Networking

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Hyper-V: Add ICMP to Stateful ACL rules

    Currently you cannot add stateful ACL rules (on a Hyper-V Virtual Switch) on the ICMP protocol.

    This leaves you to either open ICMP to everyone or close ICMP to everyone including the VM itself.

    Neither is secure or practical for such an important and basic functionality (ping).

    Doc: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v-virtual-switch/create-security-policies-with-extended-port-access-control-lists#bkmk_stateful

    So the request is simple: Create the functionality to create ICMP stateful rules.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Firewall  ·  Flag idea as inappropriate…  ·  Admin →
  2. Fix default NPS firewall rules for Server 2019

    Hi all,

    I understand there is an issue with Windows Server 2019/Windows 10 1809 however I was wondering if Microsoft are aware of any problems regarding the Firewall rather than the systems handling of user files.

    Recently I setup a Server 2019 VM (1.5GB Dynamic RAM, 2 Allocated Cores, 36GB Drive space, 3GB NIC Team) and installed the NPS and RDS Gateway role onto it however I noticed that despite the NPS role adding the standard firewall rules for port 1813 and 1812 they do not seem to be working.

    I have confirmed that with an exception allowing port 1812…

    85 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    25 comments  ·  Firewall  ·  Flag idea as inappropriate…  ·  Admin →
  3. Windows needs better inbox packet filtering.

    "netsh trace" and/or NetEventPacketCapture lacks capable packet filtering. A lot of secure and change managed environments do not [easily] allow the installation of packet capture tools for collecting network data, like Wireshark (or the now defunct netmon and Message Analyzer).

    The two built-in packet capture tools in Windows, "netsh trace" and NetEventPacketCapture, can only filter packets by IP address, MAC, and protocol. This makes collecting a targeted trace, sometimes needed when collecting traces on sensitive networks or when other data floods the ETL, impossible.

    This is a request to add, at a minimum, the ability to filter packets by TCP…

    4 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Misc  ·  Flag idea as inappropriate…  ·  Admin →
  4. LBFO Team: Prevent duplicate multicast traffic on virtual nic

    When using a switch independent team, multicast traffic is received by all physical nics in the team (switch does not know the ports are in a team). When attaching a virtual switch to the team, it appears as if virtual nics receive the multicast traffic multiple times (once from each physical team member). Is it not possible to send it to the virtual nic only once (eg. only from the physical nic the virtual nic's VMQ is associated with)?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Teaming & load balancing  ·  Flag idea as inappropriate…  ·  Admin →
  5. Support SSHFP records in Windows DNS Server and its admin tools

    Since Windows now supports OpenSSH natively, as well as other clients/servers on the same network, supporting this standard for server authentication seems like an obvious win.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
  6. Create a WiFi policy linked to User Configuration, to allow for GP WiFi conn mngmt on non-domain devices

    Currently the WiFi Network Policies exists only under Computer Configuration -> Policies -> Windows Settings -> Security Settings and can only be applied to Computers that are members of the domain.
    We need a similar WiFi Network Policy under User Configuration to be able to manage the domain Users capability to connect to WiFi with Enterprise authentication irrespective to which device they use to connect to the Enterprise WiFi

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  7. [Bug] Server 2019, firewall logging injects NULL bytes into file "pfirewall.log"

    When firewall logging is activated, the resulting "pfirewall.log" gets a string of about 955,868 null bytes inserted into it. The actual log line entries are there, along with 900K of null's. OS seems to fixated on making a minimum size file. Big bug somewhere.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Firewall  ·  Flag idea as inappropriate…  ·  Admin →
  8. 2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Bug  ·  Flag idea as inappropriate…  ·  Admin →
  9. Support CAA records in nslookup

    The nslookup command line tool should support CAA (id=257) DNS resource record types. Bonus points for teaching Resolve-DnsName about this type as well. Super bonus points for supporting and rendering arbitrary record types: just print the data in a side-by-side hex/ASCII view. This way I can view newer record types without needing an OS update.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
  10. Remove Network Location Awareness from Windows Server

    Remove Network Location Awareness from Windows Server, all it does is cause problems. There is no reason to include this service in Windows Server, servers have static network settings, people do not consistently move servers to different networks. Network Location Awareness service fails way to often on reboots to find the proper network it should connect to. It then assigns the incorrect Windows Firewall to the NIC. This services needs to be removed, or we need the ability to set a static location (Domain).

    6 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Firewall  ·  Flag idea as inappropriate…  ·  Admin →
  11. Fix the ping timeout bug that gives incorrect "reply timed out" messages in Server 2012r2 and Windows 10 for pings under 1000ms timeout

    Ping can take a timeout, if the timeout is set less than 1000ms then genuine replies start getting ignored as timed out failures.

    Does not affect Server 2003 or 2008.

    Does affect Server 2012 r2 and Windows 10

    Appears to be a problem in WinAPI / networking stack rather than .Net or ping.exe implementation - happens at ICMPSendEcho2Ex and ICMP6SendEcho2Ex layers at least.

    Documented in detail here: https://stackoverflow.com/questions/45528336/winapi-why-does-icmpsendecho2ex-report-false-timeouts-when-timeout-is-set-belo

    and here: http://web.archive.org/web/20150519002258/http://www.frameflow.com:80/ping-utility-flaw-in-windows-api-creating-false-timeouts/

    2 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Bug  ·  Flag idea as inappropriate…  ·  Admin →
  12. DNS recursion using wrong NS for delegated zone CNAME

    When Server 2016 DNS Server has a delgation within a primary zone, CNAME records in that delegation result in queries to the delgation's name servers, not forwarders / root hints.
    For example:

    Primary zone: one.example
    Delegation: foo.one.example, with nameserver ns.bar.com

    In that delegated zone, there exists a record:

    baz.foo.one.example IN CNAME other.two.example

    two.example's zone, hosted by ns.somethingelse.com, has a record:
    other.two.example IN A 1.2.3.4

    From a client pointed at the DNS server, query baz.foo.one.example.

