Windows – Cisco AnyConnect VPN client – prevent connecting as work network

cisco-vpn-client, vpn, windows 7, windows firewall

From Windows 7 I'm using "Cisco AnyConnect Secure Mobility Client 3.0" to connect to our corporate network.

Every time I establish the VPN connection Windows will set the type as "work network". I don't want this. So I go to "network and sharing center" and manually / interactively change it to "public network".
But I have to repeat it for every new VPN connection.

  • Is there any way to make Windows remember / persist this configuration?
  • Can it be configured in the VPN client?
  • Do our IT admins need to change something at server end?

Motivation:
A "work network" by default uses different firewall settings that allow for stuff like "network discovery" and "file shares". But I absolutely don't want this for the VPN connection!
I just need "remote desktop" (mstsc). That's all.

Additional info:
Our IT admins claimed this would be Windows default behaviour and there was nothing we could do about it: Windows would always initiate a VPN connection as "work network". Based on this statement I assume this is a "general" issue and went ahead posting here (at superuser.com).
From what I've read so far it could be related to Microsoft / Windows NLA and related configuration parameters?

Update1:
The situation has become even worse. Previously I would establish the VPN connection and then manually change to "public network". But now – after some time running with the VPN connection – the network type automatically switches back to "work network". This means: I need to frequently check the network type and adjust when required.
Help! How can I stop this?

Update2:
Still the same problem with Cisco AnyConnect Secure Mobility Client 3.1.04072

Update3:
Still the same problem with Cisco AnyConnect Secure Mobility Client 3.1.05182


Observations so far:

It seems the following registry locations are playing a role:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures]

In particular:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{<Network GUID>}]
"Category"=dword:00000000
"CategoryType"=dword:00000000

Where:

0 = Public
1 = Private (includes "Home" and "Work")
2 = Domain

And in my case the "Category" keeps flipping back from "0" to "1".
The question is: why?
And how can I prevent this?

Best Answer

Here's what has worked for me:

  • start the VPN client and connect
  • now run secpol.msc
  • go to the node Network List Manager Policies
  • open the properties of your remote domain network
  • go to the tab "Network Location"
  • change "Location type" to Public
  • (optional?) change "User permissions" to "User cannot change location"

From now on Windows will retain the network type as "public".

Technically speaking this will populate entries below the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\

Those policies take precedence over the following entries - which (due to whatever logic) may change dynamically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\

--
Confirmed with:
Cisco AnyConnect Secure Mobility Client 3.1.06079 @ Win7 x64

Update:
Still working fine with Cisco AnyConnect Secure Mobility Client 3.1.10010 @ Win7 x64
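
The registry locations named in the question and answer above can be checked from a script instead of the GUI. The following PowerShell is an added example, not part of the original post or of any Cisco or Microsoft tooling; it only reads the registry, and the `ProfileName` value name and the `$VpnNamePattern` placeholder are assumptions not taken from the page.

```powershell
# Added example (read-only): report the location category of every known network
# and whether Network List Manager policy entries exist. PowerShell 2.0 compatible.
$ProfilesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$PolicyKeys  = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures'
)
# Category values as listed in the question above.
$CategoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
# Assumption: placeholder pattern; replace with the name your VPN network shows
# in "Network and Sharing Center".
$VpnNamePattern = '*corp.example*'

function Get-NetworkCategory {
    Get-ChildItem -Path $ProfilesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($null -eq $p.Category) { $label = 'Unknown' }
        elseif ($CategoryNames.ContainsKey([int]$p.Category)) { $label = $CategoryNames[[int]$p.Category] }
        else { $label = "Other ($($p.Category))" }
        New-Object PSObject -Property @{
            Guid     = $_.PSChildName
            Name     = $p.ProfileName   # assumed value name, not shown on the page
            Category = $label
        }
    }
}

function Get-NetworkListPolicyCount {
    foreach ($key in $PolicyKeys) {
        $count = 0
        if (Test-Path -Path $key) {
            $count = @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue).Count
        }
        New-Object PSObject -Property @{ PolicyKey = $key; SubKeys = $count }
    }
}

$profiles = @(Get-NetworkCategory)
$profiles | Select-Object Name, Category, Guid | Format-Table -AutoSize
Get-NetworkListPolicyCount | Select-Object SubKeys, PolicyKey | Format-Table -AutoSize

# Warn when the VPN network is not Public, i.e. the "flip" described in Update1.
$profiles | Where-Object { $_.Name -like $VpnNamePattern -and $_.Category -ne 'Public' } |
    ForEach-Object { Write-Warning "'$($_.Name)' is currently $($_.Category), not Public" }
```

Run it once after connecting and again later in the session to see whether the category has changed and whether any policy entries are present.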
