Endpoint Protection

  • 1.  Anyone Configured SEP with DirectAccess in Windows 7

    Posted Nov 30, 2010 06:38 PM

    We are piloting DirectAccess (DA) on Windows 7 and are using SEP's firewall (latest release). To get DirectAccess to work, it seems you need to use the Windows Firewall for connection security thus the firewall needs to be on.

    This seems to work ok, however one of our machines that is configured for DirectAccess (via GPO) behaves a little funny with regard to SEP and Windows Firewall.

    When the machine boots, DHCP doesn't work correctly on wired connection. When you log into the machine and run


    netsh advfirewall monitor show firewall


    You get this. Notice how Windows Firewall is enabled for all firewall categories. We really only want it enabled for the ConSecRuleCategory so that DA works.

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
    
    StatefulFTP                           Enable
    StatefulPPTP                          Enable
    
    Main Mode:
    KeyLifetime                           Access Denied
    SecMethods                            Access Denied
    ForceDH                               Access Denied
    
    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall

    Also, looking at the windows firewall log it seems that the windows firewall is dropping DHCP replies, which is probably why DHCP is failing...however..

    If I run smc -stop then smc -start and run the same firewall command, it looks better:

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
     
    StatefulFTP                           Enable
    StatefulPPTP                          Enable
     
    Main Mode:
    KeyLifetime                           Access Denied
    SecMethods                            Access Denied
    ForceDH                               Access Denied
     
    Categories:
    BootTimeRuleCategory                  Symantec Endpoint Protection
    FirewallRuleCategory                  Symantec Endpoint Protection
    StealthRuleCategory                   Symantec Endpoint Protection
    ConSecRuleRuleCategory                Windows Firewall

    Then, DHCP starts working.  The problem comes back when the machine is rebooted.

    Has anyone ever seen this? Has anyone configured DirectAccess with SEP installed? Are there any best practices? I've looked around here and there isn't any chatter about it that I can find.

    A co-worker has opened a ticket with Symantec, but is getting the standard "did you uninstall and reinstall?", etc. Not really a good solution if we roll this out and some of our machines do the same thing.
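As an added check that is not from the thread or from Symantec: a small Python parser for the `netsh advfirewall monitor show firewall` output quoted above, which flags the after-reboot state (every category served by Windows Firewall) and passes the after-`smc -start` state (SEP serving everything except connection security). The sample strings are the Categories blocks copied from the two listings in this post; the expected-owner rule is the one the post describes.

```python
import re

SEP = "Symantec Endpoint Protection"
WF = "Windows Firewall"

# Constructed samples: the Categories blocks from the two netsh listings above.
AFTER_REBOOT = """\
Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall
"""

AFTER_SMC_RESTART = """\
Categories:
BootTimeRuleCategory                  Symantec Endpoint Protection
FirewallRuleCategory                  Symantec Endpoint Protection
StealthRuleCategory                   Symantec Endpoint Protection
ConSecRuleRuleCategory                Windows Firewall
"""


def parse_categories(netsh_output):
    """Return {category: provider} from the 'Categories:' block of netsh output."""
    cats, in_block = {}, False
    for raw in netsh_output.splitlines():
        line = raw.strip()
        if line == "Categories:":
            in_block = True
            continue
        if not in_block or not line:
            continue
        # Category name, two or more spaces, then the provider name.
        m = re.match(r"(\S+)\s{2,}(.+)$", line)
        if m:
            cats[m.group(1)] = m.group(2)
    return cats


def expected_provider(category):
    # DirectAccess needs Windows Firewall only for connection security rules;
    # every other category should be served by the SEP firewall.
    return WF if category.startswith("ConSec") else SEP


def check_ownership(netsh_output):
    """Return [(category, actual, expected), ...] for every mismatched category."""
    return [(c, p, expected_provider(c))
            for c, p in parse_categories(netsh_output).items()
            if p != expected_provider(c)]
```

An empty list from `check_ownership` means the machine is in the state the post wants; a non-empty list after boot reproduces the problem described.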




  • 2.  RE: Anyone Configured SEP with DirectAccess in Windows 7

    Posted Nov 30, 2010 06:41 PM

    My question may be silly but I want to make sure - do you have NTP installed as SEP's component?



  • 3.  RE: Anyone Configured SEP with DirectAccess in Windows 7

    Posted Nov 30, 2010 07:22 PM

    Yes, NTP is installed of course :-)


  • 4.  RE: Anyone Configured SEP with DirectAccess in Windows 7

    Posted Nov 30, 2010 07:33 PM

    _Lunchbox_,

    When SEP's firewall - a part of NTP - is enabled, Windows 7 Action Center will detect it and will disable Windows firewall. If you need to use Windows firewall, I would suggest uninstalling NTP.

    Since NTP is made of firewall and IPS, you may want to keep IPS. In my view it might be enough to disable firewall policy from the console (Policies - Firewall policy assigned to a group where your clients are - Unselect "Enable this policy"). It will disable firewall driver so it should be fine to enable Windows firewall. However, I have not tested it, it's just my assumption.

    Let us know how it works :)



  • 5.  RE: Anyone Configured SEP with DirectAccess in Windows 7

    Posted Nov 30, 2010 08:11 PM

    I completely understand what you are saying, however, that doesn't really answer my question. I do appreciate the idea of disabling the firewall policy, though. That might come in handy in the future.

    The main question I have would be why isn't SEP serving all firewall categories except the ConSecRuleCategory as it does if I run smc -stop and smc -start? Every time I reboot the machine, it goes back to the way it was. Shouldn't it be like my second netsh output all the time?

    The reason I'd like to get it ironed out is mainly because there are three machines we've configured like this and one of them isn't behaving like we'd expect. The other two are. That's 33% of machines so far. I'd hate to have 33% of our machines have this issue if we were to continue with using DirectAccess and thus the ConSec part of Windows Firewall.

    Unless, SEP can do connection security for DirectAccess, but I don't think it can. I don't see it anywhere in the policy.

    We sort of don't have a choice but to have Windows Firewall on, but only serving the connection security category. :)


    Thanks for your help!



  • 6.  RE: Anyone Configured SEP with DirectAccess in Windows 7

    Posted Dec 01, 2010 03:26 AM

    Honestly, at this moment I cannot tell you why SEP FW activates for these three categories only after the services are reset. However I found a page which might be interesting for you: DirectAccess and Third-party Host Firewalls http://technet.microsoft.com/en-us/library/ee382257%28WS.10%29.aspx but I suppose you have already seen it.

    Do all these clients have the same policies?



  • 7.  RE: Anyone Configured SEP with DirectAccess in Windows 7

    Posted Dec 12, 2010 12:18 AM

    I have seen it and it basically describes what a 3rd party firewall should do when integrating with Windows Firewall. It might help Symantec, but it doesn't really help me :)

    I have reinstalled SEP on the machine in question and the behavior persists. :(

    Yes, all the clients in question have the same policies.



  • 8.  RE: Anyone Configured SEP with DirectAccess in Windows 7

    Posted Dec 12, 2010 07:15 AM

    The interesting thing is that when you turn the PC on you've got:

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall

    and with NTP installed WF should be inactive... I have no idea why NTP kicks in only after smc stop and smc -start. Do you have any particular GPO for windows firewall applied to these machines? Maybe some policy messes with WF and creates troubles?