the SA config.

firewall-wizards mailing list

firewall-wizards mailing list