Solved

Need solid VPN solution w/ Win2K Domain, Win clients, PIX 515 firewall, Logon scripts

Posted on 2004-11-29
Last Modified: 2010-04-12
I need a recommended solution for configuring a VPN for one of my clients. It's urgent, and I need answers from experienced people only. This is a production environment, with a fully-configured firewall, and I can't take it down without scheduling an outage for the wee hours of the morning. Finally, I am *not* a Cisco expert -- and not sure that I want to be -- and prefer to see solutions that use the "training wheels" interface (PDM) wherever possible.

The desired solution:
- will provide the "must haves" shown below
- will not require the purchase of additional equipment or software
- will be relatively straightforward to setup
- will not require extensive maintenance
- will require few or no firewall reboots (24x7 production websites are running)
- will handle up to 20 remote users (VoIP phones and users)
- will work with workgroup routers that use NAT
- can use either the built-in Windows client or the Cisco VPN Client

NOTE: I can live with a solution that bypasses the PIX -- please no comments, Cisco experts, I can hear you cringing already! -- and uses PPTP/EAP-TLS (or similar config) directly to the Win2K RRAS server. Ease of maintenance is very important and I'm very familiar with setting up PPTP VPNs.

SERVER ENVIRONMENT
- Windows 2000 Server domain controller running Active Directory
- Windows 2000 Server member server running IAS, RRAS, Certificate Services
- Several other Win2K servers, including SQL Servers, IIS servers, file/print servers, etc.
- Cisco PIX 515e Restricted (3 interfaces: WAN/outside, LAN/inside, DMZ/dmz)
  > PIX 6.3(3); PDM 3.0(1), DES encryption only
- Cisco 2620 T-1 router
- Full data T-1 (44 static IP addresses)

CLIENT ENVIRONMENTS
- Win2K Pro (SP4) or WinXP Pro
- Mixture of cable and DSL connections
- Linksys-class routers (running NAT) and firewall/routers (NAT/PAT)
- Cisco VPN Client 4.0.5(C) or later is an option
- Some are stay-at-home PCs, some are work laptops brought home
- All PCs can be brought into the office, connected to domain and configured

"MUST HAVES"
- Ability to automatically run logon scripts without resorting to tricks like using Windows Scheduler to run them
  > Preferred: Server-based logon scripts
  > Preferred: Execution of logoff scripts
- Ability to browse network resources without re-entering credentials
- IPSec-based certificates or equivalent authentication method (e.g., EAP-TLS)
- Ability to connect and disconnect from the VPN without logging out
- Software-based client VPN endpoint solution

WHAT I'VE TRIED
- Cisco Windows Client 4.x to PIX using Group Authentication & UDP IPSec
  > Logon scripts do not execute
  > Couldn't get any domain policies to run
- Built-in Windows Client to PIX using L2TP and IPSec Certificates
  > Using MSCEP tool proved too complicated - never got it off the ground
- Built-in Windows Client to Win2K RRAS using PPTP
  > PPTP passes through PIX with no problem
  > No secure authentication (we have a standalone, not enterprise, CA)

THINGS I CAN CHANGE, IF NECESSARY
- Certificate Server
- RRAS server
- Domain IPSec policies
- VPN Settings on PIX
- VPN protocol can be PPTP, L2TP or other

THINGS I CAN'T CHANGE
- Can't reboot firewall without advance notice
- Server operating system
- PIX hardware configuration (can't add interfaces or IPsec card)

Let me know what other info you need.

This is an urgent situation, and any help is greatly appreciated. I may not be able to respond during business hours (East coast) for the next few days, as I'll be out on client sites during the day, but will respond each evening.

Thanks,
David
Question by:ddameo

Accepted Solution

by:
grblades earned 900 total points
ID: 12705072
Hi ddameo,
> - Ability to automatically run logon scripts without resorting to tricks
> - Ability to connect and disconnect from the VPN without logging out
I think you will find these mutually exclusive. If you want login scripts to run you will have to log into the domain. Once you do this you already have credentials on the network, so in order to disconnect you will really need to log out.
If you use a separate software client or use the Windows VPN client after you log in, you won't be logging into the domain so won't get the login scripts.

Author Comment

by:ddameo
ID: 12706184
Sorry, grblades, that's what I get for trying to do too many things at once.

What I meant by the first item you quoted is that I'd like the logon script(s) to be executed without manual intervention by the end user, or without resorting to any hokey tricks (like launching the Task Scheduler upon logon, which fires off a login script, as I've seen some people suggest with the Cisco client). The Windows RRAS Connection Manager Administration Kit (CMAK) allows you to build a package that includes logon and logoff scripts. This package takes the form of an executable file that gets distributed to users. While the logon scripts are not server-based, at least it's better than nothing.

What I meant to say in that second item you quoted is:
- Ability to connect and disconnect from the VPN without logging out *OF WINDOWS*
I think most solutions would give you that anyway, but I wanted to make sure it was included as a bullet point.

Does that help clarify things?

Expert Comment

by:grblades
ID: 12706436
I know the Cisco client has an option to load before windows starts which I think gives you an option to log into the domain.
I have never used this myself however, as I don't want the extra traffic over the VPN as we don't have a fast link.

Author Comment

by:ddameo
ID: 12712723
Yes, the Cisco client *does* have this option, which we've used. My memory is getting a little fuzzy, because I've set up several networks and VPNs in the past month, but I believe the problem was the only scripts that would execute would be user logon scripts that are entered in the user's profile in AD Users and Computers. We wanted to have domain-level script processing happen, and the Cisco client doesn't give us that.

Also, if you connect with the Cisco client after you've already logged onto the computer (that is, you don't have the Connect before Logon option enabled), there is no mechanism for automatically launching logon scripts, and likewise there's no mechanism for auto-launching logoff scripts when you disconnect. The Microsoft RRAS Connection Manager has this capability, but I don't think it allows for domain script processing.

It's a tough one, and maybe nothing exists out there that will do this.

Failing that, can someone then at least point me in the direction of a technical explanation of how to implement ONE of the following:
- Authentication using user or machine certificates with Windows 2000 Certificate Services and either the Cisco 4.x client or the native Windows client (I have found numerous documents that describe parts of the process, but nothing that puts it all together for me, especially the usage of MSCEP on the Win2K Cert Server to allow processing of certificate requests by the PIX)
- Certificate authentication using PPTP bypassing the Cisco PIX entirely

Thanks,
David

Expert Comment

by:grblades
ID: 12713807
I have never used certificates on the PIX. What I have done for a customer though is configure the PIX to use RADIUS for authentication, and the customer just configured a RADIUS server on their file server to authenticate users. This works well.

I am not a windows expert but getting the PPTP passed through the PIX is easy you just define a static mapping from an external IP address to the IP address of the VPN server and then define an access-list to permit TCP port 1723 and GRE in. Let me know if you would like a configuration example.
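As an added illustration of the PPTP passthrough grblades describes (this is not a configuration from the thread; the addresses are placeholders and the ACL name is an assumption), the PIX 6.3 pieces are a one-to-one static translation, an inbound access-list for the TCP/1723 control channel and GRE data channel, and the PPTP fixup so clients behind home NAT/PAT routers keep their GRE sessions matched to their tunnel:

```cisco
! Constructed example: 203.0.113.10 stands in for one of the site's public
! addresses, 10.0.0.5 for the inside address of the Win2K RRAS server.
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255

! Permit only the two PPTP components, and only to the RRAS server's
! translated address, so nothing else on the inside is reachable.
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10
access-group outside_in in interface outside

! PPTP inspection tracks the GRE call IDs negotiated on TCP/1723, which is
! what lets several Linksys-class NAT/PAT routers each bring up a tunnel.
fixup protocol pptp 1723
```

Applying access-list and access-group lines does not require a reboot, and `show access-list outside_in` shows hit counts so a connection attempt can be confirmed as reaching the PIX before looking at RRAS.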

Assisted Solution

by:Tim Holman
Tim Holman earned 600 total points
ID: 12715426
The Cisco VPN client meets all of your must-haves, although you will need to enable 'Start Before Logon'.

You may have problems with VoIP latency over VPN - you would not be able to get QoS with DSL, so phone quality may be unreliable.

This seems to cover most things off:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/user_gd/vc7.htm

Author Comment

by:ddameo
ID: 12775470
Sorry for the delay in responding. Family issues and client issues all at once make for no time to check EE!

To grblades: Yes, I had set up the PIX to use RADIUS authentication on a Win2K server, and that worked okay. You don't get any real domain policy processing because RADIUS is a generic protocol, not a MS-specific one. I got PPTP to go through the PIX with no problem -- as you said, it's just a matter of setting up ACLs to pass the appropriate TCP and IP traffic through. I appreciate your offer, but I got that working with no problem.

To tim_holman: You're partially right about the Cisco client -- it meets most, but not all, of our must-haves. Specifically, there is no mechanism for auto-running logoff scripts. Also, in order to use the Windows 2000 Certificate Services we had to buy the Resource Kit and load the MSCEP utility so it could process cert requests from the PIX. The MSCEP utility, however, requires a standalone Cert Server. Ours was an Enterprise Cert Server. Anyway, from what I've seen, the management of the certificates becomes a chore and more than my client was willing to invest in. Finally, the VoIP latency was a deal-breaker. Unbeknownst to me, our remote user (the Cisco VPN guinea pig) was having severe VoIP problems with the Cisco client -- upwards of 25 minutes for the thing even to connect and get its IP address via DHCP. With the built-in Windows XP client, it took seconds and the connection has been solid.

In short, I've muddled my way through literally hundreds of documents from MS TechNet, Knowledgebase, and product CDs and the Cisco TAC site and have finally decided to go with an all Microsoft solution. I've set our Certificate Server back to being an Enterprise CA, and only have to determine how certificate requests get passed through the PIX (I may not have to do anything).

I'll update this question within the next couple of days and will award partial points at that time.

Expert Comment

by:Tim Holman
ID: 12777575
Let us know if we can be of any further help - I'm pretty sure we could get the VoIP problems ironed out with the Cisco solution, but if you've gone with M$, then probably little point barking up this tree...

Author Comment

by:ddameo
ID: 12777665
I agree -- I'm sure the VoIP problems are simply a configuration issue. At this point, the client wants a reasonably secure VPN up and running with minimal maintenance going forward. (They don't want to spend $$$ on me each time a new user is added.) With the IPSec (MPE? I can't remember the acronym right now), I think the security should be acceptable with MS PPTP.

Thanks for your help. This is my first question on EE, so I'll figure out the points thing later tonight. I never got an exact answer to my question, but you did reinforce the VoIP thing, so I'm inclined to give you at least partial points.

Expert Comment

by:Tim Holman
ID: 12778077
If you need 'administrative' help, there's a FAQ in the Help section (top right hand corner of this page), and moderators can be reached via the Support link next to it.  :)

Author Comment

by:ddameo
ID: 12778165
Thanks. I briefly read it once before, but I want to make sure I do it right. I appreciate your help.

Author Comment

by:ddameo
ID: 12856208
Well, no one actually solved my problem, although Tim did point out 'Start Before Login' option on the Cisco client, which I already knew about. In the end, I realize that my client can't have everything they want, so we're reduced to using a garden variety Microsoft PPTP VPN with the built-in Windows 2000 & XP client. We've added IPSec authentication, which was tricky to implement until I figured out the correct way of remotely issuing a client certificate from the Windows 2000 Enterprise Certificate Authority. My final problem is that I can't authenticate using a CMAK-generated connectoid (CMAK being the Windows 2000 RRAS (Routing and Remote Access) Connection Manager Authentication Kit, for those who don't know). I suspect it's encrypting the password, even though I've told it not to. But that's an issue for another question.

Thanks to all. I'll split points even though no one solved my problem, because I'm feeling generous in the spirit of Christmas.