Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA client and Windows Firewall

  • 1.  VIA client and Windows Firewall

    Posted Apr 30, 2014 08:20 AM

    When I connect my domain laptop from home to our company network through VIA, I can see there's 2 active NICs in Windows.

     

    1: the real NIC, that's connected to my home network. This is classified as a Public network in Windows.

    2: the VIA NIC, connected to my company network. This is classified as a Domain network in Windows.

     

    Now, I take a look at the firewall settings. Firewall is enabled, for both Domain networks and for Public networks. Other PCs on the company network are unable to ping my laptop, because of the firewall.

     

    If I disable the Windows firewall for both Domain networks and Public networks, they are able to ping my laptop. However, this is not secure. I don't want other devices on my home network to be able to connect to my laptop, I only want other devices on the company network to be able to connect to it.

     

    So, I disable the Windows firewall for Domain networks, but enable it for Public networks. Problem: company PCs are unable to ping my laptop now. They can only ping it when Windows firewall is disabled for Public networks as well.

     

    Does anyone know how I can make this work the way I want it to? It would seem to me the Ping is tunneled through the encrypted VIA connection to my laptop. So how would the firewall for the Public home connection be able to filter this? It's strange, isn't it?



  • 2.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted May 02, 2014 12:22 AM

    I am not sure if this can be done.  Do you have split-tunneling enabled on your VIA client?



  • 3.  RE: VIA client and Windows Firewall

    Posted May 02, 2014 12:32 AM

    No, everything is tunneled through the controller now. Could using split-tunnel fix it?

     

    I was also hoping using a different subnet might help. I'm using 255.255.255.255 now, maybe using 255.255.255.0 would make it 'understand' traffic coming from the company network is the same domain subnet and shouldn't be filtered by the non-domain firewall? Doesn't hurt to try I guess.



  • 4.  RE: VIA client and Windows Firewall

    Posted May 02, 2014 05:04 AM

    I've tried 255.255.255.0 and it doesn't make a difference.

     

    Funny thing:

     

    I created an inbound firewall rule that allows ALL traffic. For all interfaces, sources, all ports, etc. etc. However, I can still not ping the machine.

     

    When I disable the firewall, I can ping it. But with firewall enabled, I can not ping it. Even though there's a rule that explicitly allows ALL traffic. What the hell? :)

     

    It seems that the VIA connection confuses the Windows firewall to the point of it not letting through any incoming connections, no matter what rules are set.

     

    I'm going to try on Windows 7.... maybe this is a Windows 8.1 problem.

     

    Edit: Windows 7 = same result.



  • 5.  RE: VIA client and Windows Firewall

    Posted May 06, 2014 02:20 AM
    So my conclusion is that VIA breaks firewall behaviour in Windows.

    Even if you create an ALLOW ALL rule in the firewall, it still blocks all incoming connections from the VIA connection.

    Only if you disable the firewall, it allows incoming traffic from VIA.


  • 6.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted May 06, 2014 05:50 AM


  • 7.  RE: VIA client and Windows Firewall

    Posted May 06, 2014 05:55 AM
    Thanks, but this article is not correct (anymore).

    Because Windows 7 and Windows 8 actually DO recognize the VIA connection as a Domain connection instead of a public connection.

    Also, creating the ALLOW ALL rule in both the public AND domain profile still makes incoming connections impossible.


  • 8.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted May 06, 2014 06:01 AM

    You are right.  That is an old article.  Maybe Microsoft would have a clue what is happening here.



  • 9.  RE: VIA client and Windows Firewall

    Posted May 06, 2014 06:05 AM

    Another way to make incoming connections work with firewall enabled is by setting 'inbound connections that do not match a rule are allowed' for the public profile. This basically means the same as turning the firewall off though :)



  • 10.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted May 06, 2014 07:12 AM

    eriknl2,

     

    What is the operating system of your Windows computer?



  • 11.  RE: VIA client and Windows Firewall

    Posted May 06, 2014 08:56 AM
    I tested on Windows 7 and on Windows 8.1 update 1.


  • 12.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted May 06, 2014 09:19 AM

    ErikNl,

     

    Are these domain computers?  Is it possible to try with a non-domain computer?



  • 13.  RE: VIA client and Windows Firewall

    Posted May 06, 2014 09:48 AM
    These are domain computers (I made sure there were no group policies applied to them).

    I'll give it a go on a non-domain computer and let you know the result.


  • 14.  RE: VIA client and Windows Firewall

    Posted May 07, 2014 03:12 AM

    You are correct. This issue only appears on a domain joined computer.

     

    On a non-domain computer, it works as expected.

     

    Now I hope that you know a fix for this :)

     

    I read online that when using multiple network adapters (like with VIA), the Windows firewall chooses the most strict firewall profile to apply to the adapter, which would mean the public profile. I created an ALLOW ALL rule, for ALL profiles (including public), but that does not fix it.



  • 15.  RE: VIA client and Windows Firewall

    Posted May 08, 2014 02:22 AM
    Will you let me know if you learn anything about a fix for domain-computers?


  • 16.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted May 08, 2014 07:24 AM

    Yes, we will.



  • 17.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted May 08, 2014 07:56 AM

    Where did you see that article on multiple adapters?



  • 18.  RE: VIA client and Windows Firewall

    Posted May 08, 2014 08:05 AM
    http://technet.microsoft.com/nl-nl/library/getting-started-wfas-firewall-profiles-ipsec(v=ws.10).aspx

    "If there are multiple network adapters connected to different networks, then the profile with the most restrictive profile settings is applied to all adapters on the computer. The public profile is considered to be the most restrictive, followed by the private profile; the domain profile is considered to be the least restrictive."


  • 19.  RE: VIA client and Windows Firewall

    Posted May 27, 2014 07:41 AM
    Still hoping on a fix for this issue :)


  • 20.  RE: VIA client and Windows Firewall

    Posted Jun 16, 2014 06:38 AM
    Should I open a case with support for this, cjoseph, or is this something you're already bringing to their attention?


  • 21.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted Jun 16, 2014 08:16 AM
    Eriknl2,

    You should open a case. They know about the issue but anyone that is affected by this should open a case, so they can get more information.


  • 22.  RE: VIA client and Windows Firewall

    Posted Oct 09, 2014 10:18 AM

    I am having the exact same problem. Is there any fix to this? I cannot remote manage any domain joined computers when they are on VIA, even if I allow all to all security profiles.

     

    Really need a fix for this.



  • 23.  RE: VIA client and Windows Firewall

    Posted Oct 10, 2014 03:08 PM

    Opened a support case with Aruba and we were able to find a Microsoft patch that fixed the issue.

     

    Just in case others might run into this.

     

    http://support2.microsoft.com/kb/2964643

     

    I installed the patch and now I don't see Windows firewall dropping packets, even when there is an allow all rule for inbound.

     

     



  • 24.  RE: VIA client and Windows Firewall

    Posted Oct 10, 2014 06:27 PM

    The issue will be fixed if the below patch is installed (it worked fine in Windows 7)

     

    http://support2.microsoft.com/kb/2964643/en-us

     

     



  • 25.  RE: VIA client and Windows Firewall

    Posted Oct 13, 2014 02:17 AM

    Interesting. Will try. Thanks.



  • 26.  RE: VIA client and Windows Firewall

    Posted Oct 14, 2014 08:03 AM

    Never mind, the patch did not fix anything. This issue seems to be random. I rebooted two times in a row and it seemed to work on my laptop. Today, the firewall is blocking traffic along with two other laptops I pushed the patch to on Friday.

     

    Really need Aruba to fix this. No reason they cannot set this up in a lab and see for themselves that the Windows firewall does not apply any rules to the VIA interface.



  • 27.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted Oct 14, 2014 08:06 AM
    Bmarrs2014,

    Please open a TAC case and reference this thread. You could have an issue that is specific to your setup.


  • 28.  RE: VIA client and Windows Firewall

    Posted Oct 14, 2014 08:08 AM
    Haven't tried it yet, but the description for the Microsoft-page does not really match the symptoms I'm seeing.

    I don't think it's very setup-specific. It seems to be any domain joined Win7/Win8 computer combined with VIA makes the firewall unusable...


  • 29.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted Oct 14, 2014 08:14 AM
    Eriknl2,

    Then please try it. If it does not work, we then need to re-investigate.


  • 30.  RE: VIA client and Windows Firewall

    Posted Oct 14, 2014 08:22 AM

    The article only applies to win7 and win2008r2. We're using Win8.1 now. I'll try and see if it installs anyway.

     

    Edit: Nope, won't install.



  • 31.  RE: VIA client and Windows Firewall

    EMPLOYEE
    Posted Oct 14, 2014 08:37 AM
    That specific patch might not apply to you, then.


  • 32.  RE: VIA client and Windows Firewall

    Posted Oct 14, 2014 08:39 AM

    So, it's not the issue, then :) Nor the fix.

     

    So VIA + domain computer still means broken firewall.



  • 33.  RE: VIA client and Windows Firewall

    Posted Oct 14, 2014 09:31 AM

    Already have a TAC case opened for this and so far just wasted time. I was hesitant about the patch, but TAC said it was referenced in other cases around this and I applied it.

     

    The first couple of times it works, but after that nothing. 

     

    I reopened my case, but not holding my breath for a resolution to this.

     

     

     



  • 34.  RE: VIA client and Windows Firewall

    Posted May 20, 2015 05:01 PM

    Did anyone ever identify a resolution for this?



  • 35.  RE: VIA client and Windows Firewall

    Posted May 21, 2015 02:16 AM

    Not me.



  • 36.  RE: VIA client and Windows Firewall

    Posted Jun 15, 2015 10:52 AM

    Aruba found a temp workaround for this but not a long term solution.  When the VIA software is installed, it installs an "Aruba VIA Driver" on the wireless and wired NICs which can be found in the properties.  Support claims that when this is checked, the tunnel is operating in L2TP mode.  When it's unchecked, it's operating in PPP.  RDP as well as ping and other management tools work when this box is unchecked because the Windows Firewall is identified in GP under a different set of rules. 

     

    The problem is that Aruba doesn't have any suggestions on how to apply this globally other than to create a script or do each one manually.  It's not something that can be applied in GPO nor is it an option in any of their latest releases to push out.  The only other thing we could think of was the registry, but Aruba Support isn't familiar with where the registry change would be made for something like that.  Any other thoughts on this?
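
The check and the per-NIC workaround described in post 36 can be scripted with the built-in NetAdapter, NetConnection and NetSecurity cmdlets. This is an added example, not part of the thread and not Aruba's or Microsoft's code; it assumes Windows 8 / Server 2012 or later, an elevated session, and that the binding's display name is exactly "Aruba VIA Driver" as written in the post. The function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on Windows 8 / Server 2012+.
# Assumption: the binding is listed as "Aruba VIA Driver", the name quoted in the post.

function Get-ViaFirewallState {
    param([string]$BindingName = 'Aruba VIA Driver')

    # Network category Windows assigned to each connected interface
    # (Public, Private or DomainAuthenticated).
    $connections = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, Name, NetworkCategory

    # Effective firewall settings. ActiveStore merges local and Group Policy
    # settings, which is what matters on a domain-joined machine.
    $firewall = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction

    # Adapters that carry the VIA driver binding, and whether it is checked.
    $bindings = Get-NetAdapterBinding -AllBindings |
        Where-Object { $_.DisplayName -eq $BindingName } |
        Select-Object Name, DisplayName, ComponentID, Enabled

    [pscustomobject]@{
        Connections = $connections
        Firewall    = $firewall
        Bindings    = $bindings
    }
}

function Disable-ViaDriverBinding {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BindingName = 'Aruba VIA Driver')

    # Uncheck the binding only where it is currently enabled.
    Get-NetAdapterBinding -AllBindings |
        Where-Object { $_.DisplayName -eq $BindingName -and $_.Enabled } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, "Disable binding '$BindingName'")) {
                Disable-NetAdapterBinding -Name $_.Name -ComponentID $_.ComponentID
            }
        }
}

# Show the current state, then preview the change without applying it.
$state = Get-ViaFirewallState
$state.Connections | Format-Table -AutoSize
$state.Firewall    | Format-Table -AutoSize
$state.Bindings    | Format-Table -AutoSize
Disable-ViaDriverBinding -WhatIf
```

Drop `-WhatIf` to apply the change; comparing `Connections` and `Firewall` before and after connecting VIA shows which profile the tunnel interface lands in and what its default inbound action is.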



  • 37.  RE: VIA client and Windows Firewall

    Posted Feb 24, 2016 02:46 AM

    FYI: we're using version 2.3.1.0.77153 and, when active, Windows Firewall says the computer is connected to the domain (like it should). And it applies the firewall rules just fine (firewall disabled for domain, enabled for public) and I am able to connect to a VIA-connected-computer from HQ. So it seems to work fine now.



  • 38.  RE: VIA client and Windows Firewall

    Posted Feb 24, 2016 10:25 AM

    is correct.  The new 2.3.0 version was supposed to permanently resolve this but has a known bug regarding DNS. 

     

    We are having to update everyone with 2.3.1 which permanently puts everyone in PPP mode and has fixed the DNS issue as well.