Solved

Remote Client Logon with VPN

Posted on 2011-02-12
Last Modified: 2012-08-14
We have a remote worker whom I've built a PC for here, joined it to the domain and set up a VPN connection so she can use our line of business application.  I have since shipped it to her remote location.

How can I set up her PC so when she logs into it, it knows to use the VPN and authenticate to the domain, thus keeping her remote PC's SID in sync with AD?

Said another way, that PC will not ever come back here, so I need the VPN to actually connect as she logs on to keep her PC a member in good standing on the domain.

Originally, I was going to have her do what I do with my laptop, log in, connect to the VPN and use the network resources I needed.  I've since wondered if that is not appropriate for her because my laptop actually comes back into the domain where her PC will not.

Please advise,
Thanks!
0
Question by:DustinEWright
13 Comments
 
LVL 10

Expert Comment

by:CSIPComputing
ID: 34879713
Hi Dustin,

To actively process Group Policy, keep in sync with AD etc, your remote user needs to connect to your VPN before she logs on.

This used to be a simple tick box in XP etc, but it is now a little harder to achieve.

Assuming you're using the standard Windows SBS 2008 VPN (i.e. PPTP), the key is that you need to tick the "Allow other people to access this connection" box when creating the VPN Connection. With this box selected, I recommend NOT saving the password for the VPN Connection.

At the next logon, the user should press "ESC" or click "Switch User" which will show the logon screen with the two standard user icons, the blue "Ease of Access" icon to the Bottom Left, and the "Shutdown Options" to the bottom Right.  Next to Shutdown Options, you'll now see a new Blue Button, "Network Connections".

Click this, and the remote user will be presented with a list of available VPN connections.  By clicking one of these connection icons, and entering their standard Username and Password (including Domain Name, i.e. CONTOSO\Joe) they will be connected to the VPN/AD/Main Network, and logged on to their PC/Laptop.

It's a little more convoluted than XP, but it is there...

Hope that helps!
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 34880420
Going down a different path, if the remote worker has a computer of her own, I would have kept the station in the office and let her connect with RWW.  Much safer, much faster, and much more control.  The remote worker needs only to have a computer capable of RDC, basically any XP or better computer.
0
 
LVL 2

Expert Comment

by:paulstorm
ID: 34884798
adding to fly...

Not too hard to set up. Couple of things on the checklist.

Give the workplace PC a static IP.
Change the listening port via regedit to something other than 3389.
Create an exception in the firewall for that port.
Tick the "allow remote connections to this computer" box in computer properties.

On the router, port forward the listening port to the static IP of the workplace computer.

On the remote computer set up RDC with the WAN IP and listening port.

0
 
LVL 7

Expert Comment

by:scraby
ID: 34885468
And if you want to force the user to connect via VPN without a choice, then you can set the Computer/HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
create or edit string RASForce and set to 1
This will grey and tick the dial-up option so that the user has no option but to use the VPN only, when logging on.
I have not tested this on 7 but do know it works on XP.
0
 

Author Comment

by:DustinEWright
ID: 34911948
Ok, we tried, but are not having any luck.  She has a slightly different dialog there than I do here, see attached.  When I try to select the top checkbox, I have to select a connection in the drop down.  She's currently using a wireless on the PC (cable is on order) and this process seems to cripple her Internet when we tried the above advice.  What can I do?

Thanks

 VPN Connection - Remote
0

 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 34912078
I am starting to sound like a broken record, and if you have considered this and have a reason not to consider it, please let us know.

I would much prefer to see the newly built system inside the LAN, and the remote user connect to it with RWW.  More secure, less chance of data corruption, and zero chance of malware coming in over the VPN from the remote computer.
0
 

Author Comment

by:DustinEWright
ID: 34913532
We use Skype for our phone system and with RWW, she has to alt+tab to the desktop to dial and accept calls.  Simply put, RWW will not meet the business need.  We have been limping along with that arrangement since July.  We need this.
0
 

Author Comment

by:DustinEWright
ID: 34913535
She can't use Skype through an RDP session.
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 34915346
Ok, I see that having to press Alt+Tab could be a huge inconvenience.  I have never tried what you are describing, but wondering why the remote user could not use Skype, or any other VoIP system on the desktop inside the LAN?  That is, if she were based in the office, could she not use Skype?
0
 
LVL 7

Accepted Solution

by:
scraby earned 500 total points
ID: 34918205
You're under the sharing tab and selecting internet connection sharing; this turns the workstation into a gateway where others on the local network are then allowed to use her connection to connect to the internet.  YOU'RE IN THE WRONG PLACE. See the attached picture: when you SET UP the connection it gives you the option to "allow other people to use this connection". Check that and this will make the connection available at the logon screen.  The wireless connection should not be an issue; Windows starts the wireless service before logon, just make sure you're using Windows to connect to wireless networks and not a third party or adapter solution. So to break it down:

1. Set up the new VPN connection and allow other people to use this connection in the setup. I would put all the information (including password) to allow the VPN to connect without the user having to enter information (fewer steps to confuse people).
2. Instruct to use the ease of access button during logon and select the VPN connection before logging on (set RASForce to 1 as indicated above to not give the user the option to log on without the VPN).
3. Make sure they are using the correct domain to log on, and once they commence logging on the VPN will connect and the user will be authenticated on the domain as if they were local, with all resources available, and group policies will be applied to their workstation.

I've done this many times on XP and it works great.  I set up the computers to automatically log on to everything so that the user does not have to make any decisions (auto connect to VPN and autologon to domain); of course this is not good security practice but it all depends on your environment.

Good luck, and please reply with your results or other issues.
vpn-connection-setup.jpg
0
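
The following read-only check of the setup described in this thread is an added example, not part of any poster's reply. It assumes Windows PowerShell on Vista/7 or later, an elevated prompt, the VPN connected, and the default all-users phonebook location; on the system the Winlogon key sits under `Windows NT` (with a space).

```powershell
# Added example: read-only checks on the remote PC; nothing here changes the system.
# Assumptions: Windows PowerShell (Get-WmiObject available), elevated prompt,
# VPN connected so a domain controller is reachable.

# 1. Is the PC still joined to the domain?
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Domain joined : {0} ({1})" -f $cs.PartOfDomain, $cs.Domain

# 2. Is the VPN entry in the all-users phonebook? Entries created with
#    "Allow other people to use this connection" are stored here; per-user
#    entries are not, and are not available at the logon screen.
$pbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
if (Test-Path $pbk) {
    # Each connection is an INI-style section: [Connection Name]
    $entries = @(Get-Content $pbk |
        ForEach-Object { if ($_ -match '^\[(.+)\]$') { $matches[1] } })
    "All-user VPNs : {0}" -f $(if ($entries.Count) { $entries -join ', ' } else { '(none)' })
} else {
    "All-user VPNs : (no all-users phonebook at $pbk)"
}

# 3. Is RASForce set? Read only; the value name comes from the thread above.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ras = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).RASForce
"RASForce      : {0}" -f $(if ($null -ne $ras) { $ras } else { '(not set)' })

# 4. Is the machine account's secure channel to the domain intact?
#    This is what "a member in good standing" comes down to.
try {
    $ok = Test-ComputerSecureChannel -ErrorAction Stop
    "Secure channel: {0}" -f $ok
} catch {
    "Secure channel: check failed ({0})" -f $_.Exception.Message
}
```

A `False` or failed result in step 4 while the VPN is up means the workstation's trust relationship with the domain needs repair before pre-logon VPN will help.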
 
LVL 68

Expert Comment

by:Qlemo
ID: 35275297
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
