Archive for the ‘RRAS/VPN’ Category

Windows Phone 8 App for my Blog

I am pleased to announce my Windows Phone 8 Blog app has been published.  As of yet it is not compatible with Windows Phone 8.1 but should be by the time of “official” release.  The app, which is free,  can be downloaded from: http://www.windowsphone.com/en-us/store/app/lan-tech-blog/d0bd5f80-c223-48ae-a13e-a978913198b0   image

RASdial (automate VPN connections)

In the past I wrote a couple of articles explaining how to connect to a business network using a Windows VPN prior to logon, so that domain authentication takes place and group policies and logon scripts are applied.  See:  Win 7 and earlier and Win 8

As pointed out in the articles, this only works for domain joined computers.  It has been brought to my attention that some folks would like to automate the VPN connection process on non domain joined machines.   .

Automate VPN connection – AFTER logon:

Basically you need a one line batch file and add it to the startup folder, but in detail:

  • Open a text editor such as Notepad and enter the lines below, substituting the name of your VPN connection for Acme, and inserting your user name and password

rem   Batch file to establish a VPN connection
rasdial  acme  username  password
exit

    • Substituting  *  (an asterisk)  for the password, will prompt for the password during the connection.  This is more secure as the password is stored in clear text in the batch file.
    • Save the file to a location such as the desktop, but when doing so save using a .bat extension and enclose the name in quotes such as;  “VPN_Connect.bat”.  Notepad will add a txt extension if you do not use the quotes.
    • Saving to the desktop allows the user to double click on the file to establish the VPN connection.
    • If you want to automate the connection add the batch file to the startup folder and it will run after logon to the PC has completed.  The startup folder can be found in the following locations:

XP: Documents and Settings\All Users\Start Menu\ Programs\Startup
Win7:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Deploy Windows VPN using GP Preferences

With the addition of Group Policy Preferences, released with Server 2008 and newer, it is possible to easily and automatically deploy a Windows VPN client to domain joined computers.  You might want to do so for a specific group of computers such as mobile users with notebooks.

  • First, within the Active Directory Users and Computers console, create an OU in which you will place the computers to which you wish to deploy the VPN client. This would normally be a sub-OU of your Computers OU.  For our Example I’ll call it Mobile Computers
  • Next open the Group Policy Management console, locate the OU, right click on it and choose “Create a GPO in this Domain and Link it here”

image

  • Name the new GPO

image

  • Then right click on the new GPO and choose edit

image

  • Browse to Computer configuration | Preferences | Control Panel Settings | right click on Network Options | choose New, VPN Connection

image

  • Group Policy Preferences will allow you to create a PPTP or L2TP/IPSec connection, but not SSTP.  For simplicity this will outline PPTP.  Under the “New VPN properties” you will want to configure as follows:
  • Action: I recommend “Replace”.  If no connection exists on the client it will “Create”  a new one and if you modify your policy, it will automatically replace the existing one.
  • All Users connection.  This is important if the user wants to connect the VPN before logon so that authentication can take place and policies and logon script be applied.  For details see: Connect to a Windows VPN at Logon
  • Connection Name: Can be anything you like and will be displayed under connections on the user’s PC
  • Address: You can enter the IP or check the box “Use DNS name” and enter the public FQDN of your site
  • Icon:  I would also check the box “Show icon in notification area when connected” to allow the user to view the status of the VPN connection

image

  • Next  under Options there are no requirements to configure any features but you may wish to set redial attempts, idle time settings, or other options.
  • Under Security choose Advanced, Use these other protocols, MS-Chap v2, the default protocol used with Server 2008 and newer

image

  • Networking: Automatic is fine, but in a few cases folk have reported they needed to set this to PPTP
  • Nothing needs to be configured under Common
  • Click OK and your new Policy will be complete and appear in the list of Network Options

image

  • The only remaining step is to run GPupdate /force on the client, while connected to the domain, or at some point reboot.

