When the SEP client is installed on the host OS and a Virtual PC virtual machine is loaded on that same machine the traffic from that virtual machine is not filtered by SEP-NTP. As such it does not abide by the rules in the SEP firewall policy. This issue only happens if the virtual machines network adapter is set to use the physical NIC (also known as bridged mode). The firewall on the host OS will correctly filter the traffic if the virtual machine is set to use NAT.
Traffic from a virtual machine that is in bridged-mode is directed to that virtual machine before any filtering is applied. This is done intentionally so that the virtual machine behaves as if it is a physical system connected to the network.
The reason for this behavior can be seen in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network" registry key. At this key there is a registry value named "FilterClasses" indicating the filter layers declared by different drivers:
first ms_firewall_upper scheduler encryption compression vpn loadbalance failover diagnostic custom
Please note that "custom" is the lowest in the list indicating it is the closest to the physical adapter. This is where the virtual machine places the network filter it uses for bridged-mode networking. Software firewalls, VPN adapters, Encryption software, and other similar applications used for filtering and protecting network traffic on the host machine will necessarily be higher on the stack than the "custom" filter location and therefore will not affect traffic going to or from the virtual machine when it is in bridged-mode.
Because of this behavior it is recommended that the virtual machine be treated as a separate physical machine. As such a firewall and antivirus solution should be installed on the virtual machine itself to protect the operating system and other data on the hardware that the virtual machine represents.
Windows 7 running Virtual PC XP Mode
Imported Document ID: TECH150230
Subscribing will provide email updates when this Article is updated. Login is required.