Multi-Homed Servers and Windows Firewall Profile

I recently stumbled across the issue that a domain-joined host applied the domain profile of the Windows Firewall to all network connections. It seems this is by design, because Network Location Awareness stops evaluating network conditions as soon as domain membership is discovered. Read on to learn how to force the firewall to apply different profiles to different network connections.

Use Case

Sometimes you need different firewall rules per network connection, e.g. if the host is connected to a trusted and an untrusted network on different network ports.

Issue

The service responsible for evaluating network connections – Network Location Awareness (NLA) – sometimes fails to recognize different conditions. This happens especially when the host is domain-joined via one of its network connections. In such a case, the Network and Sharing Center displays a single network type for all connections.

Workaround

Unfortunately, the behaviour of the NLA service is by design. The only resolution is to tweak the Windows Firewall itself: each profile can be configured with the network connections it is applied to (the "Protected network connections" setting of the profile).

Specify network adapters
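The same adapter-to-profile assignment can be scripted with the NetSecurity module instead of clicking through the MMC. This is an added example and not part of the original article; the adapter aliases 'Ethernet' (domain-facing, trusted) and 'Ethernet 2' (untrusted) are assumptions and must be replaced with the names shown by Get-NetAdapter on the host.

```powershell
# Added example, not from the original article. Run in an elevated session,
# preferably from the console or an out-of-band channel: restricting profiles
# on the adapter your remote session uses can cut that session off.
# ASSUMPTION: adapter aliases below match this host; check with Get-NetAdapter.
$TrustedAlias   = 'Ethernet'      # domain-facing, trusted network
$UntrustedAlias = 'Ethernet 2'    # untrusted network

# 1. Show what NLA decided. On the affected hosts every adapter reports
#    NetworkCategory = DomainAuthenticated, which is exactly the problem.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. Make sure all three profiles are enabled before restricting them.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 3. DisabledInterfaceAliases lists the adapters a profile is NOT applied to
#    (the unchecked boxes under "Protected network connections"). Exclude the
#    untrusted adapter from the Domain profile and the trusted adapter from the
#    Public profile; the Private profile is not used on this host at all.
Set-NetFirewallProfile -Name Domain  -DisabledInterfaceAliases $UntrustedAlias
Set-NetFirewallProfile -Name Public  -DisabledInterfaceAliases $TrustedAlias
Set-NetFirewallProfile -Name Private -DisabledInterfaceAliases $TrustedAlias, $UntrustedAlias

# 4. Verify the effective configuration. ActiveStore shows the merged result of
#    local settings and Group Policy: if the Domain profile is managed by GPO,
#    the local change above is overridden and will not appear here.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DisabledInterfaceAliases |
    Format-Table -AutoSize
```

After applying the change, confirm with a connectivity test from the untrusted side that inbound traffic on that adapter is actually filtered as intended, rather than trusting the profile assignment on paper.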

Summary

Is this ugly? Yes.

Do I like this solution? No.

Do I have a choice? Apart from redesigning network connectivity (which you may not be able to)? No.

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.