A question that has come up from time to time is how and why Windows Vista and Windows Server 2008 detect a network as “unknown”. I hope the following explanation is helpful.
Network Location Awareness (NLA) is the service that determines what kind of connectivity you have on a Windows Vista or Windows Server 2008 computer. It makes connection-specific information available to other applications and services. The Advanced Firewall in Windows Vista and Windows Server 2008 uses the NLA information to apply specific firewall settings. For example, if you are connected only to a Domain network, then the Advanced Firewall will apply the Domain firewall profile.
The following TechNet article details how the decision process happens in NLA: http://technet.microsoft.com/en-us/magazine/2007.06.vistafirewall.aspx (jump to the "Network Profiles" section).
The Domain profile is only applied if you are connected to a Domain network. There is no way for a user to manually set the Domain profile.
When a network is detected that is not a Domain based network, you will be prompted to supply a network profile. Here is a breakdown of the network profile options and the firewall profile that will apply:
[Table: network profile option / Firewall Profile Applied]
Since you are likely to connect to the same network repeatedly, such as your home network, Windows tries to uniquely identify each network. A key part of this identification is based on the gateway device. If there is enough information for Windows to uniquely identify the connection, then Windows will remember your choice of network profile and apply it the next time you connect. Now that's handy!
If the connection has no gateway, then the network is labeled as "Unknown". When you see this, think to yourself, "There is not enough information for Windows to uniquely identify this network". I won't go into too much detail about what is used to uniquely identify the network, other than to say that Windows needs a minimum amount of information to make sure that it is not connecting to a spoofed version of a network. An "Unknown" network will apply the Public network profile and the Public firewall profile. The user can manually change the network profile to Work or Home to have a less restrictive firewall profile applied.
Since Windows cannot uniquely identify the network, Windows is not going to know if you connect to it again. So, your network profile choice is transient and will only be applied until you lose connectivity to that network. If you reboot your machine, you will need to set a network profile for the “Unknown” connection again.
At first blush this may seem like a lot of extra work. However, consider the security impact of setting a persistent network profile on a network that Windows cannot identify. Since Windows cannot uniquely identify the network, a persistent profile could later be applied on a different network, one that the user never intended to be marked as private.
Here are a couple of points to consider:
If the connection should be identified as a Domain network and is not, then the likely causes are failure to contact DNS servers or domain controllers on that interface. Make sure that these resources are available.
If the network is not a Domain network and there is no default gateway configured, or the gateway is not available, the network will be categorized as “Unknown” and the Public profile and Public firewall policy will be applied to the computer.
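The two inputs the post describes (a default gateway that lets Windows identify the network, and, for domain members, a reachable domain controller) and the profile NLA ended up applying can all be checked from a PowerShell prompt. The script below is an added example and is not part of the original post; it reads the public Network List Manager COM object that NLA exposes on Vista and Server 2008 onward (CLSID_NetworkListManager), WMI adapter configuration, nltest.exe and netsh advfirewall. The function names are my own.

```powershell
# Added example, not from the original post: per-connection NLA diagnostics for
# Windows Vista / Server 2008 and later (PowerShell 2.0+). Function names are mine.

$NLM_CLSID                  = [Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B'  # CLSID_NetworkListManager
$NLM_ENUM_NETWORK_CONNECTED = 1                                               # only networks currently connected
$CategoryNames = @{ 0 = 'Public'; 1 = 'Private (Home/Work)'; 2 = 'DomainAuthenticated' }

# What NLA decided: one row per connected network, with the category it assigned.
function Get-NlaNetworkReport {
    $nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($NLM_CLSID))
    foreach ($net in $nlm.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)) {
        New-Object PSObject -Property @{
            Name     = $net.GetName()
            Category = $CategoryNames[[int]$net.GetCategory()]
            Internet = [bool]$net.IsConnectedToInternet
        }
    }
}

# The gateway input: an adapter with no default gateway is exactly the case the
# post says NLA cannot identify, so that network becomes "Unknown" and gets Public.
function Get-AdapterGatewayReport {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                IPAddress  = ($_.IPAddress -join ', ')
                Gateway    = ($_.DefaultIPGateway -join ', ')
                HasGateway = [bool]$_.DefaultIPGateway
            }
        }
}

# The domain input: the Domain profile needs a domain member that can locate a DC.
function Test-DomainControllerReachable {
    $cs = Get-WmiObject Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return 'Not a domain member: the Domain profile cannot apply on this computer.'
    }
    $domain = $cs.Domain
    $output = & nltest.exe "/dsgetdc:$domain" 2>&1
    if ($LASTEXITCODE -eq 0) {
        $dcLine = ($output | Where-Object { $_ -match 'DC:' } | Select-Object -First 1)
        return "DC locator succeeded for ${domain}: $dcLine"
    }
    $firstLine = ($output | Select-Object -First 1)
    return "DC locator FAILED for ${domain} (check DNS and DC reachability on this interface): $firstLine"
}

# The result: the firewall profile the host is actually enforcing right now.
function Get-ActiveFirewallProfile {
    netsh advfirewall show currentprofile | Where-Object { $_ -match 'Profile Settings' }
}

Write-Host '== Networks as seen by NLA =='
Get-NlaNetworkReport | Format-Table Name, Category, Internet -AutoSize
Write-Host '== Adapters and their default gateways =='
Get-AdapterGatewayReport | Format-Table Adapter, IPAddress, Gateway, HasGateway -AutoSize
Write-Host '== Domain controller reachability =='
Test-DomainControllerReachable
Write-Host '== Firewall profile currently enforced =='
Get-ActiveFirewallProfile
```

An adapter that reports HasGateway = False is the "Unknown" case from the post, and a failed DC locator call on a domain member points at the DNS or domain controller problem from the first point above. Note that Windows Vista and Server 2008 enforce a single firewall profile for the whole computer, the most restrictive one among the connected networks, so one gateway-less NIC is enough to put the entire host on the Public profile.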
I hope this helps you understand why a network may be identified as an “Unknown” network.
The Windows 7 beta is available and there are some changes to the way NLA handles network identification. If you are interested in checking out what is in the beta, I'd encourage you to download it from your MSDN or TechNet subscription and try it. I think you will like it!
What about the case where you have a second NIC on an internal (rack only) subnet for iSCSI traffic, where you do not need/want to have a gateway specified? In that case it would be helpful to be able to have that network as Domain (or at least private) so that it doesn't lock down the whole profile to public.
Do the new features in Win7 allow for that, and if so, will they be implemented in 2k8 R2?
My questions are the same as Kris's, about the cases of heartbeat cluster NICs and dedicated NLB unicast NICs (as a second machine NIC).
My primary home network is a wireless one. However, at times I connect my laptop and desktop using an Ethernet crossover cable when transferring large files. Why doesn't Windows identify that the computers I'm connecting are part of my home network and assign the "Home" profile to the wired network?
Has anyone discovered a resolution to the second NIC issue? We use a separate NIC/VLAN for SQL connectivity that has no gateway assigned and always shows up as "Unknown Network". Our primary NIC shows up correctly as Domain. This seems like a common scenario; is there no solution without disabling the firewall?
My computer is connected to the internet through a 3G USB modem. It works fine. The problem is connecting my laptop to the computer. There is no gateway between them, so they will always be in an 'unknown' network. Again I have to disable the firewall. "Since security is a top priority in Windows Vista", maybe there is something wrong in the design?
I understand the philosophy behind this, but it is very inconvenient when the computers on my network are not connected and do not connect to the internet. If I disable the firewall, can I bypass that "unknown network," public network nemesis, and will the network remain private? This network is a media network only, with two extenders and two computers. The public designation is playing havoc on the entire system.
Recently I came across the xNIC issue above on my Virtual Labs. After some searching and testing I managed to solve the problem as follows:
Case of not having a DC:
- Option one: You could enter a gateway address for the 2nd NIC. This gateway can be the same as the one from the first NIC.
- Option two: You could make some routing changes in the machine's routing table for all NICs, like this (well, this option is the same as above):
route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 <gateway address> metric 1 if <interface index>
Using either of the options above will cause NLA to identify each NIC and add them to the Private network profile. I know, having gateways on NICs might cause other issues, but skipping them will also cause you a headache :D
Case of having a DC:
- I still did not test this one myself. I am on it.
I understand why this feature is beneficial on the client side but so far this feature has been nothing but a headache on the server side. I have 2 servers, one 2k8, one 2k8 R2. The 2k8 server no matter what I do keeps seeing the network as unidentified while the R2 box is connected. It's the same hardware, same VLAN, same switch, etc..
Fantastic article about why I have my problem, with no solution to it. "This is why your new Windows computer (worse, my previously working XP computer) DOESN'T connect to the internet! Isn't it great!"
No, it isn't. 2 days with Win7, no internet. A new record. This is even longer downtime than my 'upgrade' to ME.
Check out my new Facebook group: Don't Upgrade to Windows 7.
Turning off the firewall seems to have solved my problem. The network is still identified as public, but file sharing is no longer disabled.
"A key part of this identification is based on the gateway device. If there is enough information for Windows to uniquely identify the connection, then Windows will remember your choice of network profiles and apply it the next time you connect."
What this REALLY means is:
1) There must be an IP address entered for the gateway value.
2) There must be a device at that IP address that responds when pinged.
It does NOT have to be a gateway device, just any device that will respond. I have mine pointed at a network printer and it recognizes the network every time. Another idea is to point it at the management address on a switch, although I haven't tried that.
I also administer several servers with 2 NICs. With 2003 Server, it's a piece of cake to open *just* RDP (3389) on the external NIC, and of course let the LAN side share files, as a server should. With 2008 Server (both flavors) the inability to define firewall profiles between the 2 different NICs breaks BOTH of these functionalities. For administrators who know what they are doing, this is frustrating as hell, and even insulting. Not to mention stupid and dangerous that the ONLY work-around is to disable the firewall. I sure hope we are allowed to properly configure our security for ourselves soon.
Thanks at least for posting this information, after months of wasted time I'll stop looking for a way to restore the functionality I had in 2003 Server. That's too bad, I was hoping to migrate my customers to 2008.
I have to say, the network config in 2008 is terrible!!
Really good information and basics for Profiles and how network location works.