    I would expect the server to query ns.bar.com for baz, receive a reply of other.two.example, and then query either two.example's nameserver, or use the default forwarders…

    16 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Bug  ·  Flag idea as inappropriate…  ·  Admin →
  13. Windows Firewall does not always display the correct default Main Mode IPsec policy

    Bug:

    The Windows Firewall snap-in does not always show the default Main Mode IPsec policy, it shows whatever MM policy was last created or assigned.

    Expected Behavior:

    Even if there are multiple Main Mode policies (called Main Mode Crypto Sets internally), the policy with the name of '{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}' should always be displayed as the default in the GUI because it is the default used by Windows for IPsec.

    Steps to Reproduce:

    *In the Windows Firewall snap-in you can see the current default IPsec Main Mode proposal set by going to Properties of the Windows Firewall > IPsec Settings tab >…

    7 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Firewall  ·  Flag idea as inappropriate…  ·  Admin →
  14. Broke RRAS

    At the moment PPPoE is broken in Windows Server 2016 over RRAS.
    It would be great if this could be solved.
    Till yet we're using Windows Server 2012. But we would like to upgrade but can't 'cause RRAS is broken.

    8 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Misc  ·  Flag idea as inappropriate…  ·  Admin →
  15. Fix -WhatIf, -Verbose, and -ErrorAction support in the DnsServer PowerShell module

    The new cmdlets for DNS policies in particular have inconsistent and downright broken support for -WhatIf and -Verbose.

    Example:

    Add-DnsServerClientSubnet -cn MyDC -Name 'Whatever' -IPv4Subnet 10.0.0.0/32

    That works if you explicitly add -WhatIf. But if I make the call inside an advanced function that SupportsShouldProcess and call the outer function with -WhatIf, the preference will NOT carry over. In order to do that, I have to use -WhatIf:$WhatIfPreference.

    The same is true with -Verbose, having to use -Verbose:$VerbosePreference because it won't inherit it.

    This is true on the cmdlets for:
    - Client Subnets
    - Zone Scopes
    - Query Reoslution Policies

    6 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
  16. DNS: Application high availability

    Hello,

    On your site "What's new in DNS Server in Windows Server 2016" is written that there will be a new feature called "DNS Policies", which can be used for "Application high availability". But i can't find this feature, which allows me to redirect clients to the healthiest endpoint like a failover-cluster. I'm not looking for a loadbalancer.

    Other People are looking too for this Feature and some documentation, when will it be available?

    This feature would be great for applications like ADFS and so on.

    "What's New" https://technet.microsoft.com/en-us/windows-server-docs/networking/dns/what-s-new-in-dns-server
    Other person: https://social.technet.microsoft.com/Forums/office/en-US/84d3b0de-e427-4987-b498-6b053851e2dc/dns-policies-application-high-availability?forum=WinServerPreview

    7 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
  17. Expose whether DNS Client Server Address assigned by DHCP or Static

    The Get-DNSClientServerAddress cmdlet does not provide information on whether or not the Server Addresses were assigned via DHCP or have been statically assigned.

    This is presumably because the information is not provided to WMI/CIM.

    This information is available by using NETSH, so it is available in the OS.

    This would allow some problems in the xDNSServerAddress resource in the xNetworking DSC resource module (in the Resource Kit) to be solved.

    For more information about the problem and why it is causing problems, please see this issue in the xNetworking resource module: https://github.com/PowerShell/xNetworking/issues/164

    9 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Managment tools  ·  Flag idea as inappropriate…  ·  Admin →
  18. DirectAccess documentation

    Comparing the documentation of DirectAccess for 2012 with other products, even DirectAccess 2008, I see that it lacks some in-depth insights that an Admin needs to be able to deploy and manage the component effectively.
    for example, I could not find a TechNet article describing in details, what happens from start to finish when a resource is being accessed through direct access:
    1. how is the NAT64 working? how does NAT64 translates address and which IPv4 address translates to which IPv6 and vice-versa? how does the component come up with those connection security rules in GPOs based on admin input…

    8 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Misc  ·  Flag idea as inappropriate…  ·  Admin →
  19. DNS Manager should sort IP addresses numerically

    In DNS Manager the Data column treats everything as a string so it sorts alphabetically. Instead, it should be smarter and recognize different types of data and sort those numerically. Specifically, it should recognize IPv4 addresses and sort them numerically.

    We could go from:

    To:

    10.0.0.1
    10.0.0.2
    10.0.0.100
    10.0.0.101
    10.0.0.200
    10.0.0.201

    17 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Managment tools  ·  Flag idea as inappropriate…  ·  Admin →
  20. Additional DHCP Server Failover Links

    In Server 2012, Windows Server had DHCP failover added to eliminate the requirement of clustering for HA. DHCP failover is limited to either a Load Balanced pair or an Active-HotStandby member.

    It would be nice to have a load balanced pair of DHCP servers, with a second failover association of a Hot-Standby at a remote location.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  DHCP  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4
  • Don't see your idea?

Feedback and Knowledge Base