Windows Server Summit 2024
Mar 26 2024 08:00 AM - Mar 28 2024 04:30 PM (PDT)
Microsoft Tech Community
LIVE

Multi-homed Server 2016, NLA & best practice

Iron Contributor

Not really specific to 2016 but just in case things have changed I am most interested in this version of the server OS.

The topic of correctly (securely) configuring a multi-homed server in a non-domain environment does not seem to be well covered. Take the requirement to deploy an Windows Application Proxy or Skype for Business Edge Server in a DMZ. These servers normally have two NIC one configured to face the firewalled internet the other configured to face the firewalled LAN.

The Windows firewall is configured based on profiles, public, private, domain - ignore the latter. We would want to apply public to the internet NIC and private to the LAN NIC. Problem is the service called Network Location Awareness attempts to apply logic to make this process "easier". Unfortunately it doesn't - not just my view but that of many based on a Bing search - you end up fighting it. If NLA can't determine the network it marks it as "unidentified network" and applies a public profile. Many articles suggest you can change this using the PowerShell cmdlet set-netconnectionprofile - you can't what it does is change the profile for ALL NIC identified with the same profile. In the case above changing one NIC interface to public has the result of changing the profile applied to "unidentified network", as both NIC are marked with profile both NIC end up with a private profile.

So what is the correct way of configuring a non-domain joined, multi-homed server in a secure environment?

Cheers

Paul


1 Reply

Hi Paul.

If you think about it, NLA is useful for end user systems that move from network to network. And like most "wizardy" things, it makes assumptions about any situation that it is in. Servers would not normally be moved from network to network, dynamically changing the firewall settings needed.

With server, the best practice, multi homed or not, would be to block all trafic and then only allow the traffic required to pass in or out via the firewall advanced configuration. You could apply all rules to all profiles and control the traffic via source/destination IP/port configuration.

Hope this helps.

Ed Gallagher, MVP