Re: [fw-wiz] VPN and XP Firewall GPO settings



Isn't the catch-all to just leave it on all the time? What is the value of not having it on if the laptop is connected to your immediate network?

I leave ours on all the time. We don't allow workstations/laptops to share files or printers...all that is handled on our servers. So, it works well for us. Again, what is the value of turning the firewall off when the laptop enters your network?


---- Paul Hutchings <paul@xxxxxxxxxxx> wrote:
Sorry, I may have explained badly so just to clarify:

Our default GPO is set to enable the XP Firewall when the laptops are
on "Standard Profile" and disable it when using "Domain
Profile" (going from "netsh firewall show currentprofile").

What seems to happen is the laptop is using public wi-fi, so it's on
"Standard Profile" and the firewall is enabled.

User connects using Network Connect.

XP does a GPUpdate and, because it can reach the domain controllers,
seems to assume "Oh, I'm on the domain", switches to Domain Profile
and switches off the firewall on the client.

I could configure a GPO just for laptops that keeps the firewall on
regardless, but I'm trying to ascertain whether what I'm seeing is
normal or not.

Also what (if any) mitigation does disabling split tunnelling so the
VPN client can't see/be seen even on the local subnet have?

Cheers,
Paul

On 22 Jun 2009, at 17:01, Victor Williams wrote:

We have our GPOs set to have the firewall on, with the only
exception being that TCP ports 139 and 445 can be accessed by our domain
controllers. Would a setup like this not work?

All of our VPN clients work with the Microsoft XP firewall turned
on without issue. We use the Cisco IPSec client as well as the
AnyConnect VPN client. No issues with either.

The XP firewall by default allows any outgoing traffic, and no
incoming unless you so specify. I'm not sure why it would be
blocking your outgoing VPN traffic originating from your
workstations. If it is, you should be able to make an exception
related to the actual VPN executable allowing it outgoing access,
and leave the firewall on all the time, regardless of what network
it's connected to.


---- Paul Hutchings <paul@xxxxxxxxxxx> wrote:
Folks hoping for a little input here:

We have a Juniper SSL VPN that has Network Connect functionality. We
have our Group Policies configured so that when onsite the XP firewall is
disabled and when offsite the XP firewall is enabled.

It seems what's happening when people use the Network Connect
functionality of the VPN is that XP is detecting that it has
connectivity to the LAN and the domain controllers/DNS boxes and is
switching from the "Standard Profile" to the "Domain Profile" and
dropping the firewall, which is of course unacceptable (I accept it's
behaving by design so it's not really a criticism of Microsoft).

What do people do to work around this kind of issue? I guess a group
policy for laptops that enables the firewall even when on the domain
is one option, and I've opened a case with JTAC in case I'm missing
something on the SA config.

Thanks.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
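A small audit script, added here as an example and not part of the thread, that parses the output of `netsh firewall show opmode` (the XP SP2 command; the embedded sample output is constructed to match what that command prints) and flags any profile whose firewall is off. On the GPO Paul describes it reports the Domain profile, which is the setting that lets a Network Connect session drop the firewall once a domain controller becomes reachable.

```python
"""Audit XP firewall profile state from "netsh firewall show opmode" output."""
import re

# Constructed sample (not captured from a real host), shaped like XP SP2's
# "netsh firewall show opmode" for the thread's GPO: Domain off, Standard on.
SAMPLE_OPMODE = """\
Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
"""

# Header line of each profile block; "(current)" marks the active profile.
PROFILE_RE = re.compile(
    r"^(Domain|Standard) profile configuration(?: \((current)\))?:", re.M)

def parse_opmode(text):
    """Return {profile: {"enabled": bool, "current": bool}} per profile block."""
    profiles = {}
    heads = list(PROFILE_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        mode = re.search(r"Operational mode\s*=\s*(\w+)", body)
        profiles[head.group(1)] = {
            "enabled": mode is not None and mode.group(1).lower() == "enable",
            "current": head.group(2) is not None,
        }
    return profiles

def audit(profiles):
    """List findings; empty means the firewall stays on whichever profile wins."""
    findings = []
    for name in ("Domain", "Standard"):
        prof = profiles.get(name)
        if prof is None:
            findings.append(f"{name} profile missing from netsh output")
        elif not prof["enabled"]:
            findings.append(f"{name} profile has the firewall disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_opmode(SAMPLE_OPMODE)):
        print("FINDING:", finding)
```

On a live XP host, feed the script the real `netsh firewall show opmode` output instead of the constructed sample.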


