Server 2008 R2 Firewall switches to public or private from domain


I have a couple of servers running Windows 2008 R2 that are switching from Domain to Public or Private profiles. I feel like my issue might be GPO related but I don't know for sure. I am testing a new GPO structure in my org since GPO is not widely used and I wanted to start using firewall rules more since the current admin "doesn't like using them as they are too hard to configure". Currently I have 3 GPOs applied to these servers:

  1. A generic server GPO that adds some users/groups to local admin and sets log on as a service rights
  2. A 2008 server firewall rule set that allows several items in the domain profile of the firewall rules, i.e. allowing a port to be open for a monitoring agent daemon.
  3. A server-specific GPO (the GPO is assigned to the computer object via security filtering) that adds to the log on as a service rights and opens more ports on the firewall (in this specific case, ports for BESx to work).

Somehow the computer loses connection to the DC and NLA puts the computer in Private or, in a couple of cases, Public. I have no rules set for those profiles, so by default all outbound traffic is dropped, which prevents pretty much everything from communicating. Which might explain why I can get out of it. What I have to do to reset it is stop the "Windows Firewall" service, do a gpupdate and restart the NLA service. That usually puts it back to the Domain profile.

The problem is that if I reboot that server again it just ends up with the same issue. Is it common practice to set rules on the Private and Public profiles to allow certain outbound traffic so that if they flip to Public or Private they will have the access to flip back? Typing that sentence doesn't even make much sense to me. It also seems more of a workaround than a solution.

I might be missing a best practice here. In the end I want to have a GPO for all servers and then a specific GPO for the individual server role, i.e. BlackBerry or Citrix server. They should share configuration of firewall rules but never contest with each other, since one rule should not exist in the other. If nothing else, for the time being I have no intention of making deny rules. I should be able to do this model, I think?

Point me in the right direction. I know I can't alter NLA so I need to set up the firewall to work with it. I might not be coming at this from the right angle. Should I be altering the Private and Public profiles?
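The following is an added diagnostic script, not part of the original post and not something the poster supplied. It makes the situation described above observable on a 2008 R2 box before anyone changes policy: which firewall profile NLA has currently selected, whether each profile has the firewall on and outbound set to Block, how many enabled outbound allow rules actually land in each profile (the poster expects zero for Private and Public), whether a domain controller can be located, and the recent NLA category-change events. The last function simply encodes the poster's manual reset sequence (stop the firewall service, gpupdate, restart NLA) and adds starting the firewall service again afterwards. Assumptions: Windows Server 2008 R2 with its built-in PowerShell 2.0, run from an elevated prompt; the `HNetCfg.FwPolicy2` COM object (INetFwPolicy2), the `Microsoft-Windows-NetworkProfile/Operational` log, `nltest` and `gpupdate` are all present on that platform; the `-Force` on `Restart-Service NlaSvc` is there because other services depend on NLA.

```powershell
# Added example (not from the original post). Diagnostics for the
# Domain -> Private/Public profile flip described above, plus the poster's
# manual reset sequence. Assumes Windows Server 2008 R2, PowerShell 2.0,
# elevated prompt.

# INetFwPolicy2 profile bitmask: 1 = Domain, 2 = Private, 4 = Public
$ProfileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

function Get-FirewallProfileState {
    # CurrentProfileTypes is the NLA-derived active profile(s) as a bitmask.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $policy.CurrentProfileTypes

    $report = foreach ($bit in 1, 2, 4) {
        # Enabled, outbound (Direction 2), allow (Action 1) rules that apply
        # to this profile. Zero here with DefaultOutboundAction = Block is
        # exactly the "everything is dropped" state the post describes.
        $outboundAllow = @($policy.Rules | Where-Object {
            $_.Enabled -and $_.Direction -eq 2 -and $_.Action -eq 1 -and
            (($_.Profiles -band $bit) -ne 0)
        }).Count

        New-Object PSObject -Property @{
            Profile               = $ProfileNames[$bit]
            Active                = (($active -band $bit) -ne 0)
            FirewallEnabled       = $policy.FirewallEnabled($bit)
            # DefaultOutboundAction: 0 = Allow, 1 = Block
            DefaultOutboundAction = $(if ($policy.DefaultOutboundAction($bit) -eq 1) { 'Block' } else { 'Allow' })
            OutboundAllowRules    = $outboundAllow
        }
    }
    $report | Format-Table Profile, Active, FirewallEnabled, DefaultOutboundAction, OutboundAllowRules -AutoSize
}

function Test-DomainControllerReachable {
    # If no DC can be located, NLA will not classify the network as Domain;
    # this mirrors the "loses connection to the DC" symptom in the post.
    $out = & nltest /dsgetdc: 2>&1
    $ok = ($LASTEXITCODE -eq 0)
    if (-not $ok) { Write-Warning ("No DC located: " + ($out -join ' ')) }
    return $ok
}

function Get-RecentProfileChanges([int]$Count = 10) {
    # NLA records its network category decisions here; the timestamps show
    # when the server dropped out of Domain (e.g. straight after a reboot).
    Get-WinEvent -LogName 'Microsoft-Windows-NetworkProfile/Operational' `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Reset-FirewallProfile {
    # The poster's manual recovery: stop Windows Firewall (MpsSvc), refresh
    # policy, restart NLA (NlaSvc) so it re-evaluates the network category.
    # Starting MpsSvc again afterwards is added here; -Force is needed
    # because other services depend on NlaSvc (assumption for 2008 R2).
    Stop-Service MpsSvc -Force
    & gpupdate /force | Out-Null
    Restart-Service NlaSvc -Force
    Start-Service MpsSvc
    Get-FirewallProfileState
}

# Usage: inspect first; only run Reset-FirewallProfile when the box is stuck.
Get-FirewallProfileState
if (-not (Test-DomainControllerReachable)) { Get-RecentProfileChanges 5 }
```

The same active-profile and per-profile settings can be read at a cmd prompt with `netsh advfirewall show currentprofile` and `netsh advfirewall show allprofiles`; the script exists to put the rule counts, DC reachability and NLA event times side by side so it is clear whether the flip is caused by the DC being unreachable at boot (NLA never sees Domain) or by the policy itself.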
