Win7 Firewall, Cisco VPN client, and firewall profiles

    Question

  • We are starting a Windows 7 pilot within my organization and the firewall is one of the new features we will be testing. Our general goal is to keep things pretty open in the domain profile and much more restrictive with the public and private profiles. My question is about applying the domain profile over a VPN connection.

     

    We use a 3rd party (Cisco) VPN client. When we connect a Windows 7 machine to an external connection, it’s going to use the public or private profile. Once our client connects to the VPN connection, I’d like to apply the domain profile. Is this possible?

    Wednesday, September 30, 2009 12:48 PM

Answers

  • Hi,

     

    Regarding your question, I would like to say that we cannot apply the Domain profile to the network manually. Only when this computer identifies that this is a Domain network will the domain profile be applied. If the network has been recognized as a Domain network, the profile cannot be changed manually.

     

    For your external connection, if it is not recognized as a Domain network, you can manually select its profile in Network and Sharing Center. In addition, for your better understanding about this, I would share the following with you:

     

    Windows Firewall with Advanced Security Getting Started Guide

     

    Exploring The Windows Firewall

     

    Hope this helps. Thanks.


    Nicholas Li - MSFT
    Tuesday, October 06, 2009 7:43 AM

All replies

  • Is anybody looking to use the firewall in an enterprise environment...using any 3rd party VPN client?
    Thursday, October 01, 2009 1:34 PM
  • We are having the exact same problem, with Windows 7 and Cisco AnyConnect VPN client. The issue is the same as you are having, where when a user connects, Windows is treating the VPN connection as part of the network they are connected to first. So for instance, if the user connects to a public network somewhere, when they connect with VPN, it seems to be using the Public firewall profile. Essentially, even with VPN connected, Windows firewall is blocking everything as if it were a public connection.

    Based on the reply and documentation and other threads that I've read, the solution I'm getting is that the user would have to select (when prompted) or manually select "Work" as the network type each and every time they connect to a new network.  This will NOT work.  We cannot rely on users to manually select settings.  There needs to be something that is set one time, and applies so that the users don't need to be involved at all.

    So far though, I've seen nothing of this sort with Windows 7 firewall.  One workaround that I found is to completely disable the firewall on the VPN connection in the advanced settings in Windows firewall.  I guess this is one way around it, but again you are relying on the user to change this setting which is not a good way to handle things.

    Tuesday, January 18, 2011 2:05 PM
  • We are seeing the exact same thing as well. In our case we are using the Cisco VPN Client and when the VPN is connected on the Windows 7 system, it does not detect it as a Domain Profile. What are the determining factors that 7 uses in order to detect it is a Domain profile? As quoted from the help file: Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined. Well, I don't see how it couldn't be detecting it when I am able to access all the network resources in question when I am attached to the VPN. Please advise...
    Thursday, January 20, 2011 7:39 PM
  • I'm seeing this problem also. This is how we fixed it.

    Connect the Cisco VPN. Otherwise it isn't listed.

    Open Windows Firewall Advanced Security

    Click Windows Firewall Properties (middle about half way down)

    Click Private Profile Tab

    Click Customize next to Protected network connections.

    Uncheck the VPN network card only (this only shows up while the VPN is connected) You may want to check Network Connections to see how it's named. In our case it was "Local Area Connection 2"

     

    Do the same for the Public Profile Tab

    This removes the tunnel connection from the Firewall blocking and allows remote access through the tunnel.

     


    • Proposed as answer by LomM Monday, November 21, 2011 12:00 PM
    Tuesday, February 08, 2011 4:21 PM
  • I'm seeing this problem also. This is how we fixed it.

    Connect the Cisco VPN. Otherwise it isn't listed.

     

    Open Windows Firewall Advanced Security

    Click Windows Firewall Properties (middle about half way down)

    Click Private Profile Tab

    Click Customize next to Protected network connections.

    Uncheck the VPN network card only (this only shows up while the VPN is connected) You may want to check Network Connections to see how it's named. In our case it was "Local Area Connection 2"

     

    Do the same for the Public Profile Tab

     


    Thanks for this m8! Helped a lot :) I also had to automate this process so I did this batch script (someone with more skill could prob. make a better one, and with PowerShell it would prob. look even better :) ALSO you don't have to connect the VPN client if you do this "manually"; you just need to enable the Cisco VPN adapter from:

    Control Panel\Network and Internet\Network Connections

    (NCPA.cpl)

     

     

    ::This script will copy the network card adapter id into the firewall exception list
    @ECHO OFF
    SET cisconame=
    ::Search for the "Cisco Systems VPN Adapter" in the system's network adapter list
    FOR /F %%G IN ('REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} /f "Cisco Systems VPN Adapter" /s ^| FIND "HKEY_LOCAL_MACHINE"') DO SET cisconame=%%G
    ::Stop here if no adapter was found instead of writing an empty value into the firewall policy
    IF "%cisconame%"=="" (
        ECHO Cisco Systems VPN Adapter not found
        EXIT /B 1
    )
    ::Now the cisconame variable holds the REGKEY under which the adapter's ID is stored
    ::Search for NetCfgInstanceId; that GUID is what the Windows firewall exception list needs
    ::(token 3 of the "End of search:" line is "search:", which is skipped)
    FOR /F "tokens=3 skip=2" %%G IN ('REG QUERY "%cisconame%" /f "NetCfgInstanceId"') DO IF %%G NEQ search: SET cisconame=%%G

    ::Write this value to the public and private profiles so that the firewall always ignores the Cisco VPN adapter
    ::WARNING! this will also replace any other ignore list you might have set before
    REG ADD HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v DisabledInterfaces /t REG_SZ /d %cisconame% /f
    REG ADD HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v DisabledInterfaces /t REG_SZ /d %cisconame% /f
    ::RESTART the computer so that the new settings are installed
    exit

    WARNING! always test registry scripts in your test environment before you implement them anywhere. This script was built only for our environment and might not work on your machines. We are using VPN client version 5.0.06. I also don't know how this script will behave if you have multiple Cisco Systems VPN Adapters installed on a single machine.



    • Edited by LomM Monday, November 21, 2011 12:30 PM
    Monday, November 21, 2011 12:14 PM
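The post above wishes for a PowerShell version, so here is one, added for this page; it is not LomM's script and not code from Cisco or Microsoft. It reads the same registry locations the batch script uses. Two things it adds that the batch script does not: an audit function that lists, per firewall profile, every interface the firewall has been told to ignore (so you can see exactly which adapters are unprotected, which is the first thing to check when rules still seem to apply as in the later post), and an add function that appends the Cisco adapter's GUID instead of overwriting whatever DisabledInterfaces already holds, and refuses to guess when zero or several adapters match. It assumes, as LomM's script does, that DisabledInterfaces is a REG_SZ, and additionally assumes that several GUIDs in it are separated by semicolons; the function names and the 'Cisco Systems VPN Adapter*' pattern are this example's own.

```powershell
# Added example for this thread (not LomM's script, not Cisco's or Microsoft's code).
# Audits which interfaces each Windows Firewall profile ignores, and can add the Cisco
# VPN adapter to that list without overwriting existing entries.
# Assumptions: the registry keys the batch script above uses; DisabledInterfaces is a
# REG_SZ and holds several interface GUIDs as a semicolon-separated string (assumed).
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax, so it works on Windows 7);
# a restart applies the change, as the batch script notes.

$ClassKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
# Registry subkey -> profile name as shown in Windows Firewall with Advanced Security
$ProfileNames = @{ DomainProfile = 'Domain'; StandardProfile = 'Private'; PublicProfile = 'Public' }

function Get-AdapterGuidMap {
    # Map NetCfgInstanceId (the GUID the firewall stores) -> DriverDesc for every adapter
    # under the network adapter class key. The 'Properties' subkey is access-denied even
    # for administrators, so read errors are silenced.
    $map = @{}
    foreach ($sub in (Get-ChildItem -Path $ClassKey -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.NetCfgInstanceId) { $map[$p.NetCfgInstanceId] = $p.DriverDesc }
    }
    return $map
}

function Get-FirewallIgnoredInterfaces {
    # One row per (profile, interface GUID) currently excluded from firewall protection.
    # 'Adapter' is empty when a GUID no longer matches an installed adapter (a stale entry).
    $map = Get-AdapterGuidMap
    foreach ($sub in $ProfileNames.Keys) {
        $raw = (Get-ItemProperty -Path "$PolicyKey\$sub" -ErrorAction SilentlyContinue).DisabledInterfaces
        if (-not $raw) { continue }
        foreach ($guid in @($raw -split ';' | Where-Object { $_ })) {
            New-Object PSObject -Property @{
                Profile = $ProfileNames[$sub]; InterfaceGuid = $guid; Adapter = $map[$guid]
            }
        }
    }
}

function Add-FirewallIgnoredInterface {
    param(
        [Parameter(Mandatory = $true)][string]$DriverDescPattern,         # e.g. 'Cisco Systems VPN Adapter*'
        [string[]]$ProfileSubkeys = @('StandardProfile', 'PublicProfile')  # Private and Public, as in the thread
    )
    $map  = Get-AdapterGuidMap
    $hits = @($map.GetEnumerator() | Where-Object { $_.Value -like $DriverDescPattern })
    # Refuse to guess when zero or several adapters match (the batch script's open question)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one adapter matching '$DriverDescPattern', found $($hits.Count)."
    }
    $guid = $hits[0].Key
    foreach ($sub in $ProfileSubkeys) {
        $key  = "$PolicyKey\$sub"
        $raw  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisabledInterfaces
        $list = @()
        if ($raw) { $list = @($raw -split ';' | Where-Object { $_ }) }
        if ($list -notcontains $guid) { $list += $guid }   # keep exclusions that were already set
        Set-ItemProperty -Path $key -Name DisabledInterfaces -Value ($list -join ';') -Type String
    }
    return $guid
}

# Audit first: the table should list only the adapters you deliberately excluded.
Get-FirewallIgnoredInterfaces | Format-Table Profile, Adapter, InterfaceGuid -AutoSize
# Then, to reproduce the thread's workaround for the Cisco adapter:
# Add-FirewallIgnoredInterface -DriverDescPattern 'Cisco Systems VPN Adapter*'
```

Run the audit on a few pilot machines before and after the change; an interface excluded from a profile gets no firewall filtering at all on that profile, so the list is worth checking periodically rather than only at rollout.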
  • We have been running into the same issues and did implement a similar workaround to turn off the firewall for the VPN adapter.  The Cisco VPN client has the application launcher feature that we integrated a vbscript into to run the necessary commands to detect the VPN adapter name and turn off the firewall for it for whichever profile the user is connected under.

    What I'm still noticing though is some programs still are prevented from being accessed by the firewall even though it is off for the VPN interface. I was wondering if anyone could provide any more clarity around the difference between a program rule and a port rule. What I've found is even though there is a generic rule (or in this case firewall off and not protecting the interface) that it still prompts the user to create a rule for the program based on the profile. I don't see any traffic being blocked in the log, however the program is being blocked from being accessed.

    Using remote assistance for example, it appears any time a program launches after the system is already running and tries to set up a listener that it will require a rule, but for traffic to the system processes, etc. that are already running it will allow the traffic (i.e. set up a drive mapping to the c$ share). If there were a rule that allows any program on any port inbound, then why does it still prompt for certain programs to create rules?

    Tuesday, April 10, 2012 3:27 AM