Setting Network Locations in Server Core 2008 R2

    Question

  • Hi All,

    Couple of questions please

    1. Does anyone know how to change the Network Locations of NICs in Server Core, e.g. Domain, Public, Private? I guess it's going to be a NETSH command but I can't find anything...

    2. The reason I ask is because I have 2 NICs on a Windows 2008 Server Core R2. NIC1 is internet facing and NIC2 is internal. I want to set up NIC1 to be "PUBLIC" and NIC2 to be "PRIVATE". Then I am hoping to lock down ports on NIC1 (PUBLIC) and open ports up on NIC2 (PRIVATE) so I can still manage the server internally. Do you think this is possible?

    Thanks

    ECL

      

    Wednesday, February 29, 2012 1:18 PM

All replies

  • Hi,
     
    Please check:
     
    set {ProfileType}
    Configures options for the profile associated with the specified network location type.
     
    Netsh Commands for Windows Firewall with Advanced Security
    http://technet.microsoft.com/en-us/library/cc771920%28WS.10%29.aspx
     
    By the way, as far as I know, if you want to use two network adapters for different communication, you have to configure routes for them.
     

    Vincent Hu

    TechNet Community Support

    Monday, March 05, 2012 12:31 PM
    Moderator
  • Hi Vincent.  I don't think this answers what the OP is asking.  One can configure the options per profile type, but can you assign different profiles to different network adapters?  I think that is the question.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Monday, March 05, 2012 12:37 PM
  • Hi All,

    In the end I managed to remotely connect to the workgroup server (using matching local admin accounts) and use the Firewall MMC to configure the network profile on each NIC.

    Thanks

    ECL

     

    • Proposed as answer by jason404 Monday, March 12, 2012 7:03 PM
    • Unproposed as answer by jason404 Wednesday, March 14, 2012 9:27 AM
    Monday, March 05, 2012 12:58 PM
  • Hi ECL.

    I have been monitoring the question, because when I first saw it, I scoured the web for an answer, and could not find one.

    My thinking is:  If you can do it with wf.msc, why not with netsh?


    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Monday, March 05, 2012 2:04 PM
  • Same here, I googled for days :)
    Monday, March 05, 2012 2:09 PM
  • I have enabled remote management of the 2008 R2 Server Core host (Server Manager and MMC), and I have connected to the remote server with Server Manager, but I cannot see anywhere in the Firewall section where I can change the network profile from Public to Domain.

    I could modify the Public profile to act like Domain, but isn't there a more elegant way?

    Wednesday, March 14, 2012 9:30 AM
  • In the Public / Private or Domain profile tab, in the State section, click on Customise and you can assign the NICs to the different profiles.

    Wednesday, March 14, 2012 9:44 AM
  • Thanks for your reply, but are you sure that doesn't actually leave the firewall completely turned off for one interface? 

    What I was actually looking for was a way to keep one profile selected (Domain), as I have found that this remote server core DC sometimes switches to Public, which makes it impossible for it to work as a replica DC.

    netsh advfirewall show currentprofile

    Currently shows that the Domain profile is being used.

    If I deselect the WAN interface under Domain, both of them for Private, and deselect the VPN interface for Public, I suspect that the WAN interface will not actually have any firewall protection at all when the above netsh command shows that the Domain profile is active, or the VPN interface will have no firewall protection when the Public profile is active.

    I'll have to try the same thing out on a GUI version of Windows Server on a host with two interfaces to see if this is the case.

    Wednesday, March 14, 2012 5:02 PM
  • The core server I am using is in a workgroup and is using the public profile. As yours is in a domain it will use the domain. You can check to see which is really in use by enabling the firewall logging and checking the logs in c:\windows\system32\logfiles\firewall.

    Thursday, March 15, 2012 1:37 PM
  • I have the same problem.
    Can't the Core change network location?
    Thursday, April 05, 2012 9:00 AM
  • This attribute is not a property of the adapter or interface. An adapter or interface can be connected to different networks; this is obvious for Wi-Fi but is also true for wired Ethernet (just plug the cable into the hotel room socket to experience this).

    This attribute is a property of the "network signature", which is managed by the Network Location Awareness service. It identifies networks by things like the default gateway's MAC address and the DNS suffix provided by the DHCP server, creates a unique record for each such network and allows the user to set whether it is Public or Private. Then NLA pushes this setting down to the firewall.

    Now the solution:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

    Scan all subkeys here, and look at DefaultGatewayMac to find the proper one (Wi-Fi networks can have some other fields there, but I have some doubts about Wi-Fi on Server Core).

    In the proper subkey, find ProfileGuid.

    Then:

    net stop nlasvc

    (this also stops netprofm)

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{profile guid}

    Category (REG_DWORD): 0 - public, 1 - private. Edit this DWORD.

    net start netprofm

    (this also starts nlasvc)

    To check the tweak was actually applied:

    netsh adv sh cur

    (should be Public before, Private after)

    There is also a PowerShell script for this - but PowerShell is not installed by default on Core, and neither is its dependency, .NET 2.0.


    • Edited by maxim__sMVP Saturday, August 11, 2012 2:20 AM
    • Proposed as answer by jason404 Saturday, August 11, 2012 5:20 AM
    Saturday, August 11, 2012 2:08 AM
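
The registry procedure from the reply above, written as one script for hosts where PowerShell is installed. This is an added example, not part of the original post and not the script referred to in it. The -GatewayMac parameter name and the sample MAC are assumptions made for illustration; ProfileName is the display-name value stored under each profile key.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
param(
    [string]$GatewayMac,                    # e.g. '00-11-22-33-44-55' (placeholder); omit to only list
    [ValidateRange(0,1)][int]$Category = 1  # 0 = Public, 1 = Private, as given in the post
)

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'

# One record per unmanaged network signature, joined to the profile it points at.
$networks = @(Get-ChildItem "$base\Signatures\Unmanaged" | ForEach-Object {
    $sig = Get-ItemProperty -LiteralPath $_.PSPath
    # DefaultGatewayMac is REG_BINARY; render it as AA-BB-CC-DD-EE-FF.
    $mac = ''
    if ($sig.DefaultGatewayMac) {
        $mac = ($sig.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join '-'
    }
    $profilePath = "$base\Profiles\$($sig.ProfileGuid)"
    $netProfile  = Get-ItemProperty -LiteralPath $profilePath -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        GatewayMac  = $mac
        ProfileName = $netProfile.ProfileName
        Category    = $netProfile.Category
        ProfileGuid = $sig.ProfileGuid
        ProfilePath = $profilePath
    }
})
$networks | Format-Table GatewayMac, ProfileName, Category, ProfileGuid -AutoSize | Out-Host

if (-not $GatewayMac) { return }            # audit only: nothing is changed

# Refuse to guess: the MAC must identify exactly one stored network.
$wanted = $GatewayMac.Replace(':', '-')
$target = @($networks | Where-Object { $_.GatewayMac -eq $wanted })
if ($target.Count -ne 1) {
    throw "Expected one signature with gateway $wanted, found $($target.Count)."
}

Stop-Service nlasvc -Force                  # -Force also stops the dependent netprofm
try {
    Set-ItemProperty -LiteralPath $target[0].ProfilePath -Name Category -Value $Category -Type DWord
}
finally {
    Start-Service netprofm                  # starting netprofm also starts nlasvc
}
netsh advfirewall show currentprofile
```

Run it without arguments first to list the stored networks and their current Category, then again with -GatewayMac for the single network whose category should change.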
  • Have you got the link for the PowerShell script?  The Amazon EC2 Windows Server 2008 R2 Server Core AMI I have been using does have PowerShell installed by default.

    Thanks.

    Saturday, August 11, 2012 5:23 AM
  • Here is the link:

    http://blogs.msdn.com/b/powershell/archive/2009/04/03/setting-network-location-to-private.aspx

     

    And that's the script:

    # Skip network location setting for pre-Vista operating systems
    if([environment]::OSVersion.version.Major -lt 6) { return }

    # Skip network location setting if local machine is joined to a domain.
    if(1,3,4,5 -contains (Get-WmiObject win32_computersystem).DomainRole) { return }

    # Get network connections
    $networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
    $connections = $networkListManager.GetNetworkConnections()

    # Set network location to Private for all networks
    $connections | % {$_.GetNetwork().SetCategory(1)}



    • Edited by sbrutsch Tuesday, January 01, 2013 1:59 PM
    • Proposed as answer by jason404 Tuesday, January 01, 2013 4:47 PM
    Tuesday, January 01, 2013 1:58 PM