
Windows clients with multihomed NICs: can one set up different firewall policies per address?


carmik


We have a scenario in which we have a number of Endpoint Security 8.x clients managed by ESET Protect that should connect to a 2nd network (different gateway/subnet etc.), which resides outside our security perimeter, in order to run a single Windows application. Network considerations apart, one would go about it with a single network card by

a) first configuring the network card in Windows to have an additional IP address/subnet mask

b) configuring static routes to connect to the second network appropriately

c) and finally connecting the "foreign" router to our LAN. I know, not a great idea but it's for an interim period and the other network is from a "fellow" agency.

Now the deal is that our own network is configured in ESET Protect to be a safe network. This is done by setting a policy that sets up Settings -> Network Protection -> Firewall -> Known networks to include our own/safe network.

My question is: is this setting applied NIC-wide (i.e. with a single network card, the connection could be either public, or home/private) or is it IP-wide (in which case we could have a policy that sets our own network as safe -home/private- and another policy that sets the 2nd network as public)?

If the former applies (settings are applied NIC-wide), could someone perhaps offer an idea to solve this problem?

PS: We've also toyed with the idea of creating a VirtualBox Windows VM and having its vNIC associated with a VLAN to keep traffic fully separated. However, this requires a lot of administrative effort for initial configuration and deployment. Plus there are hassles like configuring VirtualBox on each PC to pass through USB devices like barcode hand scanners to the VM...


  • Administrators

You can create different firewall profiles for different networks either based on network parameters or ESET Network authentication server that can be downloaded and installed in a network:



Thanks for (yet another) speedy reply! I've been using this facility to "tell" ESET that our own network is a trusted one. The question is whether this policy would work not in the case that a system had a second NIC, but in the case of a single NIC that has two different networks assigned to it.

Can you please confirm whether or not this is feasible?
