
Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs

http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx[2013-10-15 20:57:00]


Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles

MichaelPlatts [msft] 8 Sep 2010 12:47 PM

I am writing this blog post because we get a lot of questions regarding how NLA determines a network profile and how it relates to Firewall Profiles, as the two are often confused.

What is NLA?

First let’s start with what NLA does. For each network interface the PC is connected to, NLA aggregates the network information available to the PC and generates a globally unique identifier (GUID) to identify each network. In other words, it creates a Network Profile for any network it connects to. The Windows Firewall then uses that information to apply rules from the appropriate Windows Firewall Profile. This allows you to apply a different set of Firewall rules depending on which network you are connected to. For example, a Public network could get a very restrictive set of rules, a Home network could get a less restrictive set of rules, and a Managed network could get a set of rules determined by an administrator. NLA can be used for more, but I want to focus on how it interacts with the Windows Firewall.

How Does NLA work?

So how does NLA determine which network it is connected to? It depends on which Windows version you are using.

Windows XP

In Windows XP and Windows Server 2003, detection is pretty basic and there are only 2 network profiles: Domain and Standard. If the Connection Specific DNS Name matches the “HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName” registry value, you get the Domain Profile. Otherwise, you get the Standard Profile. You can find more detail about Windows XP in the following Cable Guy article: http://technet.microsoft.com/en-us/library/bb878049.aspx

Windows Vista and later…


Since the Firewall in Windows XP only supported two firewall profiles, this system worked pretty well. The problem was that people don’t connect to just two kinds of networks and found they wanted a restricted set of firewall rules when connected to a public hotspot and a less restrictive set when they were at home, in addition to the firewall rules required by their admin. In Windows Vista, Microsoft introduced a new set of firewall profiles: Domain, Public, and Private. The idea is that any new/unidentified network will get the Public (most restrictive) profile to start with. If you are then found to be on the domain network, you will get the Domain (managed) profile provided by your administrator. That leaves the Private profile for users to configure in their own (semi-trusted) environment. To support the Private profile, network detection had to be enhanced. This was accomplished by gathering various characteristics about the network and using that information to create a network profile and assign a unique GUID that could be used to identify that network. Network identification still starts the same way that Windows XP did, by determining if you are on the domain, and if that fails it will try to match to a Network profile. The important thing to remember about Windows Vista is that you now have 3 profile choices but you can only have a single active Firewall Profile. So if the machine is multi-homed with a VPN connection, for example, you only get one Profile for all interfaces.

Windows 7

The big change in Windows 7 from Windows Vista is that now you can have multiple active profiles. The same network identification process takes place, but it is done for each interface. So now, for example, a VPN interface can have the Domain profile assigned while the physical interface can get the Public profile and be protected.

Note: Not all VPN clients work this way. The Microsoft VPN client registers as a network interface and will get an associated Firewall Profile, but third-party VPN clients may not register and thus would not get an associated Profile. The VPN connection will still work but the system will not be protected by the Microsoft Firewall on that VPN interface.

Step 1 - Domain Determination

In all cases, detection starts the same way that it does in Windows XP. If the Connection Specific DNS Name matches the “HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName” registry key, then the machine will attempt to contact a Domain Controller via LDAP. If both these steps succeed, you will get the Domain profile. It is important to note that if the steps succeed, processing stops here. This allows you to roam across multiple access points in the same domain without having to stop and identify each of them individually.

Step 2 - Network Identification

If the above steps complete without a match to the domain, NLA will evaluate the network characteristics to see if it can identify a match. If a profile has already been created for that network (not to be confused with the Firewall Profile), the interface will get the Firewall profile associated with that network, either Private or Public. If the network is not identified by either of the above methods, it will remain on the Public profile.

Note: By default all new/unidentified interfaces get the Public Profile.

So how does it know which profile to associate with a network? Good question. The user is prompted when a new network is identified. They have a choice of Home, Work, or Public.


Home and Work will both give you the Private profile while Public will of course give you the Public profile. I am often asked if this can later be changed; the answer is yes. In the Network and Sharing Center, there is a link to “Customize” the network settings.


Note: Customization does not apply to the Domain profile as it is determined by your administrator.
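The two-step decision described above (domain determination, then network identification, with Public as the fallback) as an added Python model; this is illustration code written for this page, not anything shipped in Windows. It uses the Windows 7 per-interface rule, a hypothetical NetworkName value and constructed interfaces, and shows why a matching DNS suffix without a reachable DC does not earn the Domain profile.

```python
from dataclasses import dataclass
from typing import Dict, Optional

DOMAIN, PRIVATE, PUBLIC = "Domain", "Private", "Public"


@dataclass
class Interface:
    name: str
    dns_suffix: str                   # connection-specific DNS suffix seen on this interface
    dc_reachable: bool                # did the LDAP contact to a domain controller succeed?
    network_signature: Optional[str]  # signature NLA built from gateway MAC, suffix, etc.


def user_choice_to_profile(choice: str) -> str:
    """Map the prompt shown for a new network (Home / Work / Public) to a firewall profile."""
    return {"home": PRIVATE, "work": PRIVATE, "public": PUBLIC}[choice.lower()]


def assign_profile(iface: Interface, gp_network_name: str,
                   known_networks: Dict[str, str], unidentified_default: str = PUBLIC) -> str:
    # Step 1: domain determination. Both the suffix match and the DC contact must succeed;
    # a matching suffix alone is not enough (the post notes the suffix can be spoofed).
    # If both succeed, processing stops here.
    if iface.dns_suffix.lower() == gp_network_name.lower() and iface.dc_reachable:
        return DOMAIN
    # Step 2: network identification against the network profiles NLA created earlier
    # (keyed by signature, valued by the profile the user chose: Private or Public).
    if iface.network_signature is not None and iface.network_signature in known_networks:
        return known_networks[iface.network_signature]
    # Unidentified network: Public by default, or Private when the "Unidentified Networks"
    # Network List Manager policy has been set that way.
    return unidentified_default


def assign_all(interfaces, gp_network_name, known_networks, unidentified_default=PUBLIC):
    """Windows 7 rule: the evaluation runs independently for each interface."""
    return {i.name: assign_profile(i, gp_network_name, known_networks, unidentified_default)
            for i in interfaces}


# Constructed scenario: a multi-homed Windows 7 laptop with a VPN up.
GP_NETWORK_NAME = "corp.example.test"   # hypothetical NetworkName registry value
KNOWN_NETWORKS = {
    "sig-home-router": user_choice_to_profile("Home"),   # the user answered "Home" once
}
INTERFACES = [
    Interface("VPN", "corp.example.test", dc_reachable=True, network_signature=None),
    Interface("Wi-Fi", "hotspot.example.test", dc_reachable=False, network_signature="sig-cafe"),
    Interface("Ethernet", "home.example.test", dc_reachable=False,
              network_signature="sig-home-router"),
    # Suffix matches the domain but no DC answers: must not become Domain.
    Interface("SuffixOnly", "corp.example.test", dc_reachable=False, network_signature=None),
]

if __name__ == "__main__":
    for name, profile in assign_all(INTERFACES, GP_NETWORK_NAME, KNOWN_NETWORKS).items():
        print(f"{name:10s} -> {profile}")
```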

Private Network Characteristics

Generally, the next question I am asked is about the characteristics that are used to identify a network. Based on pieces of information I have collected myself and from this MSDN article that provides information on what NLA can tell you about the network, I have put together the following table that I think covers what is used to identify a network.

This table shows the list of network characteristics NLA provides and indicates how applications may use them:

Characteristic: Managed
Description: Indicates when the computer is managed by a domain controller.
Application: Typically, computers that are part of a corporate network are members of a domain that is managed by one or more domain controllers. Therefore, the presence of such a domain controller usually indicates that the network is a corporate network. Applications may use this indication to attempt to discover and connect to corporate resources. Applications may also use this indication to apply policy or settings that are specific to the corporate network.

Characteristic: Bandwidth
Description: Indicates the bandwidth of a TCP connection.
Application: Applications may adjust their behavior based on the bandwidth of a TCP connection. For example, if the bandwidth to a mail server is low, then a mail client application may choose to download only the headers of messages, rather than entire messages.

Characteristic: Internet Connectivity
Description: Indicates connection to the Internet.
Application: Applications can use this as an indication that they can discover and connect to servers on the Internet or establish a virtual private network (VPN) connection to the corporate network via the Internet.

Characteristic: Primary DNS Suffix
Description: The name of the domain of which the computer is a member, or the DNS suffix of the computer's full computer name.
Application: Domain names are closely related to the infrastructures of networks and as a consequence remain relatively static. When a computer moves around or returns to a given network, its Internet Protocol (IP) address may change, but its domain name suffix is likely to be the same. Applications can use this as a hint that the computer is connected to the same network and apply policy or settings accordingly. However, the DNS suffix can be spoofed. Therefore, for applications where accurate network determination is needed, the DNS suffix should not be used as the only network identifier.

Characteristic: DC Authenticated
Description: Indicates that the domain controller (DC) of the domain of which the computer is a member has authenticated the computer.
Application: When the DC has authenticated the computer, applications may have a degree of confidence that the computer is on the corporate network and use this indication to apply policy or settings that are specific to the corporate network.

Characteristic: Host IP address
Description: The IP address of the computer.
Application: If the IP address of the computer is a public IP address, then remote applications can use it to establish a connection to the computer. For example, a help and support application could relay the computer's IP address to the corporation's help and support center, along with a description of the issues it might be experiencing, so that a technician may connect to the computer to assist.

Characteristic: Subnet Mask
Description: The subnet mask of the subnet to which the computer is connected.
Application: The subnet mask is used along with the host IP address to obtain the network ID of the subnet.

Characteristic: Subnet IP address
Description: The network ID of the subnet to which the computer is connected.
Application: Applications may require a more granular network definition than a domain-wide network. The network ID allows applications to identify the specific subnet to which the computer is connected. Group policy may be applied per subnet. As a result, it may also be useful for help and support applications to note the subnet to which the user is connected in order for a technician to resolve any issues. The subnet network ID is the host IP address logically ANDed with the subnet mask.

Characteristic: Default Gateway IP address
Description: The IP address of the default gateway.
Application: Like domain controllers, gateways (routers) on a subnet are also relatively static. Although the user may roam within a network and connect at different places, when they are configured with the same default gateway, it is likely that they are on the same subnet. Thus, applications may use the default gateway IP address as an indication that the user is on a particular subnet. Applications that require a more granular network definition than a domain-wide network may also use the default gateway IP address. This is particularly useful on home networks because home users typically do not have their own domain.

Characteristic: WINS
Description: Indicates whether the computer is connected to a network on which a Windows Internet Name Service (WINS) server is present.
Application: In some enterprises, WINS may be used to resolve Network Basic Input/Output System (NetBIOS) names into IP addresses. In such enterprises, the presence of a WINS server may be used as an indication that the network is a corporate network.

Characteristic: SSID
Description: When connected to a Wireless Network.

Characteristic: Default Gateway MAC address
Description: The MAC address is more unique than an IP address and therefore makes a better characteristic.

Characteristic: 802.1x Auth
Description: Whether the PC is 802.1x authenticated to the given network.

“Unknown”

The “unknown” status has been covered by one of my colleagues in a different blog so I won’t go into detail here, but I’ll provide a link if you would like to read more about it.

http://blogs.technet.com/b/networking/archive/2009/02/20/why-is-my-network-detected-as-unknown-by-windows-vista-or-windows-server-2008.aspx

It simply means that Windows cannot uniquely identify the network and will apply the Public profile. Generally this is because there is no default gateway and the machine is not domain-joined.

Forcing a Profile via GPO

You can use Group Policy to force certain settings. For example, you can set unidentified networks to get the Private Profile by default.

There are four policies available beneath Computer Configuration->Windows Settings->Security Settings->Network List Manager Policies:

<The domain name>
Unidentified Networks
Identified Networks
All Networks


Summary

NLA attempts to identify the network you are connecting to so that you can apply an appropriate set of Firewall rules based on the connection type. It attempts to match the Connection Specific DNS suffix to the domain you are joined to, and if they match you get the Domain firewall profile. Windows Vista adds the additional requirement of successfully connecting to a DC. If that does not succeed, other networks are identified using various infrastructure characteristics and then a unique GUID is assigned to form a Network Profile.

Technical Specifics

Lastly, I want to share additional technical information about how and where NLA stores information in Windows Vista and later.

More about Domain Determination

Another question I am often asked is about what calls are made when determining if the domain is accessible. This article has the most thorough description I know of:

980873 A computer cannot identify the network when the computer is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, and is a member of a child domain

The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests

If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.

The Registry Details


Most info regarding NLA will be stored under the following three places:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList
HKLM\Software\Microsoft\Windows\CurrentVersion\HomeGroup
C:\Windows\System32\NetworkList

Historical data can be found under the Cache key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache

Profiles are stored under the profiles key. Notice the GUID:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}

"ProfileName"="corp.microsoft.com"
"Description"="corp.microsoft.com"
"Managed"=dword:00000001
"Category"=dword:00000002
"DateCreated"=hex:d9,07,0b,00,01,00,10,00,11,00,30,00,1c,00,68,02
"NameType"=dword:00000006
"DateLastConnected"=hex:da,07,07,00,04,00,0f,00,03,00,12,00,1d,00,b9,03

And managed Networks are stored under the Signatures\Managed key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed\010103000F0000F0A00000000F0000F077ABED71E35E1237A502490669F3BF81

"ProfileGuid"="{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}"
"Description"="corp.microsoft.com"
"Source"=dword:000000a0
"DnsSuffix"="northamerica.corp.microsoft.com"
"FirstNetwork"="corp.microsoft.com"
"DefaultGatewayMac"=hex:00,07,b3,00,00,00

While unmanaged networks are stored under Signatures\Unmanaged:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
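As an added example (not code from the post), a small Python parser for the .reg-style values quoted above, the kind of thing you reach for when reviewing a machine's network history from an exported NetworkList key: it turns dword/hex values into ints and bytes, maps Category to a profile name (0 Public, 1 Private, 2 Domain, the NLM_NETWORK_CATEGORY numbering; the sample's 2 matches its Managed flag), decodes the DateCreated/DateLastConnected blobs as 16-byte SYSTEMTIME structures, and formats the gateway MAC.

```python
import re
import struct
from datetime import datetime

# Meaning of the Category DWORD in a NetworkList profile (NLM_NETWORK_CATEGORY values).
CATEGORY = {0: "Public", 1: "Private", 2: "Domain"}

# The profile and managed-signature values quoted in the post, one value per line as a
# .reg export writes them; the [key] header line is included to show the parser skips it.
SAMPLE_PROFILE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}]
"ProfileName"="corp.microsoft.com"
"Description"="corp.microsoft.com"
"Managed"=dword:00000001
"Category"=dword:00000002
"DateCreated"=hex:d9,07,0b,00,01,00,10,00,11,00,30,00,1c,00,68,02
"NameType"=dword:00000006
"DateLastConnected"=hex:da,07,07,00,04,00,0f,00,03,00,12,00,1d,00,b9,03
'''

SAMPLE_SIGNATURE = r'''
"ProfileGuid"="{985EE69C-23B4-4D38-AC66-5F0D6AD8A128}"
"Description"="corp.microsoft.com"
"Source"=dword:000000a0
"DnsSuffix"="northamerica.corp.microsoft.com"
"FirstNetwork"="corp.microsoft.com"
"DefaultGatewayMac"=hex:00,07,b3,00,00,00
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')


def parse_reg_values(text: str) -> dict:
    """Parse "name"=value lines: dword: -> int, hex: -> bytes, quoted -> str."""
    values = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = VALUE_RE.match(line)
        if not m:
            continue                      # blank lines and [key] headers
        name, value = m.group("name"), m.group("value")
        if value.startswith("dword:"):
            values[name] = int(value[len("dword:"):], 16)
        elif value.startswith("hex:"):
            values[name] = bytes(int(b, 16) for b in value[len("hex:"):].split(","))
        else:
            values[name] = value.strip('"')
    return values


def systemtime_to_datetime(blob: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME: 8 little-endian WORDs, year through milliseconds."""
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # SYSTEMTIME numbers Sunday as 0, Python numbers Monday as 0: cross-check the field.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError("day-of-week field disagrees with the date")
    return dt


def format_mac(blob: bytes) -> str:
    return ":".join(f"{b:02x}" for b in blob)


def describe_profile(values: dict) -> dict:
    return {
        "name": values.get("ProfileName"),
        "category": CATEGORY.get(values.get("Category"), "Unknown"),
        "managed": bool(values.get("Managed", 0)),
        "created": systemtime_to_datetime(values["DateCreated"]),
        "last_connected": systemtime_to_datetime(values["DateLastConnected"]),
    }


if __name__ == "__main__":
    print(describe_profile(parse_reg_values(SAMPLE_PROFILE)))
    sig = parse_reg_values(SAMPLE_SIGNATURE)
    print(sig["ProfileGuid"], sig["DnsSuffix"], format_mac(sig["DefaultGatewayMac"]))
```

The day-of-week cross-check catches a blob that is not really a SYSTEMTIME, which is worth having when the values come from a damaged or hand-edited hive.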

I think that about sums it up for now; I hope you find this information useful.

- David Pracht


Comments

Argon.pro 12 Oct 2010 1:19 AM

Dear Enterprise Networking Team,

I want to test DirectAccess in a virtual environment, so I've installed, on a WS2008R2 virtual machine which serves as an IPv4/v6 router from the test to the production network, an additional NIC, and configured it with random non-private IP addresses

88.10.0.1

88.10.0.2

no default router, no dns.

Windows detects this NIC as Domain, so I cannot enable DirectAccess. This NIC is connected to a virtual network dedicated for Win7 test clients only.

What should I do to make this NIC detected as Public?

Kind regards,

Igor Romanovsky

MCITP: EA, EMA, VA; MCSA

dmstrouse 9 Dec 2010 9:21 AM

Could you explain how NLA is affected by IPSec?

JuanAnD 13 May 2012 12:15 PM

Great article! Could you edit with some details about Windows 8?

Thanks!