Group Policy Updates when connected to VPN

I have a WatchGuard M370 Firebox with L2TP and IPSec. My users log in to the Firebox and then to a terminal server or, in some cases, their desktops. It's basically a two-factor system: they log in to the Firebox and then to the server, and I want to keep that.

I have a bunch of users who take home laptops and work at home, and I'm wondering if there's a way to have my Group Policy enforced while they are on VPN. My VPN is a DMZ, so it's not actually part of the network; however, if you type an IP address, chances are you'll get where you need to go. So, for example, my home users connect to a terminal server in the DMZ. They are using laptops we created here, but if they are not acknowledged on the domain after 60 days I'm having to put them back on the domain because the trust relationship fails. I want to try to avoid this. Is there a way to do it?
Jason Zondag, Senior Managed Services Specialist

Commented:
The only solution I've ever seen for this would be to log in to the client VPN before logging in to the workstation. Some VPN clients support this (Cisco, SonicWall) on some OSes.

Group Policies are often applied when the user logs in, but if the user is already logged in then the policies will not apply.  The same with cached credentials - they can't update if the user is already logged in - the workstation has to validate directly against AD before caching updated credentials.

Otherwise only Branch/Site to Site VPN connectivity would keep the PC 'active' on the corporate AD.

See if your WatchGuard VPN will support this feature - otherwise you may need to look for a different alternative.
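As an added example (not from the thread or from WatchGuard), here is a PowerShell script a domain admin can have users run on the laptop once the L2TP/IPSec client VPN is up. It checks that a domain controller is reachable through the tunnel, tests the machine-account secure channel (the "trust relationship" that fails after the laptop has been away too long), repairs it only when it is broken, and then triggers a background Group Policy refresh. It assumes the DMZ firewall lets the laptop reach the DCs on the ports Group Policy needs; $DomainName and the log path are placeholders.

```powershell
# Added example, not the thread's own code. Run from an elevated PowerShell
# prompt on the domain-joined laptop after the VPN tunnel is connected.
# Assumptions: DC ports (Kerberos, LDAP, SMB, RPC) are permitted from the
# VPN/DMZ subnet; $DomainName is a placeholder for your AD domain.
param(
    [string]$DomainName = "corp.example.com",                  # placeholder
    [string]$LogPath    = "$env:ProgramData\vpn-gp-refresh.log"  # placeholder
)

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# 1. Can the laptop locate a DC at all? nltest ships with Windows.
$dcInfo = nltest /dsgetdc:$DomainName 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Log "No DC reachable for $DomainName. Is the VPN up, and are DC ports allowed through the DMZ?"
    exit 1
}
Write-Log ("DC located: " + (($dcInfo | Select-String 'DC:') -join ' '))

# 2. Verify the secure channel. When this returns $false you get the
#    "trust relationship between this workstation and the primary domain
#    failed" error at the next logon.
if (Test-ComputerSecureChannel) {
    Write-Log "Secure channel OK; machine account password is current."
} else {
    Write-Log "Secure channel broken; attempting repair (needs an account allowed to reset this computer object)."
    $cred = Get-Credential -Message "Domain account permitted to reset this computer's password"
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Log "Secure channel repaired; no domain re-join needed."
    } else {
        Write-Log "Repair failed; the laptop will have to be re-joined to the domain."
        exit 2
    }
}

# 3. Background refresh of computer and user policy. Foreground-only
#    settings (software installation, folder redirection, logon scripts)
#    still wait for the next logon with a DC reachable.
gpupdate /target:computer /force | Out-Null
gpupdate /target:user /force | Out-Null
Write-Log "gpupdate finished; check with 'gpresult /r' if something still looks unapplied."
```

Running this from a scheduled task that fires on the VPN adapter's connect event, rather than by hand, keeps the machine account password rotating on schedule even for users who never log off.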

Author

Commented:
Perhaps a different alternative. I can't do a branch/site-to-site because it's different users in different spots. I was hoping there was some way I could force the policies once the user logged in.
Distinguished Expert 2018

Commented:
See the first part of Jason's advice. That is what is applicable in your particular instance.

And since you're using IPSec, it looks like it is doable. However, it does look to be a bit of a pain and I don't see most users following this: http://customers.watchguard.com/articles/Article/Connect-the-IPSec-VPN-client-before-Windows-login/?l=en_US&fs=RelatedArticle
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2018

Commented: