Re: [fw-wiz] VPN and XP Firewall GPO settings



We have our GPOs set to have the firewall on, with the only exception being that TCP ports 139 and 445 can be accessed by our domain controllers. Would a setup like this not work?

All of our VPN clients work with the Microsoft XP firewall turned on without issue. We use the Cisco IPSec client as well as the AnyConnect VPN client. No issues with either.

The XP firewall by default allows any outgoing traffic, and no incoming unless you so specify. I'm not sure why it would be blocking your outgoing VPN traffic originating from your workstations. If it is, you should be able to make an exception related to the actual VPN executable allowing it outgoing access, and leave the firewall on all the time, regardless of what network it's connected to.


---- Paul Hutchings <paul@xxxxxxxxxxx> wrote:
Folks, hoping for a little input here:

We have a Juniper SSL VPN that has Network Connect functionality. We
have our Group Policies configured so that when onsite the XP firewall is
disabled, and when offsite the XP firewall is enabled.

It seems what's happening when people use the Network Connect
functionality of the VPN is that XP is detecting that it has
connectivity to the LAN and the domain controllers/DNS boxes and is
switching from the "Standard Profile" to the "Domain Profile" and
dropping the firewall, which is of course unacceptable (I accept it's
behaving by design so it's not really a criticism of Microsoft).

What do people do to work around this kind of issue? I guess a group
policy for laptops that enables the firewall even when on the domain
is one option, and I've opened a case with JTAC in case I'm missing
something on the SA config.

Thanks.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

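The setup the reply describes, written out as an added example (not code from either poster): XP SP2/SP3 `netsh firewall` commands that keep the Windows Firewall on in the domain profile as well as the standard profile, open TCP 139 and 445 in the domain profile only to the domain controllers, and add a program exception for the VPN client. The DC addresses (10.0.0.10, 10.0.0.11) and the VPN client path are placeholders, not from the thread. These are the same items the Group Policy editor exposes under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, which is where you would actually set them for a laptop OU; a setting defined there overrides whatever netsh sets locally.

```batch
@echo off
REM Added example, not from the thread. XP SP2/SP3 "netsh firewall" syntax.
REM Placeholders: DC addresses 10.0.0.10,10.0.0.11 and the VPN client path.
REM Run as a local administrator. Any of these items defined in a GPO
REM override the local values shown here.

REM 1. The configuration behind the original post, shown for contrast and
REM    deliberately commented out: firewall off once the machine decides it
REM    is in the domain profile, which a Network Connect tunnel can trigger.
REM netsh firewall set opmode mode=DISABLE profile=DOMAIN
REM netsh firewall set opmode mode=ENABLE  profile=STANDARD

REM 2. Keep the firewall on in both profiles, so a profile switch while the
REM    VPN is up changes nothing. exceptions=ENABLE keeps the exception
REM    lists below in effect (the alternative is "shields up").
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 3. Domain-profile-only exceptions for NetBIOS session (139) and SMB (445),
REM    scoped to the domain controllers rather than scope=ALL or SUBNET.
REM    addresses= takes a comma-separated list; 10.0.0.0/24 or LocalSubnet
REM    are also accepted if you need a range.
netsh firewall set portopening protocol=TCP port=139 name="NetBIOS session (DCs only)" mode=ENABLE scope=CUSTOM addresses=10.0.0.10,10.0.0.11 profile=DOMAIN
netsh firewall set portopening protocol=TCP port=445 name="SMB (DCs only)" mode=ENABLE scope=CUSTOM addresses=10.0.0.10,10.0.0.11 profile=DOMAIN

REM 4. Program exception for the VPN client in both profiles. The XP firewall
REM    filters inbound traffic only, so outbound VPN traffic already passes;
REM    this entry is what lets the client receive unsolicited inbound packets
REM    if it ever needs to. Path is a placeholder.
netsh firewall set allowedprogram program="C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" name="VPN client" mode=ENABLE profile=ALL

REM 5. Verify: mode per profile, the exception lists, and the effective state
REM    for the profile the machine is currently in. Run "show state" again
REM    with the VPN connected to confirm the domain profile is still ENABLED.
netsh firewall show opmode
netsh firewall show portopening
netsh firewall show allowedprogram
netsh firewall show state
```

The point of step 2 is that the profile switch itself is not something you can prevent from the client side: XP picks the domain profile whenever it can reach a DC for its domain, and a routed VPN tunnel satisfies that test. Making the domain profile at least as restrictive as the standard profile removes the incentive to fight the detection.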
