Firewall profile switching


Hello all,

I'm currently testing a GPO, which I hope to take live, that will enable / disable
the Windows Firewall depending on the location of our users. The GPO itself
is fine - what I'm having trouble with is switching profiles automatically.

If I boot off the network, then the standard profile is applied just fine.
Once I connect to the network, the domain profile is applied almost
immediately. The problem, though, is that once I disconnect again from the
network, the domain profile stays current. Even when I connect to an outside
network, the domain profile stays active. Is this supposed to happen? Am I
not waiting long enough for the profile to switch back to standard?

thanks very much!
-Pete
 
The link below helps to explain the network determination behavior, though
there is some dispute on exactly how it works. What I would try, after you
remove the computer from the network, is to run gpupdate /force on the computer
to see if that makes a difference. If that works, then do the procedure again
and try using just gpupdate. If gpupdate /force or gpupdate works, then, if
you need to, you can change the Group Policy refresh interval for computer
configuration and policy processing [if needed]; that can speed up the
changing of profiles for Windows Firewall, with the understanding that you want to
do that only for computers that need it, as reducing the interval and
forcing particular policy processing to reapply Group Policy at each
refresh will increase network usage. --- Steve

http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx
 
Thanks Steven, that page was helpful!

I had tried a gpupdate /force after connecting to the outside network the
first time around and this second time, with no luck; I'm still on the domain
profile. My plan now is to wait some time, as even a release / renew on the
new network doesn't get me to the standard profile.

From that page:

"If the last-received Group Policy update DNS name does not match any of the
connection-specific DNS suffixes of the currently connected connections on
the computer that are not PPP or SLIP-based, then the computer is attached to
another network."

An ipconfig /all shows no trace of my company's DNS suffixes or IPs.

"Windows uses this network determination process during start up and when it
is informed by the Network Location Awareness service that network settings
on the computer have changed."

I guess this is my next step - to see how this works, and what exactly it
does. I'll let everyone know what happens for posterity's sake.

Thanks again!

-Pete

--
======================
http://petekemble.com

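As an added diagnostic (not code from the thread or from Microsoft), the script below applies the DNS-suffix rule Pete quotes above and compares its verdict with the network category and firewall state Windows is actually reporting, so a stuck domain profile shows up as Mismatch = True. It assumes a current Windows host (the NetAdapter, DnsClient, NetConnectionProfile and NetSecurity cmdlets; XP-era machines like the ones in the thread would use netsh instead), treats the logon domain in $env:USERDNSDOMAIN as a stand-in for the "last-received Group Policy update DNS name", and approximates "not PPP or SLIP-based" by excluding adapters whose description matches PPP or WAN Miniport.

```powershell
# Added example, not from the original thread. Reproduces the quoted
# network-determination test and compares it with what Windows decided.
function Test-FirewallProfileMatch {
    param(
        # Assumption: the logon domain stands in for the GP update DNS name.
        [string]$ExpectedDomain = $env:USERDNSDOMAIN
    )
    if (-not $ExpectedDomain) {
        throw 'No domain DNS name available; pass -ExpectedDomain.'
    }

    # Connected adapters that are not PPP/SLIP-style WAN links. Matching on
    # the description is an approximation of the rule in the article.
    $lan = Get-NetAdapter | Where-Object {
        $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'PPP|WAN Miniport'
    }

    # Connection-specific DNS suffixes of those adapters (what ipconfig /all
    # lists per adapter, the same data Pete inspected by hand).
    $suffixes = Get-DnsClient |
        Where-Object { $_.InterfaceIndex -in $lan.InterfaceIndex } |
        ForEach-Object { $_.ConnectionSpecificSuffix } |
        Where-Object { $_ }

    # The quoted rule: a suffix matching the domain means "on the domain
    # network", otherwise the computer is attached to another network.
    $onDomainNetwork = $suffixes -contains $ExpectedDomain

    # What Network Location Awareness actually decided for each connection.
    $profiles = Get-NetConnectionProfile
    $activeIsDomain = $profiles.NetworkCategory -contains 'DomainAuthenticated'

    [pscustomobject]@{
        ExpectedDomain   = $ExpectedDomain
        SeenSuffixes     = ($suffixes -join ', ')
        RuleSaysDomain   = $onDomainNetwork
        ActiveCategories = ($profiles.NetworkCategory -join ', ')
        # True reproduces the symptom in the thread: the suffix rule says
        # "other network" while Windows still applies the domain profile.
        Mismatch         = ($onDomainNetwork -ne $activeIsDomain)
        FirewallState    = (Get-NetFirewallProfile |
            ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
    }
}

Test-FirewallProfileMatch | Format-List
```

Run it once on the corporate LAN and again after moving to the outside network; if Mismatch flips to True and stays there after gpupdate, the profile is not being re-evaluated, which is the behaviour Pete describes.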
 