• Status: Solved

Remote Client Logon with VPN

We have a remote worker whom I've built a PC for here, joined it to the domain and set up a VPN connection so she can use our line of business application.  I have since shipped it to her remote location.

How can I set up her PC so when she logs into it, it knows to use the VPN and authenticate to the domain thus keeping her remote PC's SID in sync with AD?

Said another way, that PC will not ever come back here, so I need the VPN to actually connect as she logs on to keep her PC a member in good standing on the domain.

Originally, I was going to have her do what I do with my laptop, log in, connect to the VPN and use the network resources I needed.  I've since wondered if that is not appropriate for her because my laptop actually comes back into the domain where her PC will not.

Please advise,
Thanks!
Asked:
DustinEWright
1 Solution
 
CSIPComputing Commented:
Hi Dustin,

To actively process Group Policy, keep in sync with AD etc, your remote user needs to connect to your VPN before she logs on.

This used to be a simple tick box in XP etc, but it is now a little harder to achieve.

Assuming you're using the standard Windows SBS 2008 VPN (i.e. PPTP), the key is that you need to tick the "Allow other people to access this connection" box when creating the VPN Connection. With this box selected, I recommend NOT saving the password for the VPN Connection.

At the next logon, the user should press "ESC" or click "Switch User" which will show the logon screen with the two standard user icons, the blue "Ease of Access" icon to the Bottom Left, and the "Shutdown Options" to the bottom Right.  Next to Shutdown Options, you'll now see a new Blue Button, "Network Connections".

Click this, and the remote user will be presented with a list of available VPN connections.  By clicking one of these connection icons, and entering their standard Username and Password (including Domain Name, i.e. CONTOSO\Joe) they will be connected to the VPN/AD/Main Network, and logged on to their PC/Laptop.

It's a little more convoluted than XP, but it is there...

Hope that helps!

Larry Struckmeyer MVP Commented:
Going down a different path, if the remote worker has a computer of her own, I would have kept the station in the office and let her connect with RWW.  Much safer, much faster, and much more control.  The remote worker needs only to have a computer capable of RDC, basically any XP or better computer.

paulstorm Commented:
adding to fly...

Not too hard to set up. Couple of things on the checklist.

Give the workplace PC a static IP.
Change the listening port via regedit to something other than 3389.
Create an exception in the firewall for that port.
Tick the "allow remote connections to this computer" box in computer properties.

On the router, port forward the listening port to the static IP of the workplace computer.

On the remote computer set up RDC with the WAN IP and listening port.
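
A read-only audit of the RDP listener that the checklist above configures, as an added example that is not part of the original thread. The function name `Get-RdpListenerAudit` is hypothetical; the registry values it reads are the standard Terminal Server listener settings.

```powershell
# Added example (not from the thread): read-only audit of the RDP listener
# on the office PC. Run in an elevated PowerShell session.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpListenerAudit {
    $ts  = Get-ItemProperty -Path $tsKey
    $tcp = Get-ItemProperty -Path $tcpKey
    $findings = @()

    # fDenyTSConnections = 0 corresponds to the "allow remote connections" tick box.
    $enabled = ($ts.fDenyTSConnections -eq 0)
    if ($enabled) {
        # UserAuthentication = 1 means Network Level Authentication is required,
        # so credentials are checked before a desktop session is created.
        if ($tcp.UserAuthentication -ne 1) {
            $findings += 'NLA is not required on the listener'
        }
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS.
        if ($tcp.SecurityLayer -eq 0) {
            $findings += 'Legacy RDP security layer: no TLS server authentication'
        }
        # A moved port is still found by a port scan, so report it as a reminder
        # that the router forward should be limited to known source addresses.
        if ($tcp.PortNumber -ne 3389) {
            $findings += "Listener moved to port $($tcp.PortNumber): restrict the forwarded port by source address"
        }
    }

    New-Object PSObject -Property @{
        RdpEnabled    = $enabled
        Port          = $tcp.PortNumber
        NlaRequired   = ($tcp.UserAuthentication -eq 1)
        SecurityLayer = $tcp.SecurityLayer
        Findings      = $findings
    }
}

Get-RdpListenerAudit | Format-List
```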

scraby Commented:
and if you want to force the user to connect via vpn without a choice then you can set the Computer/HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
create or edit string RASForce and set to 1
this will grey and tick the dial up option so that the user has no option but to use the vpn only, when logging on.
I have not tested this on 7 but do know it works on xp.

DustinEWright Author Commented:
Ok, we tried, but are not having any luck.  She has a slightly different dialog there than I do here, see attached.  When I try to select the top checkbox, I have to select a connection in the drop down.  She's currently using a wireless on the PC (cable is on order) and this process seems to cripple her Internet when we tried the above advice.  What can I do?

Thanks

 VPN Connection - Remote

Larry Struckmeyer MVP Commented:
I am starting to sound like a broken record, and if you have considered this and have a reason not to consider it, please let us know.

I would much prefer to see the newly built system inside the LAN, and the remote user connect to it with RWW.  More secure, less chance of data corruption, and zero chance of malware coming in over the VPN from the remote computer.

DustinEWright Author Commented:
We use Skype for our phone system and with RWW, she has to alt+tab to the desktop to dial and accept calls.  Simply put RWW will not meet the business need.  We have been limping along with that arrangement since July.  We need this.

DustinEWright Author Commented:
She can't use Skype through an RDP session.

Larry Struckmeyer MVP Commented:
Ok, I see that having to press Alt+Tab could be a huge inconvenience.  I have never tried what you are describing, but wondering why the remote user could not use Skype, or any other VoIP system on the desktop inside the LAN?  That is, if she were based in the office, could she not use Skype?

scraby Commented:
You're under the sharing tab and selecting internet connection sharing; this turns the workstation into a gateway where others on the local network are then allowed to use her connection to connect to the internet.  YOU'RE IN THE WRONG PLACE. See the attached picture: when you SET UP the connection it gives you the option to "allow other people to use this connection"; check that and this will make the connection available at the logon screen.  The wireless connection should not be an issue; Windows starts the wireless service before logon, just make sure you're using Windows to connect to wireless networks and not a third party or adapter solution. So to break it down:

1. Set up the new vpn connection and allow other people to use this connection in the setup. I would put in all the information (including password) to allow the vpn to connect without the user having to enter information (less steps to confuse people)
2. Instruct to use the ease of access button during logon and select the vpn connection before logging on (set RASForce to 1 as indicated above so as not to give the user the option to log on without the VPN)
3. Make sure they are using the correct domain to log on; once they commence logging on, the VPN will connect and the user will be authenticated on the domain as if they were local, with all resources available, and group policies will be applied to their workstation

I've done this many times on XP and it works great.  I set up the computers to automatically log on to everything so that the user does not have to make any decisions (auto connect to vpn and autologon to domain); of course this is not good security practice but it all depends on your environment.

Good luck, and please reply with your results or other issues
vpn-connection-setup.jpg
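
A read-only check of the setup discussed in this thread (an all-users VPN connection, the RASForce value, and the machine's standing in the domain), as an added example that is not part of the original thread. It assumes the default all-users phonebook location on Windows Vista and later; the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only check on the remote PC.
# Run elevated, after the VPN is connected, so a domain controller is reachable.
$allUsersPbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AllUsersConnection {
    param([string]$Path = $allUsersPbk)
    # Connections created with "allow other people to use this connection"
    # are stored in the all-users phonebook, not the per-user one.
    if (-not (Test-Path $Path)) { return }
    # The phonebook is INI-style: each connection is a [Name] section header.
    Get-Content $Path | ForEach-Object {
        if ($_ -match '^\[(.+)\]\s*$') { $Matches[1] }
    }
}

function Test-PreLogonVpnReadiness {
    $entries = @(Get-AllUsersConnection)

    # RASForce as described in the thread; $null means the value is not set.
    $rasForce = (Get-ItemProperty -Path $winlogon -Name RASForce `
                    -ErrorAction SilentlyContinue).RASForce

    # Verifies the machine account's secure channel with the domain.
    # Fails (reported as False) when no domain controller can be reached.
    try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $channelOk = $false }

    New-Object PSObject -Property @{
        AllUsersConnections = $entries
        SelectableAtLogon   = ($entries.Count -gt 0)
        RASForce            = $rasForce
        SecureChannelOk     = $channelOk
    }
}

Test-PreLogonVpnReadiness | Format-List
```

`SecureChannelOk` is only meaningful while the VPN is up; a False result with the tunnel connected means the computer account needs attention in AD.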

Qlemo C++ Developer Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.