kriggins14

asked on

Running Logon Scripts through a VPN Concentrator

Hi,
   I've been reading a little bit on this board and on Cisco about how to run Windows Logon Scripts through our VPN Concentrators but still am not sure how to actually implement it. The scenario we want is for our remote users who come in through the concentrator to be able to get their network drive mappings which are located on Windows 2003 servers via the DC logon scripts.

I saw that you need to go into options of the VPN Client to check "Enable start before logon", but what else needs to be done? Do I need to enable anything on the Concentrator? I assume that the Firewall also needs to be configured to allow the DCs and the 2003 file servers through as well. Does anyone know which ports would have to be configured for them on the Firewall?

We have a PIX Firewall behind our Cisco VPN Concentrator, so people are connecting to the VPN Concentrator first.

Thanks
ASKER CERTIFIED SOLUTION
sciwriter

This solution is only available to members.
kriggins14

ASKER

Sciwriter, thanks for your input.
We are using the Cisco Client, as you said in the second part of your answer. The user launches the client and connects to the VPN Concentrator; they are then prompted for their user name and password. This prompt comes from Cisco and not from Windows; authentication is handled by a Cisco ACS server that does use the NT domain database to authenticate users.

My objective is to try to run the logon scripts from our NT4 Domain Controllers when the user logs on. Now, as I am writing this, I'm thinking maybe this can't be done, since I am using an ACS server as opposed to authenticating directly against an actual Domain Controller. You see, the scripts on the domain controller are what actually map the user to the 2003 server. I suppose I could always just have the user run a script from their workstation to map the drive, but using a logon script would have been better.

<< This prompt comes from Cisco and not from Windows, authentication is handled by a Cisco ACS server that does use the NT domain database to authenticate users. >>

Yep, that is standard for the Cisco client.  It is still not the 2003 login, but it gets you to the same place.  I disagree with Cisco on how they do this, because you get exactly the problem you are seeing.

<<maybe this can't be done since I am using an ACS server as opposed to authenticating directly against an actual Domain Controller. You see, the scripts on the domain controller is what actually will map the user to the 2003 server >>

Yes, that does create a problem, but until you do direct domain-level authentication, there is still a workaround.  Why can't your mapping from NT to the 2003 simply run another script on the 2003 server?  If the NT4 script is just to transfer, that's no problem.  Then on the 2003, set up a whole group-level script for common features for that group; that would work.  Keep the individual directory logins unique to the NT4 script.  Then when you migrate to direct DDL-level logins, you just dump the NT4 translation scripts and keep the group-level 2003 scripts.... No???
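The two-stage layout described in the reply above, written out as an added example (this is not code from the thread or from either poster). Server name `fs2003`, share `scripts$`, the `DOMAIN\Sales` group and the `sales.bat` script are placeholders; the group check assumes `ifmember.exe` from the Windows Resource Kit is on the path. The per-user mapping stays in the NT4 netlogon script, and everything group-wide is handed off to a script that lives on the 2003 file server, so the NT4 half can be dropped later without touching the group scripts.

```batch
@echo off
rem Added example, not from the original thread. NT4 domain logon script that
rem keeps the per-user drive mapping here and hands group-level work to a
rem script stored on the Windows 2003 file server.
rem fs2003, scripts$, DOMAIN\Sales and sales.bat are placeholder names.

set FS2003=\\fs2003
set SCRIPTSHARE=%FS2003%\scripts$

rem Per-user mapping is unique to this NT4 script (keyed on %USERNAME%).
rem /persistent:no so the mapping is not remembered on a laptop that later
rem boots without the VPN up; "Start Before Logon" on the Cisco client is
rem what makes the tunnel available when this script runs.
net use H: %FS2003%\users\%USERNAME% /persistent:no
if errorlevel 1 echo Could not map H: to %FS2003%\users\%USERNAME%

rem Group-level work lives on the 2003 server so it survives NT4 retirement.
rem ifmember.exe (Windows Resource Kit, assumed installed) returns an
rem ERRORLEVEL equal to the number of listed groups the user belongs to,
rem so "if errorlevel 1" is true when the user is in DOMAIN\Sales.
ifmember "DOMAIN\Sales"
if errorlevel 1 call %SCRIPTSHARE%\sales.bat

rem Add one ifmember/call pair per group; the called scripts on the 2003
rem server do their own "net use" for the group shares.
```

Run from the NT4 domain's NETLOGON share as the user's logon script; the `call` into `\\fs2003\scripts$` only works once the SMB path to the 2003 server is reachable through the tunnel and the firewall, which is the same reachability the drive mappings themselves need.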