Firewall issues resulting from connection Location Type changing
I have recurring networking issues with Server 2008 that give incorrect results for evaluation of connection location type. Connections may be evaluated as public when they are private or domain. A reboot will sometimes correct the issue when domain connection is typed as public, but not after considerable disruption to the network users this causes due to firewall issues using the wrong profile. Connections that are manually changed from PUBLIC to PRIVATE are set back to PUBLIC after a reboot. Again causing much disruption due to firewall issues using a different profile.

Connections that are incorrectly typed as PUBLIC that should be PRIVATE or DOMAIN:

1. Internal Virtual network connections created in Hyper-V that have no external connection. These revert to public after each reboot as well.
2. Network connections with Private IP ranges like 10.0.0.0 that can't be accessed publicly unless a gateway device has been configured to allow it.
3. Network connections with no gateway specified, surely this is private since it can't talk off the subnet.
4. Domain connections that specify a domain DNS server on a different subnet to the connection.

I should be able to merge any two networks I want, especially PRIVATE and DOMAIN. In particular when they use the same domain DNS server and are connected to the same domain. At present my only workaround to these recurring issues is to disable the public firewall so the server keeps working when the network location type changes on reboot.

Much of this problem is because the network location type is determined dynamically every time, that is just dumb. Once I set it, and I should be able to set it to domain if that's what I want, it should not be able to change itself. It is the 'being too smart' logic here that is the root cause of many of these problems coming back each time.

With Server 2008 you never know after a reboot if the server will work because a network connection may change location type and use the wrong firewall profile. The only protection against this errant behaviour is to disable the firewall, especially the public profile since that is the one that gets used unexpectedly and causes problems. So just what is the point of the firewall if it has to be turned off to be reliable? I would like my servers to be safe behind a firewall, but they MUST BE RELIABLE before that.

Please look into this Microsoft, Server 2008 is a nightmare to run with the firewall turned on. Just making the location type permanent when I manually change it would suffice. Oh, and let me make it domain location.
August 13th, 2008 4:47am

I don't have a fix for you, but I agree that there is a problem. It is not so much with Hyper-V as with the networking setup in Server 2008 and network types.

I tried to set up a system with one of the RC releases to route virtual networks through the host and struck the same problems. It is completely unworkable. On every reboot the network type would switch from private to public and the server would lose connection to the physical network. I gave up and ran the router in a VM rather than the host, and had no further problems.

There have been a few posts in the networking forums and newsgroups complaining about this network type changing, but no suggestions or solutions.

Bill
August 14th, 2008 5:27am

Mark,

Have you seen this post? I haven't tried it yet but it might be the solution to your problem.

http://forums.technet.microsoft.com/en-US/winserverPN/thread/0dbb28f3-3597-4cee-9e26-3b3b0779f257

Bill
August 28th, 2008 2:51am

Hi, All

Finally, after about 4 hours of research, I think this is the solution.

To be able to change your second adapter status to private network profile do the following:

1. If this is needed for a stand-alone server, run the local security policy editor
2. Select Network List Manager Policies
3. At the right side you can select and double-click: Unidentified Networks
4. In the location type select Private, which means that all Unidentified networks will be considered as private profile network
5. You can also allow the user to change the Location profile

This will allow the system to keep settings after reboot.

The same holds true if you use the Domain Policy.

Have fun

Hikmat Kanaan
August 28th, 2008 4:01pm

Ultimately, you need to correct the underlying problem and have the network detected correctly. Hikmat's solution is a workaround that makes it work, even though the network is being detected INcorrectly.

Common reasons for Windows not correctly detecting a network type are:

- A NIC that is not connected to the network at all (this will be public, by default - Hikmat's solution addresses this one). The fix is to attach it to the network.
- Incomplete network configuration. For example, you must have a default gateway value, or Windows can't complete the identification.

Dave Bishop
September 22nd, 2008 8:12pm
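A read-only check that can be run after each reboot to see which location category every connected network received and whether its adapter has a default gateway, the condition named in the post above. This is an added example, not code from any poster in the thread; it assumes PowerShell is installed on the server and uses the Network List Manager COM API and `netsh advfirewall`.

```powershell
# Added example: report the location category of every connected network
# after boot. Read-only; it changes no category and no firewall setting.
# Network List Manager COM API (Windows Vista / Server 2008 and later).
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
$nlmClsid = [Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B'   # CLSID_NetworkListManager
$nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($nlmClsid))

# IP-enabled adapters keyed by adapter GUID (WMI SettingID is "{GUID}").
$adapters = @{}
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $adapters[$_.SettingID.Trim('{}').ToLower()] = $_ }

$publicCount = 0
foreach ($conn in $nlm.GetNetworkConnections()) {
    $net      = $conn.GetNetwork()
    $category = [int]$net.GetCategory()
    $cfg      = $adapters[$conn.GetAdapterId().ToString().Trim('{}').ToLower()]

    $adapter = '(adapter not found in WMI)'
    $gateway = '(none)'
    if ($cfg) {
        $adapter = $cfg.Description
        if ($cfg.DefaultIPGateway) {
            $gateway = [string]::Join(', ', $cfg.DefaultIPGateway)
        }
    }

    # One line per connection: category, network name, adapter, gateway.
    $line = '{0,-8} network="{1}" adapter="{2}" gateway={3}'
    $line -f $categoryName[$category], $net.GetName(), $adapter, $gateway

    if ($category -eq 0) { $publicCount++ }
}

# Firewall profile currently in force, as reported by the firewall itself.
netsh advfirewall show currentprofile state

# Non-zero exit lets a startup task or monitor alert on a Public category.
if ($publicCount -gt 0) {
    Write-Warning "$publicCount connection(s) categorized Public."
    exit 1
}
```

Run at startup from an elevated scheduled task, the exit code flags a server that came up with a connection categorized Public while the firewall stays enabled.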


While this is a year-old discussion, it does address some problems with Network and Sharing Center. There are circumstances where there is a necessity for incomplete network configuration, such as using a multi-homed server as a RRAS server when you don't want remote users to be able to gain access to the internet via the LAN network. Network and Sharing Center will make the LAN connection public because, by its criteria, the NIC properties are incomplete.

This isn't an underlying problem. It is a problem with Network and Sharing Center.

Network and Sharing Center is a great program for consumers and protecting their laptops using wireless; it's a nuisance on servers and in corporate environments.
October 17th, 2009 5:15am

It is now 2011 and we are using Server 2008 R2 and still seeing this problem. It appears that the problem to be fixed is in the OS, not the network connection or configuration. We have over a dozen servers having this problem, both VM and physical. When they reboot, about 1/3rd of the time, they come up using the Public FW profile. Since these are nearly all very basic servers with minimal configuration changes from the defaults, it is pretty clear that the problem is with the OS. The large numbers of posts in many forums with no real solutions backs this up. Microsoft, please provide a fix. thank you
August 23rd, 2011 12:31pm
