Public Firewall Blocking Even Though the BESClient.exe is Allowed

Has anyone ever seen this before? For some reason one of our relays has been switching from domain to public profile on reboots or network outages from time to time. I set Network Location Awareness to delayed start and made it dependent on Netlogon, but I also just wanted to make sure BigFix port 52311 is allowed through on all profiles.

However, when I double checked our firewall GPO I see that the rule to allow BESClient, BESRelay, etc. for the program on any port is applied to all profiles. Yet if I switch to public profile I see drops on incoming 52311 for some reason.

@KenB, with Wireshark or similar, can you confirm that no outbound traffic is flowing from the BESRelay in question?

Given your prior message, I’m assuming MS-WIN for OS and their integrated firewall service. If that is in fact the case, I would recommend opening a case with the OS/firewall vendor as this is non-standard behavior.

There is significant complexity to Windows Firewall, especially when managed by GPO.

A given profile may or may not allow exceptions, it may or may not allow merging local rules with GPO-enforced rules, etc.

One useful thing may be to generate a report of all policy settings via

gpresult.exe /h gpreport.html

And then view the results to see whether they are as expected. That can highlight issues with GPO inheritance / overrides, or may even show that GPO is not applying when the Domain is unreachable.


Ok so this seems to happen only when we reboot the relay VM’s host not the relay VM itself. I ran the steps in this white paper to try and pinpoint what rule can be causing the firewall drops of 52311 but it only indicates “Prompt the user for a decision corresponding this inbound traffic” which so far I can’t find in any of our firewall GPO rules.

The active firewall also switched from domain to public.

So the drop is coming from the fact that the firewall is switching from domain to public and for public we have it set to not use local rules. I am just not sure why the server is switching from domain to public when we reboot the host.
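A diagnostic script for both points raised in this thread (the gpresult suggestion about checking what the effective, GPO-merged policy actually is, and the final finding that the public profile ignores local rules). This is added example code, not something posted in the thread or shipped with BigFix; it assumes an elevated PowerShell session on the relay, uses the standard NetSecurity cmdlets, and matches rules by port 52311 (from the thread) and by program names containing BESClient or BESRelay (an assumption about how the GPO rules are written).

```powershell
# Added diagnostic (not from the thread): shows why an inbound allow rule can be
# present in GPO yet still not apply after the active profile flips to Public.
# Run elevated on the relay. Port 52311 is the BigFix port named in the thread;
# the BESClient/BESRelay program match is an assumption about the rule names.
$Port = 52311

# 1. Which profile is each connected interface in right now (DomainAuthenticated,
#    Private or Public)? A relay that should be DomainAuthenticated but shows
#    Public here confirms the NLA symptom described in the thread.
Write-Host "== Active network profiles =="
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize

# 2. Effective per-profile settings after GPO merge (ActiveStore).
#    AllowLocalFirewallRules = False on a profile means rules created locally are
#    ignored while that profile is active; only GPO-delivered rules are enforced.
Write-Host "== Effective firewall profile settings =="
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction,
                  AllowLocalFirewallRules, AllowLocalIPsecRules |
    Format-Table -AutoSize

# 3. Every effective rule that references the port, with the profile set it is
#    scoped to and whether it came from Group Policy or the local store. A rule
#    whose Profile is "Domain" only, or whose source is Local while the Public
#    profile disallows local rules, will not cover traffic once Public is active.
Write-Host "== Effective rules referencing port $Port =="
Get-NetFirewallPortFilter -PolicyStore ActiveStore |
    Where-Object { $_.LocalPort -eq "$Port" -or $_.RemotePort -eq "$Port" } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action, Profile,
                  PolicyStoreSourceType, PolicyStoreSource |
    Format-Table -AutoSize

# 4. Program-based rules for the BigFix binaries and their profile scope.
Write-Host "== Effective program rules for BESClient / BESRelay =="
Get-NetFirewallApplicationFilter -PolicyStore ActiveStore |
    Where-Object { $_.Program -match 'BES(Client|Relay)' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action, Profile,
                  PolicyStoreSourceType |
    Format-Table -AutoSize

# 5. Network Location Awareness service start type and dependencies; the thread
#    changed these to delayed start with a dependency on Netlogon. If NLA
#    classifies the network before the domain controller is reachable, the
#    interface lands in Public and the Domain-scoped rules never apply.
Write-Host "== NlaSvc startup and dependencies =="
Get-Service NlaSvc | Select-Object Name, Status, StartType | Format-Table -AutoSize
(Get-Service NlaSvc).ServicesDependedOn | Select-Object Name, Status | Format-Table -AutoSize

# 6. Recent profile-change events, to line the Public switch up against the
#    host reboot time.
Write-Host "== Recent network profile events =="
Get-WinEvent -LogName 'Microsoft-Windows-NetworkProfile/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Reading the output: if section 1 shows Public while section 2 shows AllowLocalFirewallRules = False for the Public profile, then any 52311 rule in section 3 or 4 whose PolicyStoreSourceType is Local is being discarded, which is exactly the drop described above. The fix is either to make the rule GPO-delivered and scoped to all profiles, or to stop the relay from being classified as Public in the first place, which section 5 and 6 help narrow down.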