Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs
Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles
MichaelPlatts [msft] 8 Sep 2010 12:47 PM
I am writing this blog post because we get a lot of questions regarding how NLA determines a network profile and how it relates to Firewall Profiles as the two are often confused.

What is NLA?
First, let's start with what NLA does. For each network interface the PC is connected to, NLA aggregates the network information available to the PC and generates a globally unique identifier (GUID) to identify each network. In other words, it creates a Network Profile for any network it connects to. The Windows Firewall then uses that information to apply rules from the appropriate Windows Firewall Profile. This allows you to apply a different set of Firewall rules depending on which network you are connected to. For example, a Public network could get a very restrictive set of rules, a Home network could get a less restrictive set of rules, and a Managed network could get a set of rules determined by an administrator. NLA can be used for more, but I want to focus on how it interacts with the Windows Firewall.

How Does NLA work?


So how does NLA determine which network it is connected to? It depends on which Windows version you are using.

Windows XP
In Windows XP and Windows Server 2003, detection is pretty basic and there are only 2 network profiles: Domain and Standard. If the Connection Specific DNS Name matches the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry value, you get the Domain Profile. Otherwise, you get the Standard Profile. You can find more detail about Windows XP in the following Cable Guy article: http://technet.microsoft.com/en-us/library/bb878049.aspx

Windows Vista and later
Since the Firewall in Windows XP only supported two firewall profiles, this system worked pretty well. The problem was that people don't connect to just two kinds of networks: they wanted a restricted set of firewall rules when connected to a public hotspot and a less restrictive set when they were at home, in addition to the firewall rules required by their admin. In Windows Vista, Microsoft introduced a new set of firewall profiles: Domain, Public, and Private. The idea is that any new/unidentified network will get the Public (most restrictive) profile to start with. If you are then found to be on the domain network, you will get the Domain (managed) profile provided by your administrator. That leaves the Private profile for users to configure in their own (semi-trusted) environment. To support the Private profile, network detection had to be enhanced. This was accomplished by gathering various characteristics about the network and using that information to create a network profile and assign a unique GUID that could be used to identify that network. Network identification still starts the same way Windows XP did, by determining if you are on the domain; if that fails, it will try to match to a Network Profile. The important thing to remember about Windows Vista is that you now have three profile choices but you can only have a single active Firewall Profile. So if the machine is multi-homed with a VPN connection, for example, you only get one Profile for all interfaces.

Windows 7
The big change in Windows 7 from Windows Vista is that now you can have multiple active profiles. The same network identification process takes place, but it is done for each interface. So now, for example, a VPN interface can have the domain profile assigned while the physical interface can get the public profile and be protected. Note: Not all VPN clients work this way. The Microsoft VPN client registers as a network interface and will get an associated Firewall Profile, but third-party VPN clients may not register and thus would not get an associated Profile. The VPN connection will still work but the system will not be protected by the Microsoft Firewall on that VPN interface.

Step 1 - Domain Determination


In all cases, detection starts the same way that it does in Windows XP. If the Connection Specific DNS Name matches the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry key then the machine will attempt to contact a Domain Controller via LDAP. If both these steps succeed, you will get the Domain profile. It is important to note that if the steps succeed, processing stops here. This allows you to roam across multiple access points in the same domain without having to stop and identify each of them individually.

Step 2 - Network Identification


If the above steps are complete and a match to the domain was not found, NLA will evaluate the network characteristics to see if it can identify a match. If there is a profile created for that network (not to be confused with the Firewall Profile), the interface will get the Firewall Profile associated with that network, either Private or Public. If the network is not identified by one of the above methods, it will remain with the Public profile. Note: By default all new/unidentified interfaces get the Public Profile. So how does it know which profile to associate with a network? Good question. The user is prompted when a new network is identified. They have a choice of Home, Work, or Public.

Home and Work will both give you the Private profile while Public will of course give you the Public profile. I am often asked if this can later be changed; the answer is yes. In the Network and Sharing Center, there is a link to Customize the network settings.

Note: Customization does not apply to the Domain profile as it is determined by your administrator.

Private Network Characteristics


Generally, the next question I am asked is about the characteristics that are used to identify a network. Based on pieces of information I have collected myself and from this MSDN article that provides information on what NLA can tell you about the network, I have put together the following table that I think covers what is used to identify a network. This table shows the list of network characteristics NLA provides and indicates how applications may use them:

Characteristic / Description / Application

Managed
Description: Indicates when the computer is managed by a domain controller.
Application: Typically, computers that are part of a corporate network are members of a domain that is managed by one or more domain controllers. Therefore, the presence of such a domain controller usually indicates that the network is a corporate network. Applications may use this indication to attempt to discover and connect to corporate resources. Applications may also use this indication to apply policy or settings that are specific to the corporate network.

Bandwidth
Description: Indicates the bandwidth of a TCP connection.
Application: Applications may adjust their behavior based on the bandwidth of a TCP connection. For example, if the bandwidth to a mail server is low, then a mail client application may choose to download only the headers of messages, rather than entire messages.

Internet Connectivity
Description: Indicates connection to the Internet.
Application: Applications can use this as an indication that they can discover and connect to servers on the Internet or establish a virtual private network (VPN) connection to the corporate network via the Internet.

Primary DNS Suffix
Description: The name of the domain for which the computer is a member or the DNS suffix of the computer's full computer name.
Application: Domain names are closely related to the infrastructures of networks and as a consequence remain relatively static. When a computer moves around or returns to a given network, its Internet Protocol (IP) address may change, but its domain name suffix is likely to be the same. Applications can use this as a hint that the computer is connected to the same network and apply policy or settings accordingly. However, the DNS suffix can be spoofed. Therefore, for applications where accurate network determination is needed, the DNS suffix should not be used as the only network identifier.

DC Authenticated
Description: Indicates that the domain controller (DC) of the domain for which the computer is a member has authenticated the computer.
Application: When the DC has authenticated the computer, applications may have a degree of confidence that the computer is on the corporate network and use this indication to apply policy or settings that are specific to the corporate network.

Host IP address
Description: The IP address of the computer.
Application: If the IP address of the computer is a public IP address, then remote applications can use it to establish a connection to the computer. For example, a help and support application could relay the computer's IP address to the corporation's help and support center, along with a description of the issues it might be experiencing so that a technician may connect to the computer to assist.

Subnet Mask
Description: The subnet mask of the subnet to which the computer is connected.
Application: The subnet mask is used along with the host IP address to obtain the network ID of the subnet.

Subnet IP address
Description: The network ID of the subnet to which the computer is connected.
Application: Applications may require a more granular network definition than a domain-wide network. The network ID allows applications to identify the specific subnet to which the computer is connected. Group Policy may be applied per subnet. As a result, it may also be useful for help and support applications to note the subnet to which the user is connected in order for a technician to resolve any issues. The subnet network ID is the host IP address logically ANDed with the subnet mask.

Default Gateway IP address
Description: The IP address of the default gateway.
Application: Like domain controllers, gateways (routers) on a subnet are also relatively static. Although the user may roam within a network and connect at different places, when they are configured with the same default gateway, it is likely that they are on the same subnet. Thus, applications may use the default gateway IP address as an indication that the user is on a particular subnet. Applications that require a more granular network definition than a domain-wide network may also use the default gateway IP address. This is particularly useful on home networks because home users typically do not have their own domain.

WINS
Description: Indicates whether the computer is connected to a network on which a Windows Internet Name Service (WINS) server is present.
Application: In some enterprises, WINS may be used to resolve Network Basic Input/Output System (NetBIOS) names into IP addresses. In such enterprises, the presence of a WINS server may be used as an indication that the network is a corporate network.

SSID
Description: When connected to a wireless network.

Default Gateway MAC address
Application: The MAC address is more unique than an IP address and therefore makes a better characteristic.

802.1x Auth
Description: Whether the PC is 802.1x authenticated to the given network.

Unknown
The unknown status has been covered by one of my colleagues in a different blog, so I won't go into detail here, but I'll provide a link if you would like to read more about it: http://blogs.technet.com/b/networking/archive/2009/02/20/why-is-my-network-detected-as-unknown-by-windows-vista-orwindows-server-2008.aspx It simply means that Windows cannot uniquely identify the network and will apply the Public profile. Generally this is because there is no default gateway and it is not a domain-joined machine.

Forcing a Profile via GPO


You can use Group Policy to force certain settings. For example, you can set unidentified networks to get the Private Profile by default. There are four policies available beneath Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies:

<The domain name>
Unidentified Networks
Identified Networks
All Networks
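As an added illustration (not code from this post or from Windows), the following Python models the per-interface decision described in Step 1, Step 2 and the Unidentified Networks policy above: a Domain result requires both the suffix match and a reachable DC, a recognised network gets the profile the user chose, and a new network gets Public unless policy changes the default. The Interface fields, the example domain names and the unidentified_default parameter are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC, PRIVATE, DOMAIN = "Public", "Private", "Domain"
# The answer to the "new network" prompt: Home and Work both mean Private.
USER_CHOICE_TO_PROFILE = {"Home": PRIVATE, "Work": PRIVATE, "Public": PUBLIC}


@dataclass
class Interface:
    """Hypothetical per-interface view of what NLA has gathered (assumed fields)."""
    name: str
    dns_suffix: Optional[str]        # connection-specific DNS suffix
    dc_reachable: bool               # LDAP contact with a domain controller succeeded
    known_network: Optional[str]     # earlier user choice for this network signature, None if new
    registers_with_nla: bool = True  # False models a third-party VPN adapter NLA never sees


def step1_domain(iface: Interface, gp_network_name: str) -> bool:
    """Step 1: the suffix must match Group Policy\\History\\NetworkName AND a DC must answer."""
    if iface.dns_suffix is None or iface.dns_suffix.lower() != gp_network_name.lower():
        return False
    return iface.dc_reachable


def step2_identify(iface: Interface, unidentified_default: str) -> str:
    """Step 2: match the network signature to a saved network; new networks get the default."""
    if iface.known_network is None:
        return unidentified_default   # Public unless the Unidentified Networks policy says Private
    return USER_CHOICE_TO_PROFILE[iface.known_network]


def firewall_profile(iface: Interface, gp_network_name: str,
                     unidentified_default: str = PUBLIC) -> Optional[str]:
    """Profile for one interface, or None when the adapter never registers with NLA."""
    if not iface.registers_with_nla:
        return None
    if step1_domain(iface, gp_network_name):
        return DOMAIN                 # processing stops here, so roaming inside the domain is cheap
    return step2_identify(iface, unidentified_default)


def profiles_for_host(interfaces: List[Interface], gp_network_name: str,
                      unidentified_default: str = PUBLIC) -> Dict[str, Optional[str]]:
    """Windows 7 behaviour: every interface is evaluated on its own (multiple active profiles)."""
    return {i.name: firewall_profile(i, gp_network_name, unidentified_default)
            for i in interfaces}
```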

http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx[2013-10-15 20:57:00]

Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs

Summary
NLA attempts to identify the network you are connecting to so that you can apply an appropriate set of Firewall rules based on the connection type. It attempts to match the Connection Specific DNS suffix to the domain you are joined to, and if they match you get the Domain firewall profile. Windows Vista adds the additional requirement of successfully connecting to a DC. If that does not succeed, other networks are identified using various infrastructure characteristics and then a unique GUID is assigned to form a Network Profile.

Technical Specifics
Lastly, I want to share additional technical information about how and where NLA stores information in Windows Vista and later.

More about Domain Determination


Another question I am often asked is about what calls are made when determining if the domain is accessible. This article has the most thorough description I know of:

980873 - A computer cannot identify the network when the computer is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, and is a member of a child domain

The Network Location Awareness (NLA) service expects to be able to enumerate the domain's forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests

If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.

The Registry Details

Most info regarding NLA will be stored under the following three places:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList
HKLM\Software\Microsoft\Windows\CurrentVersion\HomeGroup
C:\Windows\System32\NetworkList

Historical data can be found under the Cache key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache

Profiles are stored under the Profiles key. Notice the GUID:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}
"ProfileName"="corp.microsoft.com"
"Description"="corp.microsoft.com"
"Managed"=dword:00000001
"Category"=dword:00000002
"DateCreated"=hex:d9,07,0b,00,01,00,10,00,11,00,30,00,1c,00,68,02
"NameType"=dword:00000006
"DateLastConnected"=hex:da,07,07,00,04,00,0f,00,03,00,12,00,1d,00,b9,03

And managed networks are stored under the Signatures\Managed key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed\010103000F0000F0A00000000F0000F077ABED71E35E1237A502490669F3BF81
"ProfileGuid"="{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}"
"Description"="corp.microsoft.com"
"Source"=dword:000000a0
"DnsSuffix"="northamerica.corp.microsoft.com"
"FirstNetwork"="corp.microsoft.com"
"DefaultGatewayMac"=hex:00,07,b3,00,00,00

While unmanaged networks are stored under Signatures\Unmanaged:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

I think that about sums it up for now; I hope you find this information useful.

- David Pracht
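To make the registry layout above concrete, here is an added Python example (not from the post, and not a Windows API) that parses a .reg-style export of the Profiles and Signatures\Managed keys, decodes the Category dword and the 16-byte SYSTEMTIME date blobs, and joins each signature to its profile through ProfileGuid, which is what you would do when reviewing a NetworkList export during an investigation. The sample text is constructed from the values quoted above; the Category mapping 0=Public, 1=Private, 2=Domain is the NLM_NETWORK_CATEGORY enumeration.

```python
import struct
from datetime import datetime

# Constructed .reg-style sample modelled on the values quoted in the post.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}]
"ProfileName"="corp.microsoft.com"
"Managed"=dword:00000001
"Category"=dword:00000002
"DateCreated"=hex:d9,07,0b,00,01,00,10,00,11,00,30,00,1c,00,68,02
"DateLastConnected"=hex:da,07,07,00,04,00,0f,00,03,00,12,00,1d,00,b9,03

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed\010103000F0000F0A00000000F0000F077ABED71E35E1237A502490669F3BF81]
"ProfileGuid"="{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}"
"DnsSuffix"="northamerica.corp.microsoft.com"
"DefaultGatewayMac"=hex:00,07,b3,00,00,00
'''
CATEGORY = {0: "Public", 1: "Private", 2: "Domain"}  # NLM_NETWORK_CATEGORY values


def decode_value(raw):
    """Turn the right-hand side of a .reg line into an int, bytes or str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(","))
    return raw.strip('"')


def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys


def systemtime(blob):
    """Decode a 16-byte little-endian Win32 SYSTEMTIME (year, month, dow, day, h, m, s, ms)."""
    y, mo, _dow, d, h, mi, s, ms = struct.unpack("<8H", blob)
    return datetime(y, mo, d, h, mi, s, ms * 1000)


def network_profiles(text):
    """Profiles keyed by GUID, each joined with the signatures whose ProfileGuid points at it."""
    keys = parse_reg(text)
    profiles = {}
    for path, v in keys.items():
        if "\\NetworkList\\Profiles\\{" in path:
            profiles[path.rsplit("\\", 1)[1]] = {
                "name": v.get("ProfileName"),
                "category": CATEGORY.get(v.get("Category"), "Unknown"),
                "managed": v.get("Managed") == 1,
                "created": systemtime(v["DateCreated"]),
                "last_connected": systemtime(v["DateLastConnected"]),
                "signatures": []}
    for path, v in keys.items():
        if "\\NetworkList\\Signatures\\" in path and v.get("ProfileGuid") in profiles:
            profiles[v["ProfileGuid"]]["signatures"].append({
                "managed": "\\Signatures\\Managed\\" in path,
                "dns_suffix": v.get("DnsSuffix"),
                "gateway_mac": ":".join(f"{b:02x}" for b in v.get("DefaultGatewayMac", b""))})
    return profiles
```

On a real export, a profile with Category 2 but no signature under Signatures\Managed, or a signature whose DnsSuffix and DefaultGatewayMac do not match the corporate network, is the kind of inconsistency worth a second look.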
Comments
Argon.pro

12 Oct 2010 1:19 AM

Dear Enterprise Networking Team, I want to test DirectAccess in a virtual environment, so I've installed to a WS2008R2 virtual machine, which serves as an ipv4/v6 router from test to production network, an additional NIC, and configured it with random non-private IP addresses 88.10.0.1 88.10.0.2, no default router, no DNS. Windows detects this NIC as Domain, so I cannot enable DirectAccess. This NIC is connected to a virtual network dedicated for Win7 test clients only.

What should I do to make this NIC detected as Public? Kind regards, Igor Romanovsky MCITP: EA, EMA, VA; MCSA

dmstrouse

9 Dec 2010 9:21 AM

Could you explain how NLA is affected by IPSec?

JuanAnD

13 May 2012 12:15 PM

Great article! Could you edit with some details about Windows 8? Thanks!
