One problem that comes up moderately frequently when dealing with Windows servers is that the Network Location Awareness service (NLA) doesn’t allow you to assign a particular adapter to a particular network. On ordinary networks NLA seems to do a reasonable job, but typically it can’t cope with special-purpose networks such as SANs or point-to-point links; these are all lumped together as the “Unidentified Network” which by default is contained in the Public network profile.
Why is this a problem? Because the Windows Firewall is configured on a per-profile basis. That’s fine if Windows Firewall doesn’t interfere with whatever you’re doing on the special-purpose network. Unfortunately, sometimes it does.
If you search the internet, you’ll find a number of scripts which change which network profile the “Unidentified Network” is put into. You can also do this with group policy. This means you can make unidentified networks Private, and turn Windows Firewall off (or set relaxed rules) for Private networks. Is this a solution? Not really, because it doesn’t just affect your special-purpose network, it affects every unidentified network from now on. So if, for any reason, NLA ever fails to identify the network associated with your primary internet connection, your firewall will go down. I’m not happy about that.
I’ve found a possible workaround. IMPORTANT: I haven’t tested this thoroughly, and at the moment I’m not planning to use it on my production server (or at least only if every other option fails). I’ve only tried it on Windows 2012 although I suspect it will work on older versions as well. It is entirely possible that it only works for certain ethernet drivers. Try this only at your own risk and please take proper and adequate precautions.
In addition to adapter settings such as the DNS prefix, NLA uses the default gateway’s MAC address to uniquely identify the network. Special-purpose networks don’t generally have a default gateway; if yours does, you probably don’t have this problem in the first place! The idea is to create a fictitious default gateway, with suitable parameters, and the trick is that you have to give the fictitious gateway the same ethernet address as the local network adapter on the special-purpose network in question. If you give it a make-believe ethernet address, it won’t work; you could instead give it the address of another machine on the same network, but then it won’t work if that machine is ever off-line.
(If your special network is a point-to-point link, you might instead prefer to specify the actual IP address at the other end of the link as the default gateway, if you don’t mind that NLA will see it as a new network if the ethernet address ever changes.)
So, for example: when I use get-netadapter in PowerShell I see the following results:
PS C:\Users\Administrator> get-netadapter Name InterfaceDescription ifIndex Status MacAddress LinkSpeed ---- -------------------- ------- ------ ---------- --------- Ethernet 2 Broadcom BCM5709C NetXtreme II Gi...#42 13 Disconnected 00-10-18-EC-7F-84 0 bps SAN 2 Broadcom BCM5716C NetXtreme II Gi...#41 15 Up 08-9E-01-39-53-AB 1 Gbps SAN 1 Broadcom BCM5709C NetXtreme II Gi...#43 12 Up 00-10-18-EC-7F-86 1 Gbps UoW Broadcom BCM5716C NetXtreme II Gi...#40 14 Up 08-9E-01-39-53-AA 1 Gbps
In order to assign a specific network to the third adapter (interface index 12) I would use the following commands:
new-netroute 0.0.0.0/0 -interfaceindex 12 -nexthop 192.0.2.1 -publish no -routemetric 9999 new-netneighbor 192.0.2.1 -interfaceindex 12 -linklayeraddress 001018ec7f86 -state permanent
The first command assigns the default gateway for the interface. I chose IP address 192.0.2.1 because it is reserved and will never be used by a real device; I suggest you do the same. We don’t want this route to be published, and we set the metric to 9999 so that it won’t ever be used. (The system uses the default gateway with the lowest metric.)
The second command assigns the fictitious IP address an ethernet address; as discussed before, we use the same ethernet address as the adapter we’re assigning it to. Note that the ethernet address must be entered in a different format to that in which it is displayed; just remove the hyphens. We make the mapping permanent. (You can use the remove-netneighbor command if you want to remove it later.)
I hope this is helpful. If you do try it, please let me know how it goes.