Assign NPS (VPN) clients to Private or Domain (not Public) network

    Question

  • Is it possible to assign a VPN (by NPS) client to a non-Public network (in terms of Firewall/Network Center), say Private or Domain? I want particular firewall rules to apply to these users, but now only the Public rule profile applies, which is inadmissible.

    I'm using Windows Server 2008 non-R2 SP1, but can switch to R2 if that will be required. Thanks!

    June 21, 2012 8:05 PM

Answers

All replies

  • Hi abatishchev,

    Thanks for posting here.

    The system will automatically determine and assign a firewall profile to any active interface. This is controlled by the OS on the client side, not by the VPN or RADIUS server.

    Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles

    http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx

    Perhaps we can adjust the VPN address assignment and add our domain name into the DNS suffix, which will make the system recognize it and assign the “Domain” profile to it. Of course, we can also achieve that by customizing the VPN client software with CMAK, specifying the DNS suffix:

    Remote Access Deployment – Part 1: Configuring Remote Access Clients

    http://blogs.technet.com/b/rrasblog/archive/2009/03/25/remote-access-deployment-part-1-configuring-remote-access-clients.aspx

    Thanks.

    Tiger Li


    TechNet Community Support

    • Marked as answer by Tiger Li, June 26, 2012 8:10 AM
    June 22, 2012 7:05 AM
  • Thank you for your quick response, and for the links you've provided.

    From the NLA article I've discovered that using GPEdit -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies I can assign "RAS (Dial In) Interface" to a Private Network Profile, which puts VPN clients there too.

    Is this a correct way, what do you think? Thanks again.

    • Marked as answer by Tiger Li, June 26, 2012 8:10 AM
    June 22, 2012 3:36 PM
  • Hi abatishchev,

    Thanks for the update.

    I couldn’t find the configuration you mentioned about assigning RAS to use the private profile under that. Could you show us that, maybe with a screenshot?

    Based on my knowledge, we can enforce the system to use a default profile (public or private) in a certain stage, “identifying, unidentified or all”; we can also read about these settings in the blog I posted.

    Thanks.

    Tiger Li


    TechNet Community Support

    June 25, 2012 7:19 AM
  • In the same menu as the list of “identifying, unidentified or all” you can right-click on the node in the snap-in tree and choose "show all networks" (iirc), where you can assign a profile per particular network.
    June 25, 2012 7:24 AM
  • Hi abatishchev,

    Thanks for the update.

    OK, I got it. Yes, I think that will work, however for this computer only.

    If we want to enforce all clients to assign an individual profile by group policy, then I think we’d better modify the settings of “Unidentified, Identifying or Network” and assign a profile.

    Thanks.

    Tiger Li


    TechNet Community Support

    June 25, 2012 7:37 AM
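
Added example (not part of the thread and not Microsoft's code): a PowerShell check to run on a VPN client while the tunnel is up, to confirm which category NLA actually gave each connected network after changing Network List Manager Policies or the DNS suffix. It assumes PowerShell 2.0 or later and uses the Network List Manager COM API available from Windows Vista / Server 2008; the function name `Get-ConnectedNetworkCategory` is made up for this example.

```powershell
# Added example. Run on the VPN client while the VPN connection is active.

# NLM_ENUM_NETWORK_CONNECTED: enumerate only currently connected networks.
$NLM_ENUM_NETWORK_CONNECTED = 1

# NLM_NETWORK_CATEGORY values mapped to the firewall profile each one selects.
$categoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

# Hypothetical helper name: returns one object per connected network.
function Get-ConnectedNetworkCategory {
    # CLSID of the NetworkListManager COM class.
    $nlmType = [Type]::GetTypeFromCLSID([Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B')
    $nlm = [Activator]::CreateInstance($nlmType)

    foreach ($network in $nlm.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)) {
        $category = [int]$network.GetCategory()
        New-Object PSObject -Property @{
            Name     = $network.GetName()
            Category = $categoryNames[$category]
        }
    }
}

$networks = @(Get-ConnectedNetworkCategory)
$networks | Format-Table Name, Category -AutoSize

# Flag every connected network that NLA left in the Public category,
# since those are the ones the Public firewall profile still governs.
$public = @($networks | Where-Object { $_.Category -eq 'Public' })
if ($public.Count -gt 0) {
    $names = ($public | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Networks still using the Public profile: $names"
}

# The firewall's own view of the active profile, for comparison.
netsh advfirewall show currentprofile
```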