There is one other parameter you may wish to configure.  When you manually create a VPN connection it automatically enables the “Use Remote Default Gateway” option.  This is a security feature that blocks local network access while connected to the corporate network by VPN.  For more information about the default gateway option please see Access local and VPN network Simultaneously .  You cannot configure this within the policy we created above but you can using a different GP Preference and an .ini file.  Peter Frederiksen has explained this nicely in the following TechNet forum: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/f228d2ae-232d-4572-8eee-60252f6d03a3/

There are other ways to automatically create a VPN client:

Windows 8 connect to VPN before logon

Last year I did an article entitled “Connect to a Windows VPN at logon”.  Rather than duplicate, please refer to that article for details, but It has been pointed out the method outlined is not available in Windows 8.  Actually it is but Win 8 by default alters the standard domain logon that was present since Win NT of pressing “Ctrl+Alt+Del”.  Restore that and you will again have the option to connect to a VPN prior to logon so you authenticate to the domain, and have group policy and logon scripts applied.

To re-enable “Ctrl+Alt+Del” either open the Local Security Policy under Control Panel, Administrative Tools, or open the local Group Policy editor by entering in the “Run” box gpedit.msc.  The location of the policy is in pretty much the same location in both, and setting in one will update the other.

  • In the Local Security Policy editor (control panel) it is located under; Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL
  • In the local Group Policy editor (gpedit.msc) it is located under; Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL

The default state of the policy in Win 8 is “Not Defined” which on a domain joined computer effectively results in enabled.  You need to set the policy to disabled which will force the use of “Ctrl+Alt+Del”.   After doing so, I recommend running from an elevated command prompt  gpupdate /force, though it should not be necessary when editing the local policy.  On that note; you can enforce the use of “Ctrl+Alt+Del” domain wide by creating a GPO on your Domain Controller and editing the same policy.

image

Once you do so, and log off, you will see the familiar “Press Ctrl+Alt+Delete to sign in” message in the top left corner of the logon screen.

image

After pressing “Ctrl+Alt+Del” there will be a small network icon in the lower left corner

VPNCapture2

Click on the network icon and you will be presented with any VPN connection created on that computer.  Note these VPN connections must have been created using the “Allow other people to use this connection” option.  This discussion also applies only to domain joined computers.

image

image

Enter you domain credentials, the VPN will connect, authentication to the domain will be processed, and group polices and logon scripts, including your mapped drives, will be pushed to the client.

 

UPDATE:  Should the PC not be domain joined and you wish to automate the VPN connection, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/

Access local and VPN network Simultaneously

There are constantly questions in various forums; “how do I maintain internet access through my local router while connected to a VPN”, or “ how do I access my local TCP/IP printer while connected to a VPN”.  It is pretty basic but for those that don’t understand I thought I would address this in a blog so that in future I can just provide a pointer.

There is a security feature in almost all VPN configurations that blocks all local network connections while connected to the corporate network, via a VPN.  This is to provide some degree of security by preventing someone with malicious intent from reaching the corporate server using your PC/Laptop as a stepping stone.   It basically isolates your device from the world around you so that Johnny playing video games in the next room cannot route traffic through your PC to the corporate site.  Or, consider an Internet Cafe’ where you are on the same local network as total strangers.   Either through the shared Wi-Fi connection, or even an “Ad Hoc” wireless connection, the person at the next table could conceivably route packets through your wireless device directly to head office.  Granted, there are many security features in place, or at least there should be, such as firewalls and NTFS security permissions to protect your corporate data, similar to the security corridor from the 60’s & 70’s TV show Get Smart, but the more of these doors left open, the easier it is for hackers.  Everything can be hacked.  If you don’t believe me have a look at the following Ted Talks video by Avi Rubin; “All your devices can be hacked”.

In order to simultaneously access the local and remote VPN network you need to enable a feature called split-tunneling.  Due the security reasons outlined above, I do not recommend enabling this, however in some cases it is necessary or perhaps you just wanted to know why.  If you have an Enterprise VPN solution such as Cisco, Watchguard, Sonicwall, or others, as an end user cannot enable split-tunneling.  It is managed by the VPN appliance and will require the administrator to configure and enable if they see a need to do so.   However if you are using a Windows VPN client you can edit the configuration to allow split-tunneling.  To do so open Control Panel, select Network and Sharing Center, and then choose “Change Adapter Settings”.   This will work on XP and earlier clients as well but the path to the adapters is slightly different.  Locate the VPN/PPP adapter, right click on it and choose properties.  In the resulting window select Networking, highlight Internet Protocol Version 4 (TCP/IPv4) and click properties, click Advanced, and in the resulting window un-check “Use Default Gateway on remote network.  When checked, its default state, it forces all traffic through the remote site.  Un-checking allows access to the local network and gateway.

image

Again remember this is a security feature and should not be reconfigured unless necessary and you are aware of the risks.

