A question that has come up from time to time is how and why Windows Vista and Windows Server 2008 detect a network as “unknown”. I hope the following explanation is helpful.
Network Location Awareness or NLA is the service that determines what kind of connectivity you have on a Windows Vista or Windows Server 2008. It makes connection specific information available to other applications and services. The Advanced Firewall in Windows Vista and Windows Server 2008 uses the NLA information to apply specific firewall settings. For example, if you are connected only to a Domain network, then the Advanced Firewall will apply the Domain firewall profile.
The following TechNet article details how the decision process happens in NLA. http://technet.microsoft.com/en-us/magazine/2007.06.vistafirewall.aspx Jump to the “Network Profiles” section.
The Domain profile is only applied if you are connected to a Domain network. There is no way for a user to manually set the Domain profile.
When a network is detected that is not a Domain based network, you will be prompted to supply a network profile. Here is a breakdown of the network profile options and the firewall profile that will apply:
Firewall Profile Applied
Since you are likely to connect to the same network, such as your home network, Windows tries to uniquely identify each network. A key part of this identification is based on the gateway device. If there is enough information for Windows to uniquely identify the connection, then Windows will remember your choice of network profiles and apply it the next time you connect. Now that’s handy!
If the connection has no gateway, then the network is labeled as “Unknown”. When you see this, think to yourself, “There is not enough information for Windows to uniquely identify this network”. I won’t go into too much detail about what is used to uniquely identify the network, other than to say that Windows needs a minimum amount of information to make sure that it is not connecting to spoofed version of a network. An “Unknown” network will apply the Public network profile and the Public firewall profile. The user can manually change the network profile to Work or Home to have a less restrictive firewall profile applied.
Since Windows cannot uniquely identify the network, Windows is not going to know if you connect to it again. So, your network profile choice is transient and will only be applied until you lose connectivity to that network. If you reboot your machine, you will need to set a network profile for the “Unknown” connection again.
At first blush this may seem like a lot of extra work. However, consider the security impact of setting a persistent network profile on a network that Windows cannot identify. Since Windows cannot uniquely identify the network, if a persistent network profile were applied, it may be applied on a network that the user did not originally intend to be marked as a private network.
Here are a couple of points to consider:
If the connection should be identified as a Domain network and is not, then the likely causes are failure to contact DNS servers or domain controllers on that interface. Make sure that these resources are available.
If the network is not a Domain network and there is no default gateway configured, or the gateway is not available, the network will be categorized as “Unknown” and the Public profile and Public firewall policy will be applied to the computer.
I hope this helps you understand why a network may be identified as an “Unknown” network.
The Windows 7 beta is available and there are some changes to the way NLA handles network identification. If you are interested checking out what is in the beta, I’d encourage you to download it from your MSDN or TechNet subscription and check it out. I think you will like it!
This bit me today. Very frustrating. I have a 192.x.x.x network behind my servers that is used for inter-server traffic. There is no gateway on this network for security reasons!!!
Frankly, any network that doesn't have a gateway should be private by default right? The public can't get to it!