
Firewall policy changes when disjoining domain computers

Hello,

My Firewall changes when I disjoin a computer from the domain.  It changes to "Block by Default" . 

Where does it get this information?  Where is the policy that is in place when the computer is not able to see the DNS server? 

Thanks,

Jason

  • Hello Jason,

    Where does it get this information?  Where is the policy that is in place when the computer is not able to see the DNS server?

    Where did it get its policy from in the first place? And what's in the policy? Is the computer in an AD sync'ed group or not, and does it stay in the same group after disjoining?

    It depends on various things. If the policy is for Dual location and Location detection selects the secondary after disjoining the domain then this policy applies.

    Christian 

  • The Policy comes from the SEC.  The policy is to allow by default and blocks most of the default stuff. 

    Yes, it is in an AD sync'ed group.  I am not sure if this computer gets removed from the AD sync'ed group or is in Unassigned. 

    I do have dual location setup, but the 2nd location is set right now to Allow all traffic.  So any idea where it gets Block by Default?

    Thanks,

    Jason

  • Hello Jason,

    the computer should disappear from the group (whether it is deleted from AD or not). Can't say where it re-appears (if Unassigned then it should not receive a policy from SEC but otherwise it probably will).

    In SCF's System log you'll find entries like: Detected location as ... and Firewall successfully configured (.... location). You'll see when this took place from the timestamps. You should check the client's configuration before and after it has been disjoined - they are likely not the same.   

    Christian 

  • So I discovered my problem: when a workgroup computer receives Sophos it does not pick up our firewall policy.  And so it has Block by Default selected.  Thus it cannot join the domain.  How would I get a firewall policy to this install so that it has some firewall policy like Allow all traffic until it at least gets on the domain?

    Would I need to do something like this home user setup in the KB?  Export the firewall policy and integrate it into the installer?  http://www.sophos.com/support/knowledgebase/article/63182.html

    Thanks,

    Jason

  • So I discovered my problem: when a workgroup computer receives Sophos it does not pick up our firewall policy

    How does it "receive" Sophos? Guess you're not using Protect Computers, are you?

    You can join the computer to the domain first and when it has "appeared" in the AD group use Protect Computers to install Sophos (or use automatic protection).

    If you want to install Sophos first, move it to a group with the required SCF settings after it appeared in SEC and then join it (using the -G flag of setup.exe you can move it to the desired group at installation time).

    Does this answer your question?

    Christian

  • Christian,

    Do you not like the method of providing a 'SCFCidConfig.conf' file to the clients so when they are not in a group they would use this setting?

    I like the group method as well; I might adjust my login script to put the computers in a group.

    Thanks,

    Jason

  • Do you not like the method of providing a 'SCFCidConfig.conf' file

    It's not a question of taste but elegance :).

    Actually - I think maintaining installation packages is a pain and if the computer will be managed by SEC it's easier to use an SEC policy from the start (which BTW does not need to be Allow all). Of course it depends on your process of setting up computers.

    Christian

  • Christian,

    It is a pain to mod install packages.  So what methods do you use to push the install?  Automatic install using AD sync?

    How many clients do you have? 

    I have login script setup which I was told was the best method. 

    Jason

  • We have 250 clients in AD but I decided against AD sync as the group structure is convoluted. On a second management server is "all the rest" (about 3000 clients). We use several methods:

    • We do have install packages for computers not administered by us (about two thirds). Users download the package, which is built every two or three months from a live CID and contains an updating policy and mrinit.conf in the \rms subfolder (the reason is that by pointing the client to a different CID it can be "moved" to the other management server and/or directed to use a message relay). The installer puts the client in a group so it receives custom policies for all components shortly after install. Once a client appears in SEC it's moved to the correct group to get its "final" policies.
    • On computers set up by us we simply call setup.exe from the CID using the appropriate switches at a certain point during setup.
    • Same procedure for clients which will join the domain (which also happens during setup - don't ask me for details, that's what you have subordinates for ;)). From time to time I also search AD as sometimes a machine is joined which hasn't been set up by the normal process. I then use Protect Computers to install Sophos.

    Christian

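As an added illustration of the approach discussed above (calling setup.exe from the CID during setup, with the -G switch placing the client in an SEC group so it gets the intended SCF policy before it is joined), here is a login-script style PowerShell fragment. This is example code written for this page, not a script from Sophos or from either poster. The CID path, the update account, the group names and the service name used to detect an existing install are assumptions; the -updp, -user, -pwd and -mng switches are assumed from Sophos's setup.exe command-line documentation and should be checked against the version in use. Only -G is mentioned in the thread itself.

```powershell
# Added example, not from the thread. Install Sophos from the CID and choose the SEC
# group with setup.exe -G depending on whether the machine is already domain-joined,
# so a workgroup machine gets a group whose SCF policy permits the domain join
# instead of falling back to Block by Default.

$Cid        = '\\sec01\SophosUpdate\CIDs\S000\SAVSCFXP'   # assumed CID share
$UpdUser    = 'EXAMPLE\SophosUpdate'                       # assumed read-only update account
$UpdPass    = $env:SOPHOS_UPD_PWD                          # assumed: supplied via environment, not hard-coded
$DomainGrp  = '\Workstations\Standard'                     # assumed SEC group with the production SCF policy
$PendingGrp = '\Workstations\Pending'                      # assumed SEC group whose SCF policy allows AD/DNS traffic

function Test-SophosInstalled {
    # 'SAVService' is the Sophos Anti-Virus service name; assumed sufficient as an "already installed" check.
    return [bool](Get-Service -Name 'SAVService' -ErrorAction SilentlyContinue)
}

function Get-TargetGroup {
    # Win32_ComputerSystem.PartOfDomain is $true once the machine is joined.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) { return $DomainGrp } else { return $PendingGrp }
}

function Install-Sophos {
    param([Parameter(Mandatory)][string]$Group)
    # -G is the group switch mentioned in the thread; the other switches are assumed from the
    # Sophos setup.exe documentation (update path, update credentials, managed install).
    $setupArgs = @('-updp', $Cid, '-user', $UpdUser, '-pwd', $UpdPass, '-mng', 'yes', '-G', $Group)
    $proc = Start-Process -FilePath (Join-Path $Cid 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
    return $proc.ExitCode
}

if (-not (Test-SophosInstalled)) {
    $group = Get-TargetGroup
    $rc = Install-Sophos -Group $group
    Write-EventLog -LogName Application -Source 'Application' -EventId 1000 -EntryType Information `
        -Message ("Sophos setup.exe finished with exit code {0}; requested SEC group '{1}'" -f $rc, $group)
}
```

Once the machine has joined and appeared in the expected AD group in SEC, it still has to be moved (or AD sync has to move it) from the pending group to its final group, which is the second step Christian describes; the script only covers the initial placement.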