WS08 Core - Firewall Profile

Answered

  • February 20, 2008 12:17 PM

    Hi!

    I'm using WS08 ver 6.0.6001 and I have 2 nodes in my test network:

    1. Full - AD server

    2. Core - Member server

    The problem is that, when I add the Core server to the domain, the firewall profile stays Standard.

    Could somebody please tell me how to get the profile to the Domain profile? What should I check?

    PS! I am using public IP addresses.

    Regards,

    Putuk

All replies

  • February 20, 2008 09:39 PM
     Answered

    Since the firewall in Server Core performs in the same way as the firewall in a Full Installation of Windows Server 2008 and Windows Server 2003, the following piece of text from the Windows Firewall Technical Reference on the Microsoft Web site applies:

    Windows Firewall uses a network determination algorithm to determine which profile to use.

    The network determination algorithm uses connection-specific DNS suffix information to determine whether a computer is connected to a managed network containing the domain in which the computer is a member. To do this, the algorithm compares the following DNS suffix information:

    • The last-received Group Policy update DNS name. This is stored in the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry entry and represents the connection-specific DNS suffix of the connection over which the last Group Policy update was received.
    • The connection-specific DNS suffixes of the currently connected connections (those that are assigned an IP address) that are not Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP)-based, such as dial-up or VPN network connections.

    Using this DNS suffix information, the algorithm performs the following analysis:

    • If the computer is not a member of a domain, then the computer is always attached to another network.

    • If the last-received Group Policy update DNS name matches any of the connection-specific DNS suffixes of the currently connected connections on the computer that are not PPP or SLIP-based, then the computer is attached to a managed network.

    • If the last-received Group Policy update DNS name does not match any of the connection-specific DNS suffixes of the currently connected connections on the computer that are not PPP or SLIP-based, then the computer is attached to another network.

    Windows uses this network determination process during startup and when it is informed by the Network Location Awareness service that network settings on the computer have changed. To determine which profile to use, Windows Firewall applies this network determination process as follows:

    • If the connection-specific DNS suffix of a currently connected connection on the computer that is not PPP or SLIP-based (such as an Ethernet or 802.11 wireless network adapter) matches the value of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry entry, Windows Firewall uses the domain profile.
    • If the connection-specific DNS suffix of a currently connected connection on the computer that is not PPP or SLIP-based does not match the value of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry entry, Windows Firewall uses the standard profile.

    In short: The Server Core box feels it is not connected to a network that contains the domain controllers for the domain in which its computer account resides.
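The determination rules quoted above, reduced to a small runnable model (an added example, not code from this reply or from Microsoft's documentation; the adapter names and DNS suffixes are constructed, and `network_name` stands in for the value of the Group Policy\History\NetworkName registry entry):

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Connection:
    """One network connection as the algorithm sees it (constructed model)."""
    name: str
    dns_suffix: str          # connection-specific DNS suffix, "" if none
    has_ip: bool = True      # only connections with an assigned IP count
    kind: str = "ethernet"   # "ethernet", "wireless", "ppp" or "slip"


def candidate_suffixes(connections: List[Connection]) -> set:
    """Suffixes of connected, non-PPP/SLIP connections (dial-up and VPN excluded)."""
    return {
        c.dns_suffix.lower()
        for c in connections
        if c.has_ip and c.kind not in ("ppp", "slip") and c.dns_suffix
    }


def network_location(domain_member: bool, network_name: str,
                     connections: List[Connection]) -> str:
    """Return 'managed' or 'other' following the three rules quoted above.
    network_name stands in for the Group Policy\\History\\NetworkName value:
    the suffix of the connection the last Group Policy update came over."""
    if not domain_member:
        return "other"    # a non-member is always on "another network"
    if network_name and network_name.lower() in candidate_suffixes(connections):
        return "managed"  # one matching non-PPP/SLIP connection is enough
    return "other"


def firewall_profile(domain_member: bool, network_name: str,
                     connections: List[Connection]) -> str:
    """Map the network location to the firewall profile Windows selects."""
    location = network_location(domain_member, network_name, connections)
    return "domain" if location == "managed" else "standard"


# Constructed scenario modelled on the thread: a member server with a public
# Hyper-V NIC and a SAN NIC that carries no DNS suffix at all.
MEMBER_SERVER = [
    Connection("Public Hyper-V", dns_suffix="corp.example"),
    Connection("SAN", dns_suffix=""),
]

if __name__ == "__main__":
    print(firewall_profile(True, "corp.example", MEMBER_SERVER))  # domain
    print(firewall_profile(True, "isp.example", MEMBER_SERVER))   # standard
```

The SAN NIC never matches anything, yet it does not block the domain profile; what decides the outcome is whether the suffix recorded at the last Group Policy update is still present on some connected, non-PPP/SLIP adapter.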

  • March 7, 2008 01:58 PM

    OK, I get it.
    But in this case I can't see a way to resolve my situation:

    1. I have a public network serving the Hyper-V interface
    2. I have a private VLAN for the SAN network (192.168.0.x)

    The first server now has 3 NICs:
    1. DC serving DNS and DHCP
    2. DHCP-enabled public Hyper-V
    3. SAN

    The second and third have 2 NICs:
    1. DHCP-enabled public Hyper-V serving HTTP
    2. SAN

    How could I then use the Firewall's Domain Profile to secure my connections between servers with Domain rules and open up only HTTP connections with Public rules?

    I know that the Firewall's Domain Profile is activated only when the second and third servers can authenticate with my domain controller using every network interface. So is there even a way that I could solve this with the available hardware?

  • March 10, 2008 11:48 PM
    Owner
     Answered

    Hi,

    Based on my understanding of the firewall, you are going to have to simply open the ports you need. You aren't going to be able to use both domain and public.

    Andrew

  • March 14, 2012 09:55 AM

    Do you know how to change a 2008 R2 Server Core's network profile from Public to Domain?

    I have a remote server core DC which keeps on switching between Public and Domain on reboots.

    • Edited by jason404 March 14, 2012 10:21 AM