Network Location Awareness does not work correctly with VPN
Hello colleagues, I have the following Network/NLA problem: We have configured a Firewall GPO for our domain Windows 7 firewall. We leverage the NLA functionality, e.g. we shut down the FW in the Public and Private networks (only Core Networking and 80/443 for IE) and open the FW in the domain profile. This works perfectly for clients that connect directly to the LAN. As soon as the machine is connected, NLA makes the FW use the domain profile. The problem is for clients that connect via VPN. When the VPN is connected, the FW is not set to use the domain profile. The VPN solution we use is Juniper Network Connect. For troubleshooting purposes, I configured a FW rule that opens the firewall completely for all profiles (domain, public and private). But still no luck: the FW does not switch to the domain profile when setting up the VPN connection. The network name (connection-specific suffix) corresponds to the name in HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName. The domain controllers are reachable. What is the next step in troubleshooting this? Regards, Stephan van der Plas
You know you're an engineer when you have no life and can prove it mathematically
May 5th, 2011 4:59pm

It seems that stopping and starting the NLA service helps! Hereafter, the firewall has switched to the domain profile. Is this a bug in Windows 7 (SP1 32 bit)?
You know you're an engineer when you have no life and can prove it mathematically
May 5th, 2011 5:16pm

Hi, Thanks for posting in Microsoft TechNet Forum. First, glad to hear that you have got a workaround for your problem. Regarding your query, I do not think this is a Windows 7 bug; this would be caused by an improper setting. I would like to share the following article with you: Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles
Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 6th, 2011 5:35am

Alex, First: Stopping and starting the NLA (and NLS) service is not a workaround, though it is a clue for further troubleshooting. I am aware of the blog post you link to. Even more, I have referred to the Reg key that is stated in that blog post in my original post. So I think there IS a bug in Windows or Juniper NC or the combination of the 2.
You know you're an engineer when you have no life and can prove it mathematically
May 6th, 2011 5:41am

Hi, As we can see in the article above, we know that: "Not all VPN clients work this way. The Microsoft VPN client registers as a network interface and will get an associated Firewall Profile, but third-party VPN clients may not register and thus would not get an associated Profile." So I suggest you try Windows VPN to check how it works.
Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 9th, 2011 6:14am

Hi Alex, I do not have a Windows VPN backend available, so I cannot execute this test. But as you can see, there is no problem in the functionality as such. The problem is, the NLA (or better NLS) service is not triggered when setting up a VPN connection via Juniper NC. This might not be a Windows problem, but more a Juniper NC problem. My original question was: How can I troubleshoot this? By the way: We already have opened a support ticket at Juniper-tech.
You know you're an engineer when you have no life and can prove it mathematically
May 9th, 2011 6:19am

Hi, Just as what we see in the post, the third-party VPN client may not work properly with this feature. Hope you will get satisfactory information and suggestions from Juniper Support.
Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 11th, 2011 6:06am

Alex, We have done quite a lot of tests in the meantime, this time with the Junos Pulse 2.0R2 client. This client has the same problems. In the ipconfig information, the NIC and its IP settings are shown. Nowhere else (e.g. connection center) is the network shown. Restarting the NLS and NLA service in this case won't even help. I'll retry setting up a support call at J-tech (Juniper) for this. Regards, Stephan
You know you're an engineer when you have no life and can prove it mathematically
July 8th, 2011 9:23am
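A diagnostic script for the checks this thread walks through (active firewall profile, the NetworkName registry value, whether the VPN adapter is visible as an interface, domain controller reachability, and the NLA service restart that was observed to help). This is an added example, not code from any poster or from Juniper; `corp.example` is a placeholder domain name, and it targets the PowerShell 2.0 / netsh tooling available on Windows 7.

```powershell
# Added troubleshooting example (not from the thread). Run in an elevated
# PowerShell session on the Windows 7 client while the VPN tunnel is up.
$domain = "corp.example"   # placeholder: replace with your AD DNS domain name

# 1. Which firewall profile(s) does Windows consider active right now?
#    With a working VPN interface this should list the Domain profile.
Write-Host "== Active firewall profile(s) =="
netsh advfirewall show currentprofile

# 2. The network name NLA associates with the domain (the registry value
#    cited in the original post). The VPN adapter's connection-specific DNS
#    suffix must match this for the domain profile to be selected.
Write-Host "== Group Policy NetworkName =="
$gpHistory = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History"
(Get-ItemProperty -Path $gpHistory -Name NetworkName).NetworkName

# 3. IP-enabled adapters with their DNS suffix. If the VPN adapter is missing
#    here, the client never registered an interface NLA could classify.
Write-Host "== IP-enabled adapters =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, DNSDomain, IPAddress |
    Format-Table -AutoSize

# 4. Can a domain controller be located and contacted through the tunnel?
#    NLA only chooses the domain profile if a DC answers over that interface.
Write-Host "== Domain controller lookup =="
nltest /dsgetdc:$domain

# 5. State of the Network Location Awareness service. Restarting it (with
#    dependents, hence -Force) is the clue the thread found: if the profile
#    flips to Domain afterwards, NLA was never re-evaluated when the VPN
#    came up, which points at the VPN client rather than the firewall GPO.
Write-Host "== NLA service =="
Get-Service NlaSvc | Select-Object Name, Status
Restart-Service NlaSvc -Force
Start-Sleep -Seconds 5
netsh advfirewall show currentprofile
```

Compare the first and last `show currentprofile` outputs: a change from Public/Private to Domain only after the restart reproduces the behaviour reported in the thread.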
