Windows Firewall "domain profile" and ZPA

For customers migrating from VPN to ZPA, one potential consideration is Windows Firewall settings. Windows Firewall offers three profiles: domain, private, and public. The domain profile, by default, applies to networks where the Windows device can authenticate to the domain controller (presumed on-premise). The private and public profiles apply to off-premise environments such as home networks, hotels, etc.

The assumption under the traditional enterprise network model is that when the user device is on-premise (domain profile), the Windows Firewall has a more open configuration - e.g., allowing inbound services such as RDP. When the user device is off-premise (private or public profile), the Windows Firewall has a more restricted configuration. By default, Windows selects the profile based on whether the device can reach (authenticate to) a domain controller, in effect using that as the criterion for whether the device is on-premise or not.

With ZPA, however, organizations generally want users to have application access to the domain controllers - for SSO, password changes, and other Windows administrative activities - even when off-premise, without relaxing the Windows Firewall profile. Because ZPA makes the domain controllers reachable from anywhere, reachability of a domain controller no longer indicates that the device is on-premise, so a different criterion is needed. Fortunately, Windows supports this: the domain location check can be pointed at something other than the domain controllers, namely an HTTPS URL that is reachable only from the internal network.

This goal can be accomplished via these three steps:

  1. On the internal network, create an internal HTTPS website that requires no authentication (for example, https://on-net.example.com). It must be reachable only from the internal network, and its certificate must chain to a CA the Windows devices trust, otherwise the check fails even on-premise.

  2. On the user's Windows device, configure the Group Policy setting "Specify domain location determination URL" (NCSI_DomainLocationDeterminationUrl: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.NCSI::NCSI_DomainLocationDeterminationUrl) with the above URL. The setting is registry-backed, so it can also be pushed by any tool that writes the corresponding value.

  3. In ZPA, create an app segment for the above URL with Bypass set to Always, so Zscaler Client Connector never intercepts traffic destined for that site. Off-premise, the name is then resolved and reached only via the local network, so the probe fails and the domain profile is not selected.
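One way to apply and verify steps 1 to 3 on a single test device, as an added PowerShell example that is not part of the original post. It assumes the probe URL https://on-net.example.com from step 1 and the registry location that the linked policy writes to (HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity, value DomainLocationDeterminationUrl, REG_SZ); the ZPA app segment from step 3 is created in the ZPA admin portal and is not scripted here.

```powershell
# Added example (not from the original post). Assumed values: the probe URL from step 1
# and the registry-backed location of the "Specify domain location determination URL" policy.
# Run elevated on a test device before rolling the setting out through Group Policy.

$ProbeUrl   = 'https://on-net.example.com'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity'

# 1. Write the policy value that tells NLA/NCSI which URL to probe for domain location.
New-Item -Path $PolicyPath -Force | Out-Null
Set-ItemProperty -Path $PolicyPath -Name 'DomainLocationDeterminationUrl' -Value $ProbeUrl -Type String

# 2. Make NLA re-evaluate the network location now rather than at the next reconnect.
Restart-Service -Name NlaSvc -Force

# 3. Check the probe the way the client does: plain HTTPS GET, certificate must chain to a
#    trusted CA. A TLS or name-resolution error here means the domain profile will not be
#    selected; that is the expected result when remote and a misconfiguration when on-premise.
try {
    $resp = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing -TimeoutSec 5
    "Probe reachable (HTTP $($resp.StatusCode)) - device should be treated as on-premise"
} catch {
    "Probe unreachable: $($_.Exception.Message) - device should be treated as remote"
}

# 4. Confirm the location decision per interface and which firewall profile is in force.
#    On-premise: NetworkCategory DomainAuthenticated and DomainAuthenticationKind set.
#    Remote over ZPA: NetworkCategory Private or Public, even though DCs are reachable.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, DomainAuthenticationKind

Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Run the check twice, once on the office network and once remote with ZPA connected: the probe should succeed only in the first case. If the probe also succeeds remotely, the site is reachable from the internet or the ZPA bypass is not in effect, and every remote device would end up on the domain profile, which is the opposite of the intent.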

With this configuration, the Windows device will correctly apply the domain profile when it is on-premise, but will apply the private or public profile when remote, even while connected to the domain controllers via ZPA.