Configure Siemens SE567 router to allow VPN access

 

I have been asked a few of times how to configure a BellAliant Siemens SE567 router / modem to allow VPN access to a server, using PPTP.

When accessing a PPTP VPN server through a router, three primary conditions must exist.  Numbers 1 and 2 we can configure, 3 is dependent on your ISP.

  1. The router must be configured to  forward PPTP traffic to the VPN (RRAS) server using port 1723
  2. The router must be configured to allow GRE traffic (Generic Routing Encapsulation).   GRE  like, TCP and UDP, is a protocol.  GRE is protocol 47, not port 47 which is often incorrectly documented.  GRE is not really forwarded like services, but rather enabled.
  3. The ISP must allow PPTP/GRE traffic.  A few ISP’s intentionally block PPTP/GRE traffic.

GRE is enabled in different ways on different routers. Some have an option “Enable PPTP pass-through” others you forward the PPTP service which includes port 1723 and enabling GRE, and still others require specific commands.  The Siemens SE567 requires two rules, one for PPTP and one for GRE.  Generally Bell Aliant does not block this traffic.

Log into the Seimens unit and click “Advanced” at the top, then “Applications” on the left, followed by “Port Mapping Setup” in the menu.

image

First select the application “PPTP” and in the “redirect selected protocol/application to IP Address” box put the IP address of the server, in this case 192.168.2.20, and click “Apply.”

image

Next in the protocol box select GRE and again in the “redirect selected protocol/application to IP Address” box put the IP address of the server.

image

Done !

image

Note:  the other ports shown in the example, 443 and SMTP/25, are unrelated to the PPTP VPN and just there to show other service configurations.

How to join a Windows Domain using a VPN

There may be occasions where you need to join an off-site computer to an existing domain at a remote office.  Most often this would be in a situation such as a satellite office which is part of a larger corporate network and there is a site-to-site VPN in place.  Though a site-to-site VPN is by far the easiest way to join, it can be done using a Windows VPN client, which will be discussed further on in this article.  The primary problem encountered when joining the domain is DNS, but this is easily dealt with.

Joining the domain using a site-to-site VPN

  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Configure the connecting PC’s network adapter either statically or through DHCP to point ONLY to the domain controller at the corporate office for DNS.  Do not add an alternate external DNS server such as an ISP or router as these will often respond first and name resolution will fail.
  • In the NIC configuration, under Internet Protocol Version 4 (TCP/IPv4) properties, click advanced, and under the DNS tab insert the corporate internal DNS suffix, such as CompanyDomain.local in the box entitled “DNS suffix for this connection”
  • image
  • Then join the domain using the traditional method of Computer (formerly My Computer) | Properties | Change Settings |  Change | enter the internal domain name | click OK | and you should be prompted for credentials for an account authorized to do so, a Domain Admin account.  If the Domain Controller is a version of Small Business Server the SBS option to use  http://SBSname/connectcomputer  or http://connect most often will not work.  (more detail and screen shots for the joining the domain process can be found below in the using a VPN client section).
  • If you wish to simultaneously import an existing local user profile, you can use ProfWiz as outlined in the following link which will both join the domain and move the profile. Though the article references SBS, it can be used with any Windows Server Version.  https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/

Joining the domain using a Windows VPN client

Joining a domain using a VPN client is a little more involved, but not complicated. This method may work with other VPN clients, so long as they have the option to connect to the VPN before logon, but this explanation uses only the Windows built-in VPN client.  Without the ability to connect before logon, there is very little advantage even if you can join the domain, as you would not actually be authenticating to the domain.  I will assume the server end, RRAS, is configured and working for VPN client connections.

