
We're using OpenVPN to provide access back from XP to work. We use AD policies to ensure the XP firewall is up when off the domain and down when on the domain. With OpenVPN you end up with a new network interface, and when you're off the domain and VPN back to work, XP goes "domain found, but I'm also on a non-domain network, so firewall up".

However, I discovered we could use netsh to disable the firewall entirely on the OpenVPN interface:

echo firewall set opmode mode = DISABLE interface = "name of openvpn interface" | netsh

This is great: it means when our users are at home/hotels, their firewall is up, but remote access over the VPN works bi-directionally.

And then along came Win7 (let's pretend Vista doesn't exist - not too hard!). Gone is the concept of "domain" and "other", now it's "domain", "home/work" and "public" - and you cannot disable the firewall per interface. It's a lot more complicated than XP and as a side note I'm seeing lots of home users totally disabling Win7 firewalls due to it - grrr!

Anyway, my question is, how can I duplicate the functionality we have under XP? How can I script Win7 to totally disable the firewall on the OpenVPN interface, but carry on as normal on the others? The end result I'm after is that we (IS group, AV servers, vuln scanners) can access the box remotely when they're in hotels/at home/etc., just as if they were on the corporate LAN. I need a script, as my experience with the GUI implies we'll otherwise need a 10-page document of screenshots for our helpdesk guys!

jhaar

4 Answers


You can control the firewall on a per-NIC (including virtual NIC) basis, with different settings by profile.

In "Windows Firewall" from the Control Panel, select Properties on the root node of the tree. In each of the profile tabs, the "Protected Network Connections" button allows you to select which NICs are protected.

So disable the NIC only in the private profile, and validate that the network detection picks up "public" when outside the LAN.

Richard
  • Thanks - that almost works. Unfortunately our AD policy is set to allow users to control the firewall definition for "work/home", but for "public" we force it to be firewall-up. By setting that policy we seem to block the ability to alter "protected network connections" under the "public" profile, which is the one I am trying to touch :-( I can make whatever changes are needed to the policy, but nothing seems to make a difference. Also, I do need to do this from a script, so can you think of a way to do this using netsh or whatever else would work? Thanks – jhaar Feb 25 '10 at 09:07
  • @jhaar: No idea on netsh (WMI might be another option). As Win7 expanded the Firewall functionality significantly, check you have win7 GP templates, these *might* give more control. – Richard Feb 26 '10 at 10:40

There is a GUI option to disable the firewall on a specific NIC with Advanced Security. Here is how: go to Control Panel --> System & Security --> Windows Firewall --> Advanced settings (left panel) --> choose Properties (Action tab, right) --> click Customize --> then uncheck the interface (NIC) you want to disable the firewall on. Thanks

Ahmed

I know it's an old question, but I'll post this for reference. You can use PowerShell:

Set-NetFirewallProfile -Name Private -DisabledInterfaceAliases 'Connection Name'

Source

ProGTX

As "Richard" says, you can disable the firewall per interface in Windows 7 through the GUI; it's just rather hidden.

Unfortunately, automating that setting on Windows 7 is rather harder. Netsh doesn't provide access to that functionality (according to Microsoft), and the PowerShell command that ProGTX suggests seems to be Windows 8 only. The only method I've found that works for automating it on Windows 7 is to use the COM API: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366418%28v=vs.85%29.aspx
Unfortunately automating that setting on windows 7 is rather harder. Netsh doesn't provide access to that functionality (according to microsoft) and the powershell command that ProGTX suggests seems to be windows 8 only. The only method i've found that works for automating it on windows 7 is to use the COM API http://msdn.microsoft.com/en-us/library/windows/desktop/aa366418%28v=vs.85%29.aspx