Running Logon Scripts through a VPN Concentrator

Hi,
   I've been reading a little bit on this board and on Cisco about how to run Windows Logon Scripts through our VPN Concentrators but still am not sure how to actually implement it. The scenario we want is for our remote users who come in through the concentrator to be able to get their network drive mappings which are located on Windows 2003 servers via the DC logon scripts.

I saw that you need to go into options of the VPN Client to check "Enable start before logon" but what else needs to be done? Do I need to enable anything on the Concentrator? I assume that the Firewall also needs to be configured to allow the DCs and the 2003 file servers through as well. Anyone know which ports would have to be configured for them on the Firewall?

We have a Pix Firewall behind our Cisco VPN Concentrator. So people are connecting to the VPN Concentrator first.

Thanks
Asked by: kriggins14

1 Solution
sciwriter commented:
If you are using hardware VPN on BOTH ENDS of the tunnel, then you need to think of the user as just on the end of a veeeeerrrry long CAT5 cable.  It is no different.  The VPN concentrator handles the tunnels.  The users log into the 2003 server just like they are on a long ethernet cable, login is no different, and the scripts to run on the windows server are no different.

Now if the 2003 server does the VPN, everything is a lot more complicated, because it must FIRST VPN and then authenticate, so the procedure is different.  If your clients are logging in to the VPN concentrator to get the VPN via a "Cisco client" software package, THAT package does the VPN connect.  So even in that case, the LOGIN to the 2003 server is no different than a full hardware VPN -- just a long cable.

Does that answer it?
kriggins14 (Author) commented:
Sciwriter, thanks for your input.
We are using the Cisco Client as you said in the second part of your answer. The user launches the client and connects to the VPN concentrator, they are then prompted for their user name and password. This prompt comes from Cisco and not from Windows, authentication is handled by a Cisco ACS server that does use the NT domain database to authenticate users.

My objective is to try to run the logon scripts from our NT4 Domain Controllers when the user logs on. Now as I am writing this I'm thinking maybe this can't be done since I am using an ACS server as opposed to authenticating directly against an actual Domain Controller. You see, the scripts on the domain controller are what actually will map the user to the 2003 server. I suppose I could always just have the user run a script from their workstation to just map the drive, but using a logon script would have been better.

sciwriter commented:
<< This prompt comes from Cisco and not from Windows, authentication is handled by a Cisco ACS server that does use the NT domain database to authenticate users. >>

Yep, that is standard for the Cisco client.  It is still not the 2003 login, but it gets you to the same place.  I disagree with Cisco on how they do this, because you get exactly the problem you are seeing.

<< maybe this can't be done since I am using an ACS server as opposed to authenticating directly against an actual Domain Controller. You see, the scripts on the domain controller are what actually will map the user to the 2003 server >>

Yes that does create a problem, but until you do direct domain level authentication, there is still a workaround.  Why can't your mapping from NT to the 2003 simply run another script on the 2003 server?  If the NT4 script is just to transfer, that's no problem.  Then on the 2003, set up a whole group-level script for common features for that group, that would work.  Keep the individual directory logins unique to the NT4 script.  Then when you migrate to direct DDL level logins, you just dump the NT4 translation scripts, and keep the group level 2003 scripts.... No???
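The firewall side of the original question (which ports the PIX has to pass from the remote users to the DCs and the 2003 file server) is not answered in the thread, so here is an added example in PIX 6.x syntax; it is not from any of the posters. It assumes constructed addresses (VPN address pool 10.200.0.0/24, NT4 DCs 192.168.10.11 and 192.168.10.12, Windows 2003 file server 192.168.10.20), that the decrypted traffic from the concentrator arrives on the PIX "outside" interface, and that the PIX runs 6.2 or later (for object-group). Lines starting with "!" are comments.

```cisco
! Added example (constructed addresses): scope the VPN pool to the domain
! hosts and only the ports NT4 domain logon and SMB drive mapping use.

! Too broad: any remote user can reach every internal host on every port.
! access-list vpn_in permit ip 10.200.0.0 255.255.255.0 192.168.10.0 255.255.255.0

object-group network DOMAIN_HOSTS
  network-object host 192.168.10.11
  network-object host 192.168.10.12
  network-object host 192.168.10.20

! NetBIOS name service (137/udp) and datagram service (138/udp): NT4 domain
! logon and locating the DC. Name resolution over the tunnel works only if
! the client has WINS/LMHOSTS pointing at one of these hosts.
access-list vpn_in permit udp 10.200.0.0 255.255.255.0 object-group DOMAIN_HOSTS eq netbios-ns
access-list vpn_in permit udp 10.200.0.0 255.255.255.0 object-group DOMAIN_HOSTS eq netbios-dgm
! NetBIOS session (139/tcp): SMB over NetBIOS, NETLOGON share, NT4-style drive maps.
access-list vpn_in permit tcp 10.200.0.0 255.255.255.0 object-group DOMAIN_HOSTS eq netbios-ssn
! Direct-hosted SMB (445/tcp): shares on the Windows 2003 file server.
access-list vpn_in permit tcp 10.200.0.0 255.255.255.0 object-group DOMAIN_HOSTS eq 445
! Everything else from the pool falls to the implicit deny at the end.
access-group vpn_in in interface outside
```

If an access-group is already bound to the outside interface, merge these lines into that list rather than replacing it; the "Enable start before logon" client option is still needed so the tunnel is up when Windows tries to contact the DC.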