Forcing a NLA / firewall profile in multi-homed machine
I was wondering if anyone knows how to force specific network adapters (real or virtual) to take a specific NLA/firewall profile. I have a multi-homed machine in a domain and want one set of connections (192.168.x.x) to have a set of open ports and connections that I do not want the other (public address) NICs to have. Windows NLA identifies both NICs as "domain" profile, so I cannot tweak it. Is there a way to override this so one subnet has different blocked/enabled connections than the other subnet?
August 10th, 2011 4:32pm

Hi Steve, Thanks for posting here.

> Windows NLA identifies both NICs as "domain" profile

It is unusual that your host will identify and set your internet-facing interface to use the "domain" firewall profile, since a host must meet some conditions for domain determination which are quite different from the other profiles'. I'd suggest you first check the settings on your internet-facing NIC; could you also post the "ipconfig /all" results from this host here? Meanwhile, are you using the same name for the Active Directory domain and your internet domain?

Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles
http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx

Thanks.
Tiger Li
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 11th, 2011 9:52pm

Thanks for that reply. As to the questions: I have a separate server acting as PDC. It also seems to have the same behavior -- both NICs are being assigned domain profiles. This is a sub-domain set up specifically for testing. The PDC and test servers are all on the same sub-domain. The root domain is hosted elsewhere, so I just set up forwarders to the nameservers for DNS. I will look over the article on the link and post back. What I really want to achieve is the Intranet to be forced to a Private profile, and the Extranet to a Domain profile. Then I can manage all the unique firewall issues in the group policy.

Thanks again,
Steve
August 11th, 2011 10:21pm

Hi Steve, Thanks for the update. Yes, the odd thing is that the internet-facing NIC should not be recognized and assigned the domain profile if we configure this server properly. I'd like to check the server's network settings if you can share them with us.

Thanks.
Tiger Li
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 15th, 2011 3:05am

I don't know if you guys know this or not, but I believe you can "force" a particular profile to a specific NIC. See here...
http://4sysops.com/archives/windows-7-multiple-active-firewall-profiles/comment-page-1/#comment-242526

I don't know if you guys have seen this option or not. When you right-click on the root of the firewall and select Properties, you come to the window with tabs for each profile. There is a sub-heading called "Protected Network Connections". There you can select which NICs the firewall rules should apply to. Now don't quote me on this, because I haven't fully tested it, but I assume that the system will use the next highest level of protection if you remove the NIC from the "Public" profile. I hope this helped someone.
December 29th, 2011 11:14am
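The following script is an added example and is not from any post in this thread. It covers the original question (different open ports for the 192.168.x.x NIC than for the public NIC when NLA puts both in the Domain profile) and the last reply's "Protected Network Connections" option, but from the opposite direction: rather than unchecking a NIC under that heading, which stops the firewall filtering that connection for that profile instead of moving it to a stricter one, it keeps every NIC protected and pins the permissive rule to the intranet interface and subnet. It assumes the NetSecurity and NetConnection cmdlets that ship with Windows 8 / Windows Server 2012 and later (the 2008 R2-era hosts in the thread only expose the per-connection setting through the wf.msc GUI); the interface aliases `Intranet` and the port 8080 are placeholders, and the 192.168.0.0/16 range is taken from the question.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes Windows 8 / Server 2012+ cmdlets.
# Interface alias and port below are placeholders; get real aliases from Get-NetAdapter.
$IntranetNic  = 'Intranet'        # placeholder alias for the 192.168.x.x-facing NIC
$IntranetCidr = '192.168.0.0/16'  # intranet range from the question
$ServicePort  = 8080              # constructed example port that must stay intranet-only

# 1. What NLA decided per interface. Both NICs reporting DomainAuthenticated is the
#    symptom under discussion; that category comes from domain-controller reachability,
#    and Set-NetConnectionProfile only toggles Public/Private on non-domain networks.
function Get-NicProfileReport {
    Get-NetConnectionProfile |
        Select-Object InterfaceAlias, InterfaceIndex, Name, NetworkCategory,
                      IPv4Connectivity, IPv6Connectivity
}

# 2. Bind the allow rule to the intranet interface AND the intranet subnet. Traffic on
#    the public NIC never matches it and falls through to the profile's
#    DefaultInboundAction, which should stay Block.
function Add-IntranetOnlyAllowRule {
    param(
        [string]$DisplayName = "Intranet-only TCP $ServicePort",
        [int]$Port = $ServicePort
    )
    New-NetFirewallRule -DisplayName $DisplayName `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol TCP -LocalPort $Port `
        -InterfaceAlias $IntranetNic -RemoteAddress $IntranetCidr `
        -Profile Domain
}

# 3. Audit: enabled inbound Allow rules that are scoped to neither an interface nor a
#    remote address also apply to the public NIC whenever the shared profile is active.
function Get-UnscopedInboundAllowRules {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $rule  = $_
            $iface = $rule | Get-NetFirewallInterfaceFilter
            $addr  = $rule | Get-NetFirewallAddressFilter
            $port  = $rule | Get-NetFirewallPortFilter
            if ($iface.InterfaceAlias -eq 'Any' -and $addr.RemoteAddress -eq 'Any') {
                [pscustomobject]@{
                    DisplayName = $rule.DisplayName
                    Profile     = $rule.Profile
                    Protocol    = $port.Protocol
                    LocalPort   = ($port.LocalPort -join ',')
                }
            }
        }
}

# Usage: report, confirm no NIC has been excluded from a profile, add the rule, audit.
Get-NicProfileReport | Format-Table -AutoSize
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DisabledInterfaceAliases |
    Format-Table -AutoSize
Add-IntranetOnlyAllowRule | Out-Null
Get-UnscopedInboundAllowRules | Format-Table -AutoSize
```

The `DisabledInterfaceAliases` column in the profile report is the scripted view of the GUI's "Protected Network Connections" check boxes; an alias listed there is a connection the firewall is not filtering for that profile, so it is worth checking that column on a multi-homed host before relying on profile-based rules.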
