Wireless Access

Reply
Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

VIA client and Windows Firewall

When I connect my domain laptop from home to our company network through VIA, I can see there's 2 active NICs in Windows.

 

1: the real NIC, that's connected to my home network. This is classified as a Public net work in Windows.

2: the VIA NIC, connected to my company network. This is classified as a Domain network in Windows.

 

Now, I take a look at the firewall settings. Firewall is enabled, for both Domain networks and for Public networks. Other PC's on the company network are unable to ping my laptop, because of the firewall.

 

If I disable the Windows firewall for both Domain networks and Public networks, they are able to ping my laptop. However, this is not secure. I don't want other devices on my home network to be able to connect to my laptop, I only want other devices on the company network to be able to connect to it.

 

So, I disable the Windows firewall for Domain networks, but enable it for Public networks. Problem: company PC's are unable to ping my laptop now. They can only ping it when Windows firewall is disabled for Public networks as well.

 

Does anyone know how I can make this work the way I want it to? It would seem to me the Ping is tunneled throught the encrypted VIA connection to my laptop. So how would the firewall for the Public home connection be able to filter this? It's strange, isn't it?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VIA client and Windows Firewall

I am not sure if this can be done.  Do you have split-tunneling enabled on your VIA client?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: VIA client and Windows Firewall

No, everything is tunneled through the controller now. Could using split-tunnel fix it?

 

I was also hoping using a different subnet might help. I'm using 255.255.255.255 now, maybe using 255.255.255.0 would make it 'understand' traffic coming from the company network is the same domain subnet and shouldn't be filtered by the non-domain firewall? Doesn't hurt to try I guess.

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: VIA client and Windows Firewall

[ Edited ]

I've tried 255.255.255.0 and it doesn't make a difference.

 

Funny thing:

 

I created an inbound firewall rule that allows ALL traffic. For all interfaces, sources, all ports, etc. etc. However, I can still not ping the machine.

 

When I disable the firewall, I can ping it. But with firewall enabled, I can not ping it. Even though there's a rule that explicitly allows ALL traffic. What the hell? :)

 

It seems that the VIA connection confuses the windows firewall to the point of it not letting through any incoming connections, no matter what rules are set.

 

I'm going to try on Windows 7.... maybe this is a Windows 8.1 problem.

 

Edit: Windows 7 = same result.

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: VIA client and Windows Firewall

So my conclusion is that VIA breaks firewall behaviour in Windows.

Even if you create an ALLOW ALL rule in the firewall, it still blocks all incoming connections from the VIA connection.

Only if you disable the firewall, it allows incoming traffic from VIA.
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VIA client and Windows Firewall

Please see this document here:  http://technet.microsoft.com/en-us/library/cc776171(v=WS.10).aspx



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: VIA client and Windows Firewall

Thanks, but this article is not correct (anymore).

Because Windows 7 and Windows 8 actually DO recognize the VIA connection as a Domain connection instead of a public connection.

Also, creating the ALLOW ALL rule in both the public AND domain profile still make incoming connections impossible.
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VIA client and Windows Firewall

You are right.  That is an old article.  Maybe Microsoft would have a clue what is happening here.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: VIA client and Windows Firewall

[ Edited ]

Another way to make incoming connections work with firewall enabled is by setting 'inbound connections that do not match a rule are allowed' for the public profile. This basically means the same as turning the firewall off though :)

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VIA client and Windows Firewall

eriknl2,

 

What is the operating system of your Windows computer?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: