Networking Blog
Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles
MichaelPlatts [msft] 8 Sep 2010 12:47 PM 3
I am writing this blog post because we get a lot of questions regarding how NLA determines a network profile and how it relates to Firewall Profiles as the two are often confused.
What is NLA?
First, let's start with what NLA does. For each network interface the PC is connected to, NLA aggregates the network information available to the PC and generates a globally unique identifier (GUID) to identify each network. In other words, it creates a Network Profile for any network it connects to. The Windows Firewall then uses that information to apply rules from the appropriate Windows Firewall Profile. This allows you to apply a different set of Firewall rules depending on which network you are connected to. For example, a Public network could get a very restrictive set of rules, a Home network could get a less restrictive set of rules, and a Managed network could get a set of rules determined by an administrator. NLA can be used for more than this, but I want to focus on how it interacts with the Windows Firewall.
Windows XP
In Windows XP and Windows Server 2003, detection is pretty basic and there are only 2 network profiles: Domain and Standard. If the Connection Specific DNS Name matches the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry value, you get the Domain Profile. Otherwise, you get the Standard Profile. You can find more detail about Windows XP in the following Cable Guy article: http://technet.microsoft.com/en-us/library/bb878049.aspx
http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx[2013-10-15 20:57:00]
Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs
Since the Firewall in Windows XP only supported two firewall profiles, this system worked pretty well. The problem was that people don't connect to just two kinds of networks: they wanted a restricted set of firewall rules when connected to a public hotspot and a less restrictive set when they were at home, in addition to the firewall rules required by their admin. In Windows Vista, Microsoft introduced a new set of firewall profiles: Domain, Public, and Private. The idea is that any new or unidentified network gets the Public (most restrictive) profile to start with. If you are then found to be on the domain network, you get the Domain (managed) profile provided by your administrator. That leaves the Private profile for users to configure in their own (semi-trusted) environment. To support the Private profile, network detection had to be enhanced. This was accomplished by gathering various characteristics about the network and using that information to create a network profile and assign a unique GUID that could be used to identify that network. Network identification still starts the same way it did in Windows XP, by determining whether you are on the domain; if that fails, it tries to match the network to an existing Network Profile. The important thing to remember about Windows Vista is that you now have 3 profile choices, but you can only have a single active Firewall Profile. So if the machine is multi-homed with a VPN connection, for example, you only get one Profile for all interfaces.
Windows 7
The big change in Windows 7 from Windows Vista is that now you can have multiple active profiles. The same network identification process takes place, but it is done for each interface. So now, for example, a VPN interface can have the domain profile assigned while the physical interface can get the public profile and be protected. Note: Not all VPN clients work this way. The Microsoft VPN client registers as a network interface and will get an associated Firewall Profile, but third-party VPN clients may not register and thus would not get an associated Profile. The VPN connection will still work but the system will not be protected by the Microsoft Firewall on that VPN interface.
Home and Work will both give you the Private profile while Public will of course give you the Public profile. I am often asked if this can later be changed; the answer is yes. In the Network and Sharing Center, there is a link to Customize the network settings.
Note: Customization does not apply to the Domain profile as it is determined by your administrator.
[Characteristic name and the start of its description are missing from the page] ... managed by a domain controller. Use: ... managed by a domain controller usually indicates that the network is a corporate network. Applications may use this indication to attempt to discover and connect to corporate resources. Applications may also use this indication to apply policy or settings that are specific to the corporate network.
Bandwidth: Indicates the bandwidth of a TCP connection. Use: Applications may adjust their behavior based on the bandwidth of a TCP connection. For example, if the bandwidth to a mail server is low, then a mail client application may choose to download only the headers of messages, rather than entire messages.
Internet Connectivity: Indicates connection to the Internet. Use: Applications can use this as an indication that they can discover and connect to servers on the Internet or establish a virtual private network (VPN) connection to the corporate network via the Internet.
Primary DNS Suffix: The name of the domain of which the computer is a member, or the DNS suffix of the computer's full computer name. Use: Domain names are closely related to the infrastructures of networks and as a consequence remain relatively static. When a computer moves around or returns to a given network, its Internet Protocol (IP) address may change, but its domain name suffix is likely to be the same. Applications can use this as a hint that the computer is connected to the same network and apply policy or settings accordingly. However, the DNS suffix can be spoofed. Therefore, for applications where accurate network determination is needed, the DNS suffix should not be used as the only network identifier.
DC Authenticated: Indicates that the domain controller (DC) of the domain of which the computer is a member has authenticated the computer. Use: When the DC has authenticated the computer, applications may have a degree of confidence that the computer is on the corporate network and use this indication to apply policy or settings that are specific to the corporate network.
Host IP address: The IP address of the computer. Use: If the IP address of the computer is a public IP address, then remote applications can use it to establish a connection to the computer. For example, a help and support application could relay the computer's IP address to the corporation's help and support center, along with a description of the issues it might be experiencing, so that a technician may connect to the computer to assist.
Subnet Mask: The subnet mask of the subnet to which the computer is connected. Use: The subnet mask is used along with the host IP address to obtain the network ID of the subnet.
Subnet IP address: The network ID of the subnet to which the computer is connected. Use: Applications may require a more granular network definition than a domain-wide network. The network ID allows applications to identify the specific subnet to which the computer is connected. Group policy may be applied per subnet. As a result, it may also be useful for help and support applications to note the subnet to which the user is connected in order for a technician to resolve any issues. The subnet network ID is the host IP address logically ANDed with the subnet mask.
Default Gateway IP address: The IP address of the default gateway. Use: Like domain controllers, gateways (routers) on a subnet are also relatively static. Although the user may roam within a network and connect at different places, when they are configured with the same default gateway, it is likely that they are on the same subnet. Thus, applications may use the default gateway IP address as an indication that the user is on a particular subnet. Applications that require a more granular network definition than a domain-wide network may also use the default gateway IP address. This is particularly useful on home networks because home users typically do not have their own domain.
WINS: Indicates whether the computer is connected to a network on which a Windows Internet Name Service (WINS) server is present. Use: In some enterprises, WINS may be used to resolve Network Basic Input/Output System (NetBIOS) names into IP addresses. In such enterprises, the presence of a WINS server may be used as an indication that the network is a corporate network.
SSID: When connected to a wireless network. Use: The MAC address is more unique than an IP address and therefore makes a better characteristic.
802.1x Auth: Whether the PC is 802.1x authenticated to the given network.
Unknown
The Unknown status has been covered by one of my colleagues in a different blog, so I won't go into detail here, but I'll provide a link if you would like to read more about it: http://blogs.technet.com/b/networking/archive/2009/02/20/why-is-my-network-detected-as-unknown-by-windows-vista-orwindows-server-2008.aspx It simply means that Windows cannot uniquely identify the network and will apply the Public profile. Generally this is because there is no default gateway and the machine is not domain joined.
Summary
NLA attempts to identify the network you are connecting to so that you can apply an appropriate set of Firewall rules based on the connection type. It attempts to match the Connection Specific DNS suffix to the domain you are joined to, and if they match you get the Domain firewall profile. Windows Vista adds the additional requirement of successfully connecting to a DC. If that does not succeed, other networks are identified using various infrastructure characteristics and then a unique GUID is assigned to form a Network Profile.
Technical Specifics
Lastly, I want to share additional technical information about how and where NLA stores information in Windows Vista and later.
Most info regarding NLA will be stored under the following three places:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList
HKLM\Software\Microsoft\Windows\CurrentVersion\HomeGroup
C:\Windows\System32\NetworkList
Historical data can be found under the Cache key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Profiles are stored under the Profiles key. Notice the GUID:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}
"ProfileName"="corp.microsoft.com"
"Description"="corp.microsoft.com"
"Managed"=dword:00000001
"Category"=dword:00000002
"DateCreated"=hex:d9,07,0b,00,01,00,10,00,11,00,30,00,1c,00,68,02
"NameType"=dword:00000006
"DateLastConnected"=hex:da,07,07,00,04,00,0f,00,03,00,12,00,1d,00,b9,03
Managed networks are stored under the Signatures\Managed key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed\010103000F0000F0A00000000F0000F077ABED71E35E1237A502490669F3BF81
"ProfileGuid"="{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}"
"Description"="corp.microsoft.com"
"Source"=dword:000000a0
"DnsSuffix"="northamerica.corp.microsoft.com"
"FirstNetwork"="corp.microsoft.com"
"DefaultGatewayMac"=hex:00,07,b3,00,00,00
Unmanaged networks are stored under Signatures\Unmanaged:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
I think that about sums it up for now; I hope you find this information useful.
- David Pracht
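The Profiles subkey above is a useful forensic artifact: it records every network a machine has joined, which firewall profile category it received, and when. The following parser is an added example (not code from the post or from Microsoft) that decodes a .reg-style export of such a subkey; the sample input is constructed from the values quoted above, and the Category mapping (0 Public, 1 Private, 2 Domain) and IANA ifType names for NameType are the assumptions it relies on.

```python
import re
import struct
from datetime import datetime

# Constructed .reg-style sample built from the Profiles subkey quoted on this page;
# a real export of the NetworkList\Profiles key has one such subkey per network.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}]
"ProfileName"="corp.microsoft.com"
"Description"="corp.microsoft.com"
"Managed"=dword:00000001
"Category"=dword:00000002
"DateCreated"=hex:d9,07,0b,00,01,00,10,00,11,00,30,00,1c,00,68,02
"NameType"=dword:00000006
"DateLastConnected"=hex:da,07,07,00,04,00,0f,00,03,00,12,00,1d,00,b9,03
'''

CATEGORY = {0: "Public", 1: "Private", 2: "Domain"}   # firewall profile the network got
NAME_TYPE = {6: "wired (ethernet)", 23: "PPP/VPN", 71: "wireless (802.11)"}  # IANA ifType

def decode_systemtime(hex_csv):
    """REG_BINARY SYSTEMTIME: eight little-endian uint16 fields
    (year, month, day-of-week, day, hour, minute, second, millisecond)."""
    raw = bytes(int(b, 16) for b in hex_csv.split(","))
    y, mo, _dow, d, h, mi, s, ms = struct.unpack("<8H", raw)
    return datetime(y, mo, d, h, mi, s, ms * 1000)

def parse_profiles(reg_text):
    """Return {profile GUID: {value name: decoded value}} for each Profiles subkey."""
    profiles, current = {}, None
    for line in reg_text.splitlines():
        key = re.match(r"\[.*\\NetworkList\\Profiles\\(\{[0-9A-Fa-f-]+\})\]$", line)
        if key:
            current = profiles.setdefault(key.group(1), {})
            continue
        val = re.match(r'"(\w+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8})|hex:([0-9a-fA-F,]+))$', line)
        if val is None or current is None:
            continue
        name, text, dword, hexv = val.groups()
        if dword is not None:
            n = int(dword, 16)
            lookup = CATEGORY if name == "Category" else NAME_TYPE if name == "NameType" else {}
            current[name] = lookup.get(n, n)
        elif hexv is not None:
            current[name] = decode_systemtime(hexv)   # DateCreated / DateLastConnected
        else:
            current[name] = text
    return profiles
```

Run parse_profiles over a full export of the Profiles key to list every network the machine has joined, the profile it was assigned, and the first and last connection times.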
Comments
Argon.pro
Dear Enterprise Networking Team, I want to test DirectAccess in a virtual environment, so I've installed an additional NIC in a WS2008R2 virtual machine, which serves as an IPv4/v6 router from the test to the production network, and configured it with random non-private IP addresses 88.10.0.1 88.10.0.2, no default router, no DNS. Windows detects this NIC as Domain, so I cannot enable DirectAccess. This NIC is connected to a virtual network dedicated to Win7 test clients only.
What should I do to make this NIC detected as Public? Kind regards, Igor Romanovsky MCITP: EA, EMA, VA; MCSA
dmstrouse
JuanAnD
Great article! Could you edit with some details about Windows 8? Thanks!