• Status: Solved
  • Priority: Medium
  • Security: Public

GPO Firewall Policy

With the Firewall settings, Advanced tab, the PC's network connections are displayed and you can enable or disable (via check) which connection has the firewall setting applied. But, when running the firewall settings from a GPO, how can I designate which connection will get the policies? For example, ActiveSync installs its own local Mobile network. I want to be able to exclude that connection from a GPO firewall policy. Can I?

2 Solutions
The following website has a lot of good information on GPOs relating to the Windows Firewall:


After reading all of the literature, I've come to the conclusion that Windows / Microsoft does not allow you to pick different connections to apply the firewall to when using a GPO. It looks like it is an all-or-nothing type of thing. You have two profiles to choose from when deciding when it will apply the GPO. They are Domain and Standard. The only setting under both of these areas that applies to what you are trying to do is the "Windows Firewall: Protect all network connections" setting. Below are the properties for that setting:

Turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP Service Pack 2.

If you enable this policy setting, Windows Firewall runs and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.

If you disable this policy setting, Windows Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot start it.

If you do not configure this policy setting, administrators can use the Windows Firewall component in Control Panel to turn Windows Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.

Hope this helps... I'm pretty sure that you want to do something that Microsoft just doesn't allow for... at least as of yet!

I had this same problem. I decided to have the techs, as part of the VPN configuration process, disable the Windows firewall for the VPN interfaces. I could find no Microsoft solution, and I was hesitant to make a custom ADM file that could possibly become obsolete or incorrect if VPN settings were changed.

I'll probably revisit the custom .ADM bits when I get a bit more time.
