We are piloting DirectAccess (DA) on Windows 7 and are using SEP's firewall (latest release). To get DirectAccess to work, it seems you need to use the Windows Firewall for connection security, thus the firewall needs to be on.
This seems to work ok, however one of our machines that is configured for DirectAccess (via GPO) behaves a little funny with regard to SEP and Windows Firewall.
When the machine boots, DHCP doesn't work correctly on a wired connection. When you log into the machine and run
netsh advfirewall monitor show firewall
You get this. Notice how Windows Firewall is enabled for all firewall categories. We really only want it enabled for the ConSecRuleCategory so that DA works.
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions ICMP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulFTP Enable
StatefulPPTP Enable
Main Mode:
KeyLifetime Access Denied
SecMethods Access Denied
ForceDH Access Denied
Categories:
BootTimeRuleCategory Windows Firewall
FirewallRuleCategory Windows Firewall
StealthRuleCategory Windows Firewall
ConSecRuleRuleCategory Windows Firewall
Also, looking at the Windows Firewall log, it seems that the Windows Firewall is dropping DHCP replies, which is probably why DHCP is failing... however,
If I run smc -stop then smc -start and run the same firewall command, it looks better:
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions ICMP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulFTP Enable
StatefulPPTP Enable
Main Mode:
KeyLifetime Access Denied
SecMethods Access Denied
ForceDH Access Denied
Categories:
BootTimeRuleCategory Symantec Endpoint Protection
FirewallRuleCategory Symantec Endpoint Protection
StealthRuleCategory Symantec Endpoint Protection
ConSecRuleRuleCategory Windows Firewall
Then, DHCP starts working. The problem comes back when the machine is rebooted.
Has anyone ever seen this? Has anyone configured DirectAccess with SEP installed? Are there any best practices? I've looked around here and there isn't any chatter about it that I can find.
A co-worker has opened a ticket with Symantec, but is getting the standard "did you uninstall and reinstall?", etc. Not really a good solution if we roll this out and some of our machines do the same thing.
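One way to spot this condition on a machine before users notice DHCP failing is to parse the same netsh output the post quotes and check who owns each category, plus count dropped DHCP replies in the firewall log. This is an added example, not code from the original post or from Symantec; it assumes the default pfirewall.log location and that dropped-packet logging is enabled in the Windows Firewall profile.

```powershell
# Added example: report which product owns each Windows Firewall category
# (SEP should own the first three once its client is up; DirectAccess needs
# ConSecRuleRuleCategory to stay with Windows Firewall) and count dropped DHCP
# replies. Assumes the default log path; adjust $LogPath if a GPO moves it.
param(
    [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [string]$ExpectedOwner = 'Symantec Endpoint Protection'
)

function Get-FirewallCategoryOwners {
    param([string[]]$NetshOutput)
    $owners = @{}
    $inCategories = $false
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Categories:') { $inCategories = $true; continue }
        # Lines under "Categories:" look like "FirewallRuleCategory  Windows Firewall"
        if ($inCategories -and $line -match '^\s*(\w+Category)\s+(.+?)\s*$') {
            $owners[$Matches[1]] = $Matches[2]
        }
    }
    return $owners
}

function Get-DhcpDropCount {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 0 }
    # W3C log fields: date time action protocol src-ip dst-ip src-port dst-port ...
    # A DHCP reply is UDP from server port 67 to client port 68.
    $count = 0
    foreach ($line in Get-Content $Path) {
        $f = $line -split '\s+'
        if ($f.Count -ge 8 -and $f[2] -eq 'DROP' -and $f[3] -eq 'UDP' -and
            $f[6] -eq '67' -and $f[7] -eq '68') { $count++ }
    }
    return $count
}

$owners = Get-FirewallCategoryOwners (netsh advfirewall monitor show firewall)
foreach ($cat in 'BootTimeRuleCategory', 'FirewallRuleCategory', 'StealthRuleCategory') {
    if ($owners[$cat] -ne $ExpectedOwner) {
        Write-Warning "$cat is owned by '$($owners[$cat])', expected '$ExpectedOwner'"
    }
}
if ($owners['ConSecRuleRuleCategory'] -ne 'Windows Firewall') {
    Write-Warning "ConSecRuleRuleCategory is not owned by Windows Firewall; DirectAccess IPsec rules will not apply"
}
$drops = Get-DhcpDropCount -Path $LogPath
if ($drops -gt 0) { Write-Warning "$drops dropped DHCP replies found in $LogPath" }
```

Run it at logon (or from a scheduled task after boot) to log which machines come up in the bad state, rather than discovering it when DHCP fails.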