Network Location Awareness does not work correctly with VPN
Hello colleagues,

I have the following Network/NLA problem. We have configured a Firewall GPO for our domain's Windows 7 firewall. We leverage the NLA functionality, e.g. we shut down the FW in the Public and Private networks (only Core Networking and 80/443 for IE) and open the FW in the domain profile. This works perfectly for clients that connect directly to the LAN: as soon as the machine is connected, NLA makes the FW use the domain profile.

The problem is with clients that connect via VPN. When the VPN is connected, the FW is not set to use the domain profile. The VPN solution we use is Juniper Network Connect. For troubleshooting purposes, I configured a FW rule that opens the firewall completely for all profiles (domain, public and private). But still no luck: the FW does not switch to the domain profile when setting up the VPN connection.

The network name (connection-specific suffix) corresponds to the name in HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName. The domain controllers are reachable. What is the next step in troubleshooting this?

Regards, Stephan van der Plas

You know you're an engineer when you have no life and can prove it mathematically
May 5th, 2011 11:49pm
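An added diagnostic script for the situation described in the post above (it is not part of the original thread and was not posted by any participant). It gathers, on the VPN-connected client, the three facts the post checks by hand: which Windows Firewall profile is currently active, whether any adapter's connection-specific DNS suffix matches the NetworkName value under Group Policy\History, and whether Netlogon can locate a domain controller right now. It assumes it is run as an administrator on the Windows 7 client while the tunnel is up, and it sticks to tools available in PowerShell 2.0 (netsh, nltest, WMI); the function names are chosen for this example.

```powershell
# Added diagnostic script for the NLA/VPN problem described in the post above.
# Not from the thread. Assumes: run as administrator on the Windows 7 client
# while the VPN tunnel is up; PowerShell 2.0 era, so only netsh/nltest/WMI.

function Get-ActiveFirewallProfile {
    # "netsh advfirewall show currentprofile" prints one section per active
    # profile, headed e.g. "Domain Profile Settings:" or "Public Profile Settings:".
    $out = netsh advfirewall show currentprofile
    $out | Select-String -Pattern '^(\w+) Profile Settings' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Get-GpoNetworkName {
    # The network name Group Policy recorded the last time policy was applied.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    (Get-ItemProperty -Path $key -Name NetworkName -ErrorAction SilentlyContinue).NetworkName
}

function Get-ConnectionSuffixes {
    # Connection-specific DNS suffix and address per IP-enabled adapter, i.e. what
    # ipconfig shows as "Connection-specific DNS Suffix". The VPN adapter should
    # appear here with the domain suffix if the client registered it properly.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DNSDomain, IPAddress
}

function Test-DomainController {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # /force bypasses Netlogon's cached result, so this reports the live state
    # rather than a cached "no DC found" answer.
    $null = nltest /dsgetdc:$Domain /force 2>&1
    return ($LASTEXITCODE -eq 0)
}

$expected = Get-GpoNetworkName
"Active profile(s): $((Get-ActiveFirewallProfile) -join ', ')"
"GPO NetworkName : $expected"
Get-ConnectionSuffixes | ForEach-Object {
    $match = if ($_.DNSDomain -eq $expected) { 'MATCH' } else { 'no match' }
    "  {0}: suffix='{1}' ({2}) ip={3}" -f $_.Description, $_.DNSDomain, $match, ($_.IPAddress -join ',')
}
"DC reachable    : $(Test-DomainController)"
```

If the suffix matches and a DC is reachable but the active profile is still Public or Private, the inputs NLA needs are all present and the question becomes whether NLA was ever notified that the VPN interface came up, which is the direction the rest of the thread takes.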

It seems that stopping and starting the NLA service helps! After that, the firewall has switched to the domain profile. Is this a bug in Windows 7 (SP1 32 bit)?

You know you're an engineer when you have no life and can prove it mathematically
May 6th, 2011 12:06am

Hi,

Thanks for posting in Microsoft TechNet Forum. First, glad to hear that you have got a workaround for your problem. Regarding your query, I do not think this is a Windows 7 bug; this would be caused by an improper setting. I would like to share the following article with you: Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles.

Alex Zhao, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 6th, 2011 12:34pm

Alex,

First: stopping and starting the NLA (and NLS) service is not a workaround, though it is a clue for further troubleshooting. I am aware of the blog post you link to. Moreover, I have referred to the registry key that is stated in that blog post in my original post. So I think there IS a bug in Windows or Juniper NC or the combination of the two.

You know you're an engineer when you have no life and can prove it mathematically
May 6th, 2011 12:39pm

Hi,

As we can see in the article above: "Not all VPN clients work this way. The Microsoft VPN client registers as a network interface and will get an associated Firewall Profile, but third-party VPN clients may not register and thus would not get an associated Profile." So I suggest you try Windows VPN to check how it works.

Alex Zhao, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 9th, 2011 1:05pm

Hi Alex,

I do not have a Windows VPN backend available, so I cannot execute this test. But as you can see, there is no problem in the functionality as such. The problem is that the NLA (or better, NLS) service is not triggered when setting up a VPN connection via Juniper NC. This might not be a Windows problem, but more a Juniper NC problem. My original question was: how can I troubleshoot this? By the way: we have already opened a support ticket at Juniper-tech.

You know you're an engineer when you have no life and can prove it mathematically
May 9th, 2011 1:09pm

Hi,

Just as we see in the post, the third-party VPN client may not work properly with this feature. Hope you will get satisfactory information and suggestions from Juniper Support.

Alex Zhao, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 11th, 2011 12:54pm

Alex,

We have done quite a lot of tests in the meantime, this time with the Junos Pulse 2.0R2 client. This client has the same problems. In the ipconfig output, the NIC and its IP settings are shown. Nowhere else (e.g. the connection center) is the network shown. Restarting the NLS and NLA services in this case won't even help. I'll retry setting up a support call at J-tech (Juniper) for this.

Regards, Stephan

You know you're an engineer when you have no life and can prove it mathematically
July 7th, 2011 4:26pm

Hi Stephan! Did you get any information regarding this issue from Juniper? /J
October 12th, 2011 11:53am

Hi J,

Via an MS support call I obtained a workaround: set the negative cache period to 0. This can be done via a registry key (which can be distributed via a custom ADM in a GPO).

The negative cache period:
Description: The NegativeCachePeriod entry specifies the time that a client will remember that a domain controller could not be found in a domain. If a program tries again within this time, the client call immediately fails without trying to find a domain controller again.
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Entry: NegativeCachePeriod
Type: DWORD
Default value (seconds): 45
Recommended value: 0

You know you're an engineer when you have no life and can prove it mathematically
October 18th, 2011 8:09am
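An added example of applying the workaround from the post above on a single machine, so it can be tested before rolling it out through the custom ADM/GPO the poster mentions. It is not from the thread and was not posted by any participant. It reads the current NegativeCachePeriod value (treating an absent value as the documented 45-second default), sets it to 0, restarts Netlogon so the new value is read without a reboot, and then restarts the NLA service to re-trigger network location detection, which is the manual step that worked earlier in the thread. It assumes it is run as an administrator on the Windows 7 client; the function names are chosen for this example. One caveat a practitioner should keep in mind: a value of 0 disables negative caching entirely, so every repeated DC lookup after a failure goes out to the network instead of failing fast, which is the trade-off being made here.

```powershell
# Added example (not from the thread): apply the NegativeCachePeriod workaround
# from the post above on one Windows 7 client and re-trigger network location
# detection. Assumes: run as administrator; value is in seconds.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'NegativeCachePeriod'

function Get-NegativeCachePeriod {
    $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    # When the value is absent, Netlogon uses the documented default of 45 s.
    if ($v) { [int]$v.$name } else { 45 }
}

function Set-NegativeCachePeriod {
    param([int]$Seconds)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value $Seconds -Type DWord
}

"Before: $(Get-NegativeCachePeriod) s"
Set-NegativeCachePeriod -Seconds 0     # 0 = never cache "no DC found"
"After : $(Get-NegativeCachePeriod) s"

# Netlogon reads its Parameters values at service start; restart it so the
# change is live without a reboot.
Restart-Service Netlogon -Force

# Restart Network Location Awareness so it re-evaluates the network category
# (the same manual step that switched the firewall to the domain profile
# earlier in the thread).
Restart-Service NlaSvc -Force

# Verify which firewall profile the machine ended up in.
netsh advfirewall show currentprofile | Select-String 'Profile Settings'
```

For fleet-wide deployment the same DWORD can be delivered by the custom ADM template the poster describes; the script above is only for confirming the effect on a test client first.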
