XPsp2 - firewall enable/disable based on net
hutch606
September 9th 04, 03:27 PM
Deploying XP SP2 to laptops. While attached to internal network, they need no
software firewall. However, they travel and connect remotely and do require
the ICF to be enabled. They will be connecting both via wired and wireless
interfaces.
Aside from establishing a cheesy scheduled task to enable/disable ICF based
on local network addresses (192.168.1.0/24 is our network)--have any ideas on
how to accomplish this in a more professional manner? Thanks!!!
Fritz
September 9th 04, 03:35 PM
I'd leave the Windows Firewall enabled at all times then. It'll make your
life easier.
hutch606
September 9th 04, 04:45 PM
Ports must be available for SMS and other software while on the corporate
network. However, I do not want them open while roaming (cable modem, hotels,
etc.).
I realize that it would be easier to leave it on at all times; if that was
feasible, that would have happened. However, as that is not the case, I
posted to see if anybody had helpful suggestions (not the usual mindless
"leave it on" comments).
Fritz
September 9th 04, 06:05 PM
That's why you configure exceptions for the local IP address range. Any
requests from other addresses will be denied.
David Beder [MSFT]
September 10th 04, 08:26 AM
The sp2 firewall has two "profiles", Domain and Standard. When the laptop
believes it is connected to the domain, it will use the Domain profile,
otherwise it will use the Standard settings. Though the control panel UI
only allows configuration of the current profile, the netsh command line
interface as well as group policy allows you to deploy settings specifically
targeting a profile.
It's important to note that the decision of whether the machine is on the
domain is based on a match between the DNS suffix of a network interface and
the equivalent ID of the AD providing group policy. In some cases though,
domain infrastructure is designed such that a match is not possible, leading
to machines using the Standard settings.
A feature exists (only configurable via group policy) to allow for ipsec
authenticated (pki/certs or kerberos) machines to "bypass" the firewall. If
your corporate network has an ipsec deployment you can specify that your sms
servers are allowed to get through the firewall without having to disable it
on the domain.
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
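As an added example (not code from the thread, and not Microsoft's own script), the following batch file puts Fritz's "scope the exception to the local address range" suggestion and David's "netsh can target a profile" remark together for an XP SP2 laptop: the firewall stays enabled in both profiles, the corporate-only exception is added to the Domain profile with a custom scope, and the Standard profile (used while roaming) allows no exceptions at all. The 192.168.1.0/24 subnet comes from the thread; the port number is a placeholder for whatever port the SMS client actually needs, and the `netsh firewall` syntax is the XP SP2 command set.

```batch
@echo off
rem Added example: per-profile Windows Firewall settings via "netsh firewall"
rem (XP SP2). Not from the thread or from Microsoft.
rem Run as a local administrator, e.g. from a startup script or the SP2 deployment.
setlocal

rem Corporate subnet from the thread (192.168.1.0/24), in the mask form netsh accepts.
set CORP_SCOPE=192.168.1.0/255.255.255.0

rem Placeholder: replace with the port(s) your SMS client / other software need.
set SMS_PORT=2701

rem 1. Firewall ON in both the Domain and the Standard profile (never disabled).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
netsh firewall set opmode mode=ENABLE profile=STANDARD

rem 2. Domain profile only: open the SMS port, but only to corporate addresses.
rem    scope=CUSTOM limits the exception to CORP_SCOPE, so a request from any
rem    other address is still dropped even if the Domain profile is active.
netsh firewall add portopening protocol=TCP port=%SMS_PORT% name="SMS (corporate subnet only)" mode=ENABLE scope=CUSTOM addresses=%CORP_SCOPE% profile=DOMAIN

rem 3. Standard profile (cable modem, hotel, hotspot): no inbound exceptions.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

rem 4. Verify: "show state" reports which profile is currently active and what
rem    is open; "show config" lists the settings stored for each profile.
netsh firewall show state
netsh firewall show config

endlocal
```

The check in step 4 matters because of the caveat David raises: profile selection depends on the interface's DNS suffix matching the domain, so after deployment confirm on a docked laptop that `netsh firewall show state` reports the Domain profile. If it reports Standard while on the corporate LAN, the machine will run with the locked-down Standard settings and the SMS exception will never apply; in that case the DNS suffix configuration, not the firewall rules, is what needs fixing.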