We are having exactly the same issue. We have an open call with PSS on
this.

For the short term, we make our standard settings the same as the domain
settings. Not real wonderful, but what can we do?

One of the PSS guys mentioned a trick involving unhiding the ipsecshm
"connectoid" via a registry setting. He is supposed to be providing more
information.

Please let me know if you get any resolution on this. I'll do likewise.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 25, 2005 1:35 PM
To: [email protected]
Subject: [ActiveDir] Firewalls and VPN questions


Is anybody really familiar with the GPO settings that control the XP2
firewall on/off network configurations? 

What I'm trying to do:
I'm trying to setup and test IPSEC vpn connectivity back to the corp
network and use the XP2 firewall as the firewall of choice.

Expected results:
When I am off the network, I should have full shields up.  When on the
corp network, it should be the settings defined via GPO, permissions,
exceptions, etc.

What I've done:
The on-network settings are fine.  The results are exactly what was
expected. 
The off-network settings are also fine.  The results are exactly what
was expected and GPOs were set to control this.  Firewall is up and
can't be modified etc.  Perfect.

Problem: 
What is supposed to happen is that when you make a change to the
network you're on, it's checked to see if it is on the same network that
the last GPO applied was from. The key that's checked is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\Network Name
If that value matches the connection-specific setting of any of your
connections (that are not SLIP or PPP) then it should assume it's on the
corporate network that it last got its GPO from (i.e. its native
network). The problem I'm having is that the connection-specific entry
is getting set on the VPN interface, but it's not triggering the change
in networks as far as the firewall is concerned.

Questions:
First off, is this what is expected?  I realize that the doc also says
that VPNs aren't considered in the algorithm if they're SLIP or PPP.
Fair enough, but I can't tell which I'm using. It's blasted Contivity
crud that really doesn't give much information at all. In fact, it shows
up as an Ethernet connection, similar to the NIC.  It does not, however,
show up in the network settings, which is odd.  It's a mini-port driver
on the NIC.

Second, if this is expected, should I expect that the firewall is up for
the physical NIC and not engaged for the VPN interface?  In other words, is
the VPN interface unable to be firewalled?

If anybody has any links or information or other newsgroups where
somebody would know this I would appreciate hearing about it. 

Thanks,

Al
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
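A diagnostic that re-runs the network-determination check Al describes (GPO history network name against the connection-specific DNS suffix of every non-SLIP/PPP interface), so you can see which adapter the firewall would actually count and which profile it should land in. This is an added PowerShell script written for this thread, not code from the list, from Microsoft, or from the Contivity client; it assumes WMI's Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration classes are available and that RAS links (dial-up and VPN adapters) report an AdapterType beginning "Wide Area Network", and since the value name was line-wrapped in Al's mail it tries both the spaced and unspaced spelling.

```powershell
# Added diagnostic for the XP SP2 firewall profile selection discussed above.
$historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'

# The thread quotes the value as "Network Name" across a line break; both
# spellings are tried and the first one found wins (assumption).
$domainName = $null
foreach ($n in 'NetworkName', 'Network Name') {
    $p = Get-ItemProperty -Path $historyKey -Name $n -ErrorAction SilentlyContinue
    if ($p -and $p.$n) { $domainName = [string]$p.$n; break }
}
if (-not $domainName) {
    Write-Warning 'No network name recorded under Group Policy\History; domain profile cannot be selected.'
    return
}
"GPO history network name: $domainName"

# Win32_NetworkAdapter carries the adapter type; Win32_NetworkAdapterConfiguration
# carries the connection-specific DNS suffix (DNSDomain). Join them on Index.
$adapterByIndex = @{}
Get-WmiObject Win32_NetworkAdapter | ForEach-Object { $adapterByIndex[$_.Index] = $_ }

$matched = $false
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $adapter = $adapterByIndex[$_.Index]
    $type    = if ($adapter) { [string]$adapter.AdapterType } else { 'unknown' }
    # RAS links (PPP/SLIP dial-up, most VPN adapters) are excluded from the
    # comparison, per the doc Al cites. A VPN miniport that reports itself as
    # Ethernet, like the Contivity adapter in the thread, is NOT excluded here,
    # which is exactly the case worth spotting.
    $isRas   = $type -like 'Wide Area Network*'
    $suffix  = [string]$_.DNSDomain
    $hit     = (-not $isRas) -and ($suffix -ne '') -and ($suffix -ieq $domainName)
    if ($hit) { $matched = $true }
    '{0,-40} type={1,-24} suffix={2,-22} counted={3,-5} match={4}' -f `
        $_.Description, $type, $suffix, (-not $isRas), $hit
}

if ($matched) { 'Expected profile: DOMAIN (a counted interface carries the GPO network name)' }
else          { 'Expected profile: STANDARD (no counted interface matches the GPO network name)' }
```

Run it elevated once on the corporate LAN and once over the VPN; if the VPN row shows counted=True and match=True yet the firewall stays on the standard profile, the mismatch is in the firewall's profile switch rather than in the suffix comparison, which narrows what to take back to PSS.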
