Solved

VPN group policy

Posted on 2008-10-03
Last Modified: 2012-08-13
I have set up a VPN using ISA Server.
The VPN works fine; home users dial up to the VPN after they have logged in.

How do I
1) Log all VPN logins? (I want to make sure everyone who uses the VPN is tracked)
2) Enable login scripts to run for the VPN user?
Question by:anarine
15 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22639986
You don't. They are called logon scripts because they are run at logon time. They are not called runatvpnconnectiontime scripts.

Make a copy of the login script batch file and make it available on each PC - make an icon or something on the desktop. Run this after the VPN connection is established. That will map the drive letters and printers or whatever else your script does.

Turn on auditing.

0
 

Author Comment

by:anarine
ID: 22640397
I have 4 domain controllers. Please tell me how to configure the auditing.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22640411
No, I won't. You tell us what your environment is, operating system(s) used, service pack levels etc and related info then we can see what we can do for you. I am not playing at guessing games - for all we know you could be using a Linux back end.
0

 

Author Comment

by:anarine
ID: 22640569
The domain controllers are all Windows 2003 Standard SP2.
All clients are Vista/XP.
I want to be able to log all users who attempt to log in using the VPN. My apologies for not providing all the details.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 50 total points
ID: 22643768
As far as auditing this is concerned, it is done automatically. If you open the ISA GUI, select monitoring - logging - to get to the ISA realtime monitor screen. By default, ISA will log and display all information that passes inbound or outbound through its interfaces. You will see an option to start query - the default query is 'live' so it shows real time. However, you can edit the query and change the log time from 'live' to any period you want - the last seven days for example. If you made and applied that change then clicked start query, it would show you all the traffic for the past seven days.

You can also edit the query and select the 'action' tab - changing this from the default to action = initiated VPN connection and time to last seven days would give you all the VPN connection attempts. etc etc etc.

You can cut and paste the outputs into Excel or a text file as you wish.

When done, just remember to put the defaults back.....
Action not equal to connection status
Log time equal Live

Keith
0
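Added example (not part of the original thread or any poster's code): once the query results described in the accepted answer have been pasted into a text file, a short script can turn them into a per-user record of VPN connections. The column names, timestamp format and sample rows below are assumptions constructed for illustration; only the action name "initiated VPN connection" comes from the answer.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a log viewer paste (tab-separated). The column names and
# timestamp format are assumptions; change them to match your own export.
SAMPLE_EXPORT = (
    "Log Time\tClient IP\tClient Username\tAction\n"
    "2008-10-01 08:02:11\t203.0.113.10\tCORP\\alice\tInitiated VPN Connection\n"
    "2008-10-01 08:02:40\t203.0.113.10\tCORP\\alice\tConnection Status\n"
    "2008-10-02 19:45:03\t198.51.100.7\tCORP\\Alice\tInitiated VPN Connection\n"
    "2008-10-03 07:30:00\t192.0.2.44\tCORP\\bob\tInitiated VPN Connection\n"
    "2008-09-20 10:00:00\t192.0.2.44\tCORP\\bob\tInitiated VPN Connection\n"
    "not-a-timestamp\t192.0.2.99\tCORP\\carol\tInitiated VPN Connection\n"
)

VPN_ACTION = "initiated vpn connection"  # action filter named in the answer
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"        # assumed timestamp layout


def summarize_vpn_logins(export_text, now, days=7):
    """Per-user summary of VPN connection events in the last `days` days."""
    cutoff = now - timedelta(days=days)
    summary = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "ips": set()})
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        action = (row.get("Action") or "").strip().lower()
        if action != VPN_ACTION:
            continue  # ignore everything that is not a VPN connection event
        try:
            when = datetime.strptime((row.get("Log Time") or "").strip(), TIME_FORMAT)
        except ValueError:
            continue  # skip rows with a missing or malformed timestamp
        if not cutoff <= when <= now:
            continue  # outside the reporting window
        user = (row.get("Client Username") or "").strip().lower() or "(anonymous)"
        entry = summary[user]
        entry["count"] += 1
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
        entry["ips"].add((row.get("Client IP") or "").strip())
    return dict(summary)


if __name__ == "__main__":
    now = datetime(2008, 10, 3, 12, 0, 0)
    for user, e in sorted(summarize_vpn_logins(SAMPLE_EXPORT, now).items()):
        print(user, e["count"], e["first"], e["last"], sorted(e["ips"]))
```

Usernames are lower-cased so that `CORP\alice` and `CORP\Alice` count as one account, and a user appearing from several client IPs in the window is visible in the `ips` set.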
 

Author Comment

by:anarine
ID: 22645832
I enabled RRAS logging in the Routing and Remote Access snap-in.
Thanks for your help. If I join the remote computers to the domain and ask users to check the "dial in" checkbox in the Windows login box before logging in, will that apply the login scripts?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22645843
As long as they are part of the domain - and the connection is established to the VPN as the login takes place - then this should allow the login script to operate. As I stated, if you cannot achieve this, then you can simply place a copy of the logon script onto each PC with an icon and run it afterwards.
0
 

Author Comment

by:anarine
ID: 22658007
One last question: if I enable ISA site-to-site VPN (with ISA at both ends), am I assuming correctly that users will not need to dial in to the VPN?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22662035
That is correct - A site to site vpn traditionally means that the connection is established between the two end points rather than having been established individually by each client. I have a number of sites with 5 or more sites and these are permanently connected and established as if they were point-to-point links.

Keith
0
 

Author Comment

by:anarine
ID: 22668021

Will I have to do any port forwarding on the remote branch's DSL modem?

By configuring the site-to-site VPN, does this mean that remote clients will need to utilize the main office broadband connection for internet access?


0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22670911
That will depend upon your site requirements, your security policy, bandwidth availability, DNS configurations etc.
Yes, you will want to pass through all ports on the DSL to the remote ISA external NIC.
0
 

Author Comment

by:anarine
ID: 22673717
Keith, one last question: what is your personal take on VPN solutions? Would you go for an ISA solution or a Cisco / SonicWALL / hardware VPN router?
Are there any disadvantages to using ISA?
I will be going with ISA 2006 Standard Edition in all branches in site-to-site VPN. Hope I don't need the Enterprise version.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22676133
lol - I think you have done quite well already for a 50 point question anarine.....

There is nowhere near enough information to make a choice here - nor is this the right place to do so. The last time I did an installation of the size you are discussing it was a six month implementation activity and I ran a team of 8. The design stage alone took over two months just working out exactly what the company needed to achieve, the applications and services that would be shared, the DNS and the security considerations that needed to be factored in plus the likely bandwidth implications.

The choice of solution was the last activity and we opted for Cisco ASA at the edge (providing the VPN/SSL connectivity) with ISA acting as the internal firewall/proxy.

Every installation is different and the requirements for each will determine the solution needed.
0
 

Author Comment

by:anarine
ID: 22677670
Thanks for the help, Keith. I will open a new question on ISA site-to-site VPN.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22680680
Welcome mate
0
