Need solid VPN solution w/ Win2K Domain, Win clients, PIX 515 firewall, Logon scripts

Posted on 2004-11-29
Last Modified: 2010-04-12
I need a recommended solution for configuring a VPN for one of my clients. It's urgent, and I need answers from experienced people only. This is a production environment, with a fully-configured firewall, and I can't take it down without scheduling an outage for the wee hours of the morning. Finally, I am *not* a Cisco expert -- and not sure that I want to be -- and prefer to see solutions that use the "training wheels" interface (PDM) wherever possible.

The desired solution:
- will provide the "must haves" shown below
- will not require the purchase of additional equipment or software
- will be relatively straightforward to set up
- will not require extensive maintenance
- will require few or no firewall reboots (24x7 production websites are running)
- will handle up to 20 remote users (VoIP phones and users)
- will work with workgroup routers that use NAT
- can use either the built-in Windows client or the Cisco VPN Client

NOTE: I can live with a solution that bypasses the PIX -- please no comments, Cisco experts, I can hear you cringing already! -- and uses PPTP/EAP-TLS (or similar config) directly to the Win2K RRAS server. Ease of maintenance is very important and I'm very familiar with setting up PPTP VPNs.

- Windows 2000 Server domain controller running Active Directory
- Windows 2000 Server member server running IAS, RRAS, Certificate Services
- Several other Win2K servers, including SQL Servers, IIS servers, file/print servers, etc.
- Cisco PIX 515e Restricted (3 interfaces: WAN/outside, LAN/inside, DMZ/dmz)
  > PIX 6.3(3); PDM 3.0(1), DES encryption only
- Cisco 2620 T-1 router
- Full data T-1 (44 static IP addresses)

- Win2K Pro (SP4) or WinXP Pro
- Mixture of cable and DSL connections
- Linksys-class routers (running NAT) and firewall/routers (NAT/PAT)
- Cisco VPN Client 4.0.5(C) or later is an option
- Some are stay-at-home PCs, some are work laptops brought home
- All PCs can be brought into the office, connected to domain and configured

- Ability to automatically run logon scripts without resorting to tricks like using Windows Scheduler to run them
  > Preferred: Server-based logon scripts
  > Preferred: Execution of logoff scripts
- Ability to browse network resources without re-entering credentials
- IPSec-based certificates or equivalent authentication method (e.g., EAP-TLS)
- Ability to connect and disconnect from the VPN without logging out
- Software-based client VPN endpoint solution

- Cisco Windows Client 4.x to PIX using Group Authentication & UDP IPSec
  > Logon scripts do not execute
  > Couldn't get any domain policies to run
- Built-in Windows Client to PIX using L2TP and IPSec Certificates
  > Using MSCEP tool proved too complicated - never got it off the ground
- Built-in Windows Client to Win2K RRAS using PPTP
  > PPTP passes through PIX with no problem
  > No secure authentication (we have a standalone, not enterprise, CA)

- Certificate Server
- RRAS server
- Domain IPSec policies
- VPN Settings on PIX
- VPN protocol can be PPTP, L2TP or other

- Can't reboot firewall without advance notice
- Server operating system
- PIX hardware configuration (can't add interfaces or IPsec card)

Let me know what other info you need.

This is an urgent situation, and any help is greatly appreciated. I may not be able to respond during business hours (East coast) for the next few days, as I'll be out on client sites during the day, but will respond each evening.

Question by:ddameo
    LVL 36

    Accepted Solution

    Hi ddameo,
    > - Ability to automatically run logon scripts without resorting to tricks
    > - Ability to connect and disconnect from the VPN without logging out
    I think you will find these mutually exclusive. If you want login scripts to run, you will have to log into the domain. Once you do this you already have credentials on the network, so in order to disconnect you will really need to log out.
    If you use a separate software client or use the Windows VPN client after you log in, you won't be logging into the domain, so you won't get the login scripts.

    Author Comment

    Sorry, grblades, that's what I get for trying to do too many things at once.

    What I meant by the first item you quoted is that I'd like the logon script(s) to be executed without manual intervention by the end user, or without resorting to any hokey tricks (like launching the Task Scheduler upon logon, which fires off a login script, as I've seen some people suggest with the Cisco client). The Windows RRAS Connection Manager Administration Kit (CMAK) allows you to build a package that includes logon and logoff scripts. This package takes the form of an executable file that gets distributed to users. While the logon scripts are not server-based, at least it's better than nothing.

    What I meant to say in that second item you quoted is:
    - Ability to connect and disconnect from the VPN without logging out *OF WINDOWS*
    I think most solutions would give you that anyway, but I wanted to make sure it was included as a bullet point.

    Does that help clarify things?
    LVL 36

    Expert Comment

    I know the Cisco client has an option to load before windows starts which I think gives you an option to log into the domain.
    I have never used this myself however as I don't want the extra traffic over the VPN as we dont have a fast link.

    Author Comment

    Yes, the Cisco client *does* have this option, which we've used. My memory is getting a little fuzzy, because I've set up several networks and VPNs in the past month, but I believe the problem was the only scripts that would execute would be user logon scripts that are entered in the user's profile in AD Users and Computers. We wanted to have domain-level script processing happen, and the Cisco client doesn't give us that.

    Also, if you connect with the Cisco client after you've already logged onto the computer (that is, you don't have the Connect before Logon option enabled), there is no mechanism for automatically launching logon scripts, and likewise there's no mechanism for auto-launching logoff scripts when you disconnect. The Microsoft RRAS Connection Manager has this capability, but I don't think it allows for domain script processing.

    It's a tough one, and maybe nothing exists out there that will do this.

    Failing that, can someone then at least point me in the direction of a technical explanation of how to implement ONE of the following:
    - Authentication using user or machine certificates with Windows 2000 Certificate Services and either the Cisco 4.x client or the native Windows client (I have found numerous documents that describe parts of the process, but nothing that puts it all together for me, especially the usage of MSCEP on the Win2K Cert Server to allow processing of certificate requests by the PIX)
    - Certificate authentication using PPTP bypassing the Cisco PIX entirely

    LVL 36

    Expert Comment

    I have never used certificates on the PIX. What I have done for a customer, though, is configure the PIX to use RADIUS for authentication, and the customer just configured a RADIUS server on their file server to authenticate users. This works well.

    I am not a Windows expert, but getting PPTP passed through the PIX is easy: you just define a static mapping from an external IP address to the IP address of the VPN server and then define an access-list to permit TCP port 1723 and GRE in. Let me know if you would like a configuration example.
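    A PIX 6.3 configuration fragment for the static mapping and access list grblades describes above, added here as an illustration; it is not taken from the thread, from the poster's firewall or from a real device. The public address 203.0.113.10, the inside address 10.0.0.5 of the Win2K RRAS server, and the ACL name outside_access_in are made-up placeholders, and the final fixup line goes one step beyond what grblades mentions.

```cisco
! Added example, not from the thread. Addresses and the ACL name are placeholders.
! One-to-one static NAT: public 203.0.113.10 -> RRAS server 10.0.0.5 on the inside
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255 0 0

! Permit only the two things PPTP needs from the outside:
! the TCP/1723 control channel and GRE (IP protocol 47) carrying the tunnelled PPP
access-list outside_access_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_access_in permit gre any host 203.0.113.10

! Apply the list inbound on the outside interface. On a production PIX, run
! "show access-group" first: if a list is already bound to outside, add the two
! lines to that list instead of binding a new one, or existing rules are lost.
access-group outside_access_in in interface outside

! PIX 6.3 can track the GRE call IDs negotiated on the control channel,
! which is what lets the PPTP session through the stateful inspection
fixup protocol pptp 1723
```

    The same entries can be made in PDM under the access rules and NAT screens, which matches the "training wheels" preference in the question. Keep the list this narrow: the static exposes the RRAS server to the Internet on exactly these two entries, so everything else stays blocked and it is RRAS authentication (MS-CHAP with MPPE, or the EAP-TLS certificate option the question mentions) that decides who actually gets a tunnel.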
    LVL 23

    Assisted Solution

    by:Tim Holman
    The Cisco VPN client meets all of your must-haves, although you will need to enable 'Start Before Logon'.

    You may have problems with VoIP latency over VPN - you would not be able to get QoS with DSL, so phone quality may be unreliable.

    This seems to cover most things off:

    Author Comment

    Sorry for the delay in responding. Family issues and client issues all at once make for no time to check EE!

    To grblades: Yes, I had set up the PIX to use RADIUS authentication on a Win2K server, and that worked okay. You don't get any real domain policy processing because RADIUS is a generic protocol, not a MS-specific one. I got PPTP to go through the PIX with no problem -- as you said, it's just a matter of setting up ACLs to pass the appropriate TCP and IP traffic through. I appreciate your offer, but I got that working with no problem.

    To tim_holman: You're partially right about the Cisco client -- it meets most, but not all, of our must-haves. Specifically, there is no mechanism for auto-running logoff scripts. Also, in order to use the Windows 2000 Certificate Services we had to buy the Resource Kit and load the MSCEP utility so it could process cert requests from the PIX. The MSCEP utility, however, requires a standalone Cert Server. Ours was an Enterprise Cert Server. Anyway, from what I've seen, the management of the certificates becomes a chore and more than my client was willing to invest in. Finally, the VoIP latency was a deal-breaker. Unbeknownst to me, our remote user (the Cisco VPN guinea pig) was having severe VoIP problems with the Cisco client -- upwards of 25 minutes for the thing even to connect and get its IP address via DHCP. With the built-in Windows XP client, it took seconds and the connection has been solid.

    In short, I've muddled my way through literally hundreds of documents from MS TechNet, Knowledgebase, and product CDs and the Cisco TAC site and have finally decided to go with an all Microsoft solution. I've set our Certificate Server back to being an Enterprise CA, and only have to determine how certificate requests get passed through the PIX (I may not have to do anything).

    I'll update this question within the next couple of days and will award partial points at that time.
    LVL 23

    Expert Comment

    by:Tim Holman
    Let us know if we can be of any further help - I'm pretty sure we could get the VoIP problems ironed out with the Cisco solution, but if you've gone with M$, then probably little point barking up this tree...

    Author Comment

    I agree -- I'm sure the VoIP problems are simply a configuration issue. At this point, the client wants a reasonably secure VPN up and running with minimal maintenance going forward. (They don't want to spend $$$ on me each time a new user is added.) With the IPSec (MPE? I can't remember the acronym right now), I think the security should be acceptable with MS PPTP.

    Thanks for your help. This is my first question on EE, so I'll figure out the points thing later tonight. I never got an exact answer to my question, but you did reinforce the VoIP thing, so I'm inclined to give you at least partial points.
    LVL 23

    Expert Comment

    by:Tim Holman
    If you need 'administrative' help, there's a FAQ in the Help section (top right hand corner of this page), and moderators can be reached via the Support link next to it. :)

    Author Comment

    Thanks. I briefly read it once before, but I want to make sure I do it right. I appreciate your help.

    Author Comment

    Well, no one actually solved my problem, although Tim did point out 'Start Before Login' option on the Cisco client, which I already knew about. In the end, I realize that my client can't have everything they want, so we're reduced to using a garden variety Microsoft PPTP VPN with the built-in Windows 2000 & XP client. We've added IPSec authentication, which was tricky to implement until I figured out the correct way of remotely issuing a client certificate from the Windows 2000 Enterprise Certificate Authority. My final problem is that I can't authenticate using a CMAK-generated connectoid (CMAK being the Windows 2000 RRAS (Routing and Remote Access) Connection Manager Authentication Kit, for those who don't know). I suspect it's encrypting the password, even though I've told it not to. But that's an issue for another question.

    Thanks to all. I'll split points even though no one solved my problem, because I'm feeling generous in the spirit of Christmas.
