Need solid VPN solution w/ Win2K Domain, Win clients, PIX 515 firewall, Logon scripts

I need a recommended solution for configuring a VPN for one of my clients. It's urgent, and I need answers from experienced people only. This is a production environment, with a fully-configured firewall, and I can't take it down without scheduling an outage for the wee hours of the morning. Finally, I am *not* a Cisco expert -- and not sure that I want to be -- and prefer to see solutions that use the "training wheels" interface (PDM) wherever possible.

The desired solution:
- will provide the "must haves" shown below
- will not require the purchase of additional equipment or software
- will be relatively straightforward to set up
- will not require extensive maintenance
- will require few or no firewall reboots (24x7 production websites are running)
- will handle up to 20 remote users (VoIP phones and users)
- will work with workgroup routers that use NAT
- can use either the built-in Windows client or the Cisco VPN Client

NOTE: I can live with a solution that bypasses the PIX -- please no comments, Cisco experts, I can hear you cringing already! -- and uses PPTP/EAP-TLS (or similar config) directly to the Win2K RRAS server. Ease of maintenance is very important and I'm very familiar with setting up PPTP VPNs.

- Windows 2000 Server domain controller running Active Directory
- Windows 2000 Server member server running IAS, RRAS, Certificate Services
- Several other Win2K servers, including SQL Servers, IIS servers, file/print servers, etc.
- Cisco PIX 515e Restricted (3 interfaces: WAN/outside, LAN/inside, DMZ/dmz)
  > PIX 6.3(3); PDM 3.0(1), DES encryption only
- Cisco 2620 T-1 router
- Full data T-1 (44 static IP addresses)

- Win2K Pro (SP4) or WinXP Pro
- Mixture of cable and DSL connections
- Linksys-class routers (running NAT) and firewall/routers (NAT/PAT)
- Cisco VPN Client 4.0.5(C) or later is an option
- Some are stay-at-home PCs, some are work laptops brought home
- All PCs can be brought into the office, connected to domain and configured

- Ability to automatically run logon scripts without resorting to tricks like using Windows Scheduler to run them
  > Preferred: Server-based logon scripts
  > Preferred: Execution of logoff scripts
- Ability to browse network resources without re-entering credentials
- IPSec-based certificates or equivalent authentication method (e.g., EAP-TLS)
- Ability to connect and disconnect from the VPN without logging out
- Software-based client VPN endpoint solution

- Cisco Windows Client 4.x to PIX using Group Authentication & UDP IPSec
  > Logon scripts do not execute
  > Couldn't get any domain policies to run
- Built-in Windows Client to PIX using L2TP and IPSec Certificates
  > Using MSCEP tool proved too complicated - never got it off the ground
- Built-in Windows Client to Win2K RRAS using PPTP
  > PPTP passes through PIX with no problem
  > No secure authentication (we have a standalone, not enterprise, CA)

- Certificate Server
- RRAS server
- Domain IPSec policies
- VPN Settings on PIX
- VPN protocol can be PPTP, L2TP or other

- Can't reboot firewall without advance notice
- Server operating system
- PIX hardware configuration (can't add interfaces or IPsec card)

Let me know what other info you need.

This is an urgent situation, and any help is greatly appreciated. I may not be able to respond during business hours (East coast) for the next few days, as I'll be out on client sites during the day, but will respond each evening.


Hi ddameo,
> - Ability to automatically run logon scripts without resorting to tricks
> - Ability to connect and disconnect from the VPN without logging out
I think you will find these mutually exclusive. If you want login scripts to run you will have to log into the domain. Once you do this you already have credentials on the network so in order to disconnect you will really need to log out.
If you use a separate software client or use the Windows VPN client after you log in, you won't be logging into the domain, so you won't get the login scripts.

ddameoAuthor Commented:
Sorry, grblades, that's what I get for trying to do too many things at once.

What I meant by the first item you quoted is that I'd like the logon script(s) to be executed without manual intervention by the end user, or without resorting to any hokey tricks (like launching the Task Scheduler upon logon, which fires off a login script, as I've seen some people suggest with the Cisco client). The Windows RRAS Connection Manager Administration Kit (CMAK) allows you to build a package that includes logon and logoff scripts. This package takes the form of an executable file that gets distributed to users. While the logon scripts are not server-based, at least it's better than nothing.

What I meant to say in that second item you quoted is:
- Ability to connect and disconnect from the VPN without logging out *OF WINDOWS*
I think most solutions would give you that anyway, but I wanted to make sure it was included as a bullet point.

Does that help clarify things?
I know the Cisco client has an option to load before windows starts which I think gives you an option to log into the domain.
I have never used this myself, however, as I don't want the extra traffic over the VPN as we don't have a fast link.
ddameoAuthor Commented:
Yes, the Cisco client *does* have this option, which we've used. My memory is getting a little fuzzy, because I've set up several networks and VPNs in the past month, but I believe the problem was the only scripts that would execute would be user logon scripts that are entered in the user's profile in AD Users and Computers. We wanted to have domain-level script processing happen, and the Cisco client doesn't give us that.

Also, if you connect with the Cisco client after you've already logged onto the computer (that is, you don't have the Connect before Logon option enabled), there is no mechanism for automatically launching logon scripts, and likewise there's no mechanism for auto-launching logoff scripts when you disconnect. The Microsoft RRAS Connection Manager has this capability, but I don't think it allows for domain script processing.

It's a tough one, and maybe nothing exists out there that will do this.

Failing that, can someone then at least point me in the direction of a technical explanation of how to implement ONE of the following:
- Authentication using user or machine certificates with Windows 2000 Certificate Services and either the Cisco 4.x client or the native Windows client (I have found numerous documents that describe parts of the process, but nothing that puts it all together for me, especially the usage of MSCEP on the Win2K Cert Server to allow processing of certificate requests by the PIX)
- Certificate authentication using PPTP bypassing the Cisco PIX entirely

I have never used certificates on the PIX. What I have done for a customer though is configure the PIX to use RADIUS for authentication, and the customer just configured a RADIUS server on their file server to authenticate users. This works well.

I am not a Windows expert, but getting PPTP passed through the PIX is easy: you just define a static mapping from an external IP address to the IP address of the VPN server and then define an access-list to permit TCP port 1723 and GRE in. Let me know if you would like a configuration example.
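As an added illustration of the pass-through grblades describes (this is constructed for this thread, not a configuration from the poster's network), the PIX 6.3 syntax would look like the following, assuming a public address 203.0.113.10 mapped to an internal RRAS/PPTP server at 10.0.0.5 and an inbound ACL named outside_access_in; lines starting with `:` are comments in PIX config syntax.

```cisco
: Constructed example: one-to-one static NAT from a spare public address
: to the internal RRAS server (both addresses are placeholders)
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255 0 0
: PPTP control channel: TCP 1723 to the mapped host only
access-list outside_access_in permit tcp any host 203.0.113.10 eq 1723
: PPTP data channel: GRE (IP protocol 47) has no port, so restrict it to
: the single mapped host rather than permitting GRE to "any"
access-list outside_access_in permit gre any host 203.0.113.10
: Apply the ACL inbound on the outside interface (one ACL per interface)
access-group outside_access_in in interface outside
: Optional: PPTP inspection is only needed when the PIX itself is doing PAT
: for PPTP; with the one-to-one static above GRE passes without it
fixup protocol pptp 1723
```

Because GRE is stateless as far as the PIX is concerned, keep the permit narrowed to the one static host so that only the RRAS server, and nothing else behind the firewall, is reachable on that protocol.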
Tim HolmanCommented:
The Cisco VPN client meets all of your must-haves, although you will need to enable 'Start Before Logon'.

You may have problems with VoIP latency over VPN - you would not be able to get QoS with DSL, so phone quality may be unreliable.

This seems to cover most things off:
ddameoAuthor Commented:
Sorry for the delay in responding. Family issues and client issues all at once make for no time to check EE!

To grblades: Yes, I had set up the PIX to use RADIUS authentication on a Win2K server, and that worked okay. You don't get any real domain policy processing because RADIUS is a generic protocol, not an MS-specific one. I got PPTP to go through the PIX with no problem -- as you said, it's just a matter of setting up ACLs to pass the appropriate TCP and IP traffic through. I appreciate your offer, but I got that working with no problem.

To tim_holman: You're partially right about the Cisco client -- it meets most, but not all, of our must-haves. Specifically, there is no mechanism for auto-running logoff scripts. Also, in order to use the Windows 2000 Certificate Services we had to buy the Resource Kit and load the MSCEP utility so it could process cert requests from the PIX. The MSCEP utility, however, requires a standalone Cert Server. Ours was an Enterprise Cert Server. Anyway, from what I've seen, the management of the certificates becomes a chore and more than my client was willing to invest in. Finally, the VoIP latency was a deal-breaker. Unbeknownst to me, our remote user (the Cisco VPN guinea pig) was having severe VoIP problems with the Cisco client -- upwards of 25 minutes for the thing even to connect and get its IP address via DHCP. With the built-in Windows XP client, it took seconds and the connection has been solid.

In short, I've muddled my way through literally hundreds of documents from MS TechNet, Knowledgebase, and product CDs and the Cisco TAC site and have finally decided to go with an all Microsoft solution. I've set our Certificate Server back to being an Enterprise CA, and only have to determine how certificate requests get passed through the PIX (I may not have to do anything).

I'll update this question within the next couple of days and will award partial points at that time.
Tim HolmanCommented:
Let us know if we can be of any further help - I'm pretty sure we could get the VoIP problems ironed out with the Cisco solution, but if you've gone with M$, then probably little point barking up this tree...
ddameoAuthor Commented:
I agree -- I'm sure the VoIP problems are simply a configuration issue. At this point, the client wants a reasonably secure VPN up and running with minimal maintenance going forward. (They don't want to spend $$$ on me each time a new user is added.) With the IPSec (MPE? I can't remember the acronym right now), I think the security should be acceptable with MS PPTP.

Thanks for your help. This is my first question on EE, so I'll figure out the points thing later tonight. I never got an exact answer to my question, but you did reinforce the VoIP thing, so I'm inclined to give you at least partial points.
Tim HolmanCommented:
If you need 'administrative' help, there's a FAQ in the Help section (top right hand corner of this page), and moderators can be reached via the Support link next to it.  :)
ddameoAuthor Commented:
Thanks. I briefly read it once before, but I want to make sure I do it right. I appreciate your help.
ddameoAuthor Commented:
Well, no one actually solved my problem, although Tim did point out 'Start Before Login' option on the Cisco client, which I already knew about. In the end, I realize that my client can't have everything they want, so we're reduced to using a garden variety Microsoft PPTP VPN with the built-in Windows 2000 & XP client. We've added IPSec authentication, which was tricky to implement until I figured out the correct way of remotely issuing a client certificate from the Windows 2000 Enterprise Certificate Authority. My final problem is that I can't authenticate using a CMAK-generated connectoid (CMAK being the Windows 2000 RRAS (Routing and Remote Access) Connection Manager Authentication Kit, for those who don't know). I suspect it's encrypting the password, even though I've told it not to. But that's an issue for another question.

Thanks to all. I'll split points even though no one solved my problem, because I'm feeling generous in the spirit of Christmas.