
Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain



 
 
  #1 (permalink)  
Old September 27th 06, 04:49 PM posted to microsoft.public.windows.vista.networking_sharing
Edward Ray

I have had MANY problems since upgrading to Vista RC1 (now v5728) with
connectivity in my Windows 2003 R2 native AD domain. Windows time not
working, netdiag crashing, not picking up Kerberos tickets for Vista
machine...

Once I disabled the firewall, things improved. Windows Time started
automatically.

Let me say first that the new Windows Firewall is a great leap forward, but
it is very complex and difficult to configure. I suspect once adm/admx
files are available that it may become easier. Third-party firewalls are
much easier to configure than Vista Firewall. Complexity is the hobgoblin
of security, and Microsoft has made the Windows Firewall very difficult to
understand and onerous to configure. Rules that I put in to open the
firewall to domain connectivity appear not to work.

I would recommend to anyone deploying Vista in a pre-existing domain
infrastructure to disable Windows Firewall completely for the near term.

--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
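
One way to see which domain traffic the firewall is actually blocking, rather than turning it off: the sketch below tallies DROP entries in a Windows Firewall log by domain service. It is an added example, not part of the original post; it assumes dropped-packet logging is enabled, and the port map and sample log lines are constructed for illustration.

```python
from collections import Counter

# Well-known ports for the services named in the thread (general knowledge,
# not values taken from the thread itself).
DOMAIN_PORTS = {53: "DNS", 88: "Kerberos", 123: "Windows Time (NTP)",
                135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB/CIFS",
                500: "IPsec IKE", 4500: "IPsec NAT-T"}

# Constructed sample in the pfirewall.log layout; addresses are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-09-27 16:40:01 DROP UDP 10.0.0.25 10.0.0.2 123 123 76 - - - - - - - SEND
2006-09-27 16:40:03 DROP UDP 10.0.0.25 10.0.0.2 123 123 76 - - - - - - - SEND
2006-09-27 16:40:05 ALLOW TCP 10.0.0.25 10.0.0.2 49155 445 0 - 0 0 0 - - - SEND
2006-09-27 16:40:09 DROP TCP 10.0.0.25 10.0.0.2 49160 88 48 S 1 0 8192 - - - SEND
2006-09-27 16:40:12 DROP UDP 10.0.0.2 10.0.0.25 500 500 120 - - - - - - - RECEIVE
2006-09-27 16:40:15 DROP TCP 10.0.0.77 10.0.0.25 51000 3389 48 S 1 0 8192 - - - RECEIVE
"""

def dropped_domain_traffic(log_text):
    """Count DROP entries per (service, protocol, direction) for domain ports."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("action") != "DROP":
            continue
        for key in ("dst-port", "src-port"):   # the domain service may be on either side
            port = row.get(key, "-")
            if port.isdigit() and int(port) in DOMAIN_PORTS:
                service = DOMAIN_PORTS[int(port)]
                hits[(service, row["protocol"], row.get("path", "-"))] += 1
                break
    return hits

if __name__ == "__main__":
    for (service, proto, path), n in dropped_domain_traffic(SAMPLE_LOG).most_common():
        print(f"{n:3d} dropped  {service:<22} {proto:<4} {path}")
```

Each service that shows up in the tally points at a rule to add or correct for the domain profile while the firewall stays on.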

  #2 (permalink)  
Old September 27th 06, 10:03 PM posted to microsoft.public.windows.vista.networking_sharing
Richard G. Harper

I haven't had a single problem with the Vista firewall in my AD domain.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ...
http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"Edward Ray" wrote in message
...
I have had MANY problems since upgrading to Vista RC1 (now v5728) with
connectivity in my Windows 2003 R2 native AD domain. Windows time not
working, netdiag crashing, not picking up Kerberos tickets for Vista
machine...

Once I disabled the firewall, things improved. Windows Time started
automatically.

Let me say first that the new Windows Firewall is a great leap forward,
but it is very complex and difficult to configure. I suspect once
adm/admx files are available that it may become easier. Third-party
firewalls are much easier to configure than Vista Firewall. Complexity is
the hobgoblin of security, and Microsoft has made the Windows Firewall
very difficult to understand and onerous to configure. Rules that I put in
to open the firewall to domain connectivity appear not to work.

I would recommend to anyone deploying Vista in a pre-existing domain
infrastructure to disable Windows Firewall completely for the near term.

--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE



  #3 (permalink)  
Old September 27th 06, 11:13 PM posted to microsoft.public.windows.vista.networking_sharing
Edward Ray


"Richard G. Harper" wrote in message
...
I haven't had a single problem with the Vista firewall in my AD domain.


I would be interested in what your configuration is. Do you use IPSec
encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from an
existing Windows XP SP2 install?

This firewall makes it very challenging to troubleshoot problems, so I find
it best to disable it until you have everything working right, then enable.



--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE

  #4 (permalink)  
Old September 28th 06, 10:09 AM posted to microsoft.public.windows.vista.networking_sharing
Richard G. Harper

No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are
supported.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ...
http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"Edward Ray" wrote in message
...

"Richard G. Harper" wrote in message
...
I haven't had a single problem with the Vista firewall in my AD domain.


I would be interested in what your configuration is. Do you use IPSec
encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from
an existing Windows XP SP2 install?

This firewall makes it very challenging to troubleshoot problems, so I
find it best to disable it until you have everything working right, then
enable.



--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE



  #5 (permalink)  
Old September 28th 06, 10:10 AM posted to microsoft.public.windows.vista.networking_sharing
Richard G. Harper

Oh sorry, only half-answered. Also have done both upgrades and clean
installs with no problems.

--
Richard G. Harper [MVP Shell/User]
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ...
http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"Edward Ray" wrote in message
...

"Richard G. Harper" wrote in message
...
I haven't had a single problem with the Vista firewall in my AD domain.


I would be interested in what your configuration is. Do you use IPSec
encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from
an existing Windows XP SP2 install?

This firewall makes it very challenging to troubleshoot problems, so I
find it best to disable it until you have everything working right, then
enable.



--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE



  #6 (permalink)  
Old September 28th 06, 02:10 PM posted to microsoft.public.windows.vista.networking_sharing
Edward Ray


"Richard G. Harper" wrote in message
...
No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are
supported.

I do not use NetBIOS/WINS, due to security risks as well as not necessary
(no Win9x or NT boxes in my domain). I IPSec encrypt ALL SMB/CIFS port 445
traffic using PKI authentication. As I said before, it takes a few boots to
get it right when I had RC 1 5600; for 5728 I just disabled the firewall at
first then re-enabled it. Having custom GPOs for Vista will help in the
future.

  #7 (permalink)  
Old September 28th 06, 02:34 PM posted to microsoft.public.windows.vista.networking_sharing
Jeff

Ed,
Gettin all wrapped up in this huh?
If you look at Windows Firewall; it's easy to setup now
And it's easy to use;
Jeff

"Edward Ray" wrote in message
...

"Richard G. Harper" wrote in message
...
No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are
supported.

I do not use NetBIOS/WINS, due to security risks as well as not necessary
(no Win9x or NT boxes in my domain). I IPSec encrypt ALL SMB/CIFS port
445 traffic using PKI authentication. As I said before, it takes a few
boots to get it right when I had RC 1 5600; for 5728 I just disabled the
firewall at first then re-enabled it. Having custom GPOs for Vista will
help in the future.


  #8 (permalink)  
Old September 28th 06, 05:04 PM posted to microsoft.public.windows.vista.networking_sharing
Edward Ray


"Jeff" wrote in message
...
Ed,
Gettin all wrapped up in this huh?
If you look at Windows Firewall; it's easy to setup now
And it's easy to use;
Jeff


Jeff:

It may be easy for a single user, but when you have an organization with
500 potential Vista clients who is paying me for advice on ease of use, I
have to report its shortcomings. Vista is geared primarily to get Windows
2000 (and potentially Windows XP pre-SP2) clients to upgrade to Vista.
Stand-alone I am sure it works great, but for corporate buy-in it must play
well with existing infrastructures. As I said in previous posts, my advice
is to disable the firewall initially, then reenable after GPO's have been
applied. In a network with multiple layers of protection, this does not
present a major security risk. Perhaps when Vista ADM/ADMX files are
released this will be an easier transition, but I will still prefer
third-party AV/Firewall/IPS/App Protection over Windows Firewall for
laptops, PDAs and other wireless devices that use the Windows OS.

Just because it annoys you, my certifications are below. I also have a BSEE
from Cornell and an MSEE from UCLA (nose turns upward... )


--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE

  #9 (permalink)  
Old September 28th 06, 07:59 PM posted to microsoft.public.windows.vista.networking_sharing
Jeff

Ed,
It doesn't annoy me;
in fact;
I think it's kind of humorous; that you feel the need to include your
certifications in a post.

And; if I'm not mistaken; MSFT has devoted a whole bunch of resources to
business migration.

Here for example:
http://www.microsoft.com/technet/win...y/default.mspx


You oughta know; that; the best defense is hardware firewalls;
and all those initials-lol
BTW-running a laptop on multiple networks; Vista firewall; no hacks; no
breakins; etc.
And at home; behind a hardware firewall; just for giggles.

Jeff

"Edward Ray" wrote in message
...

"Jeff" wrote in message
...
Ed,
Gettin all wrapped up in this huh?
If you look at Windows Firewall; it's easy to setup now
And it's easy to use;
Jeff


Jeff:

It may be easy for a single user, but when you have an organization with
500 potential Vista clients who is paying me for advice on ease of use, I
have to report its shortcomings. Vista is geared primarily to get Windows
2000 (and potentially Windows XP pre-SP2) clients to upgrade to Vista.
Stand-alone I am sure it works great, but for corporate buy-in it must
play well with existing infrastructures. As I said in previous posts, my
advice is to disable the firewall initially, then reenable after GPO's
have been applied. In a network with multiple layers of protection, this
does not present a major security risk. Perhaps when Vista ADM/ADMX
files are released this will be an easier transition, but I will still
prefer third-party AV/Firewall/IPS/App Protection over Windows Firewall
for laptops, PDAs and other wireless devices that use the Windows OS.

Just because it annoys you, my certifications are below. I also have a
BSEE from Cornell and an MSEE from UCLA (nose turns upward... )


--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE


  #10 (permalink)  
Old September 28th 06, 08:54 PM posted to microsoft.public.windows.vista.networking_sharing
AJR

Edward - Although you are probably aware of it - but Vista provides a
"Windows Firewall and Security" snap-in for the Management Console which
provides more options than control panel security center.

"Edward Ray" wrote in message
...
I have had MANY problems since upgrading to Vista RC1 (now v5728) with
connectivity in my Windows 2003 R2 native AD domain. Windows time not
working, netdiag crashing, not picking up Kerberos tickets for Vista
machine...

Once I disabled the firewall, things improved. Windows Time started
automatically.

Let me say first that the new Windows Firewall is a great leap forward,
but it is very complex and difficult to configure. I suspect once
adm/admx files are available that it may become easier. Third-party
firewalls are much easier to configure than Vista Firewall. Complexity is
the hobgoblin of security, and Microsoft has made the Windows Firewall
very difficult to understand and onerous to configure. Rules that I put in
to open the firewall to domain connectivity appear not to work.

I would recommend to anyone deploying Vista in a pre-existing domain
infrastructure to disable Windows Firewall completely for the near term.

--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE



 




All times are GMT.