  • Log on to the PC you wish to join the domain with a local administrator account
  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Establish a VPN connection.  If not familiar with doing so:
    • From the network and sharing center choose “Set up a new connection or Network”
    • Select “Connect to a workplace”
    • Choose “Use my Internet connection (VPN)”
    • Enter the public facing FQDN of the corporate VPN server such as VPNserver.MyDomain.com and enter a friendly name for the connection, anything you like.  It is also very important to check the box “Allow other people to use this connection” as you will soon have a domain account which will require access to this VPN connection.
    • image
    • Enter a User name, which ideally is the user that will be using the connection once joined to the domain, but can be any user name that is authorized to connect to the corporate network via VPN.  If you use a name other than the ultimate user of the PC they will simply have to change the user name during in the connection wizard, the first time they try to connect.  Enter the password and choose connect.  For security reasons I don’t recommend checking “Remember this password”.
    • image
    • If prompted for a network type after connecting, choose “Work Network”.

  image

  • Presumably you were able to establish a connection.  However while connected if you did an NSlookup from a command line for the server name, you will see it fails. Try an NSlookup for the FQDN of the server, and it will succeed.  Thus, we need to configure DNS for the VPN clientbefore proceeding.
    • image
    • Disconnect the VPN client
    • In the network connections window right click on the VPN/PPP connection and choose properties | Networking tab | highlight Internet Protocol Version 4 (TCP/IPv4) and choose properties | Advanced | DNS tab | and enter the IP of the corporate DNS server under DNS server addresses and the internal domain suffix such as MyDomain.local in the “DNS suffix for this connection box.  If admins need to connect to the remote client PC for administration by name check the box “register this connection’s address in DNS” but I would discourage this as the IP can change frequently and cause issues.  Also on the “IP Settings” tab leave the option “Use default gateway on remote network” checked, at least for now, so that all traffic is forced to the corporate network while the VPN is connected.
    • image
  • Now you can try joining the domain
    • Connect the VPN client
    • Right click on “Computer” (formerly My Computer) and choose properties.
    • In the resulting window select “Change Settings”
    • image
    • Slect “Change” again
    • image
    • Enter the corporate internal Domain name, such as MyDomain.local in the Domain box and click OK
    • image
    • You will be prompted for a domain account with privileges to join a PC to the domain, a Domain Admin.  Enter it and the password and you should receive a message advising you have been joined to the domain.  Be patient it takes a little longer as this is a slow link compared to the LAN.
    • image
    • You now need to reboot the connecting PC.
  • In order to authenticate to the corporate network at logon and work as if on the corporate LAN, you need to connect the VPN before logging on to the PC.  When the PC reboots press Ctrl+Alt+Delete as you normally would, and then choose  “Switch User”
    • image
    • You will then be presented with a new option, a little blue icon in the lower right corner.
    • image
    • Clicking this allows you to choose to connect to the corporate network, by using the VPN.  After entering your credentials you will see the familiar VPN connection automatically start, it will connect, and you will be authenticated to the domain.
    • image
    • Logon is a little slower of course due to the slow link, and the first time you connect it will have to set up the local domain profile.  If you make use of redirected my documents, offline files, or have a lot of group policies logon can take a very long time while they apply and sync.  If logon is too slow, you may want to review options available to the remote user.  You will note that if you now try nslookup <servername> works as it should.

Note:  If connecting from Windows 8, please see the following updated article:  https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/

 

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection. The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:
  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed
Server 2003 / SBS 2003 / SBS 2003 R2:
  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

 

Toast For Our Tables

Connect to Windows VPN at Logon

The internet is littered with questions about VPN connection and authentication issues as a result of using cached credentials.

  • How can I automatically connect my Windows VPN at start up?
  • Why do I have to re-enter my user credentials when connecting my corporate VPN?
  • How do I get Group Policy to apply to VPN connected users?
  • How do I use my work domain user account when I work from home using a VPN?
  • Why won’t my logon script run when connecting by VPN?

You can connect from any PC using a VPN, but in most cases you do so after having logged onto the PC first. If this is a “domain joined” corporate PC, when you logon without the domain controller present, you are not authenticating to the domain but rather using the credentials cached on the local computer from a previous logon.  As a result Group Policy cannot be updated, logon scripts are not applied, and most often you have to re-enter your user credentials when you do choose to connect to the office via VPN.

It is possible to connect to the VPN at logon resulting in an experience similar to that of the office, except of course for the reduced file transfer speed,  However, there are few conditions that must be met to do so:

  1. This applies only to the Windows VPN client. Newer Cisco VPN clients and a few others do offer methods to connect the VPN before logon, but they use different processes.
  2. The computer must be a member of the domain, and therefore Pro, Ultimate, or Enterprise versions of the operating system.  At logon you will be providing domain credentials which are automatically passed to the local logon, thus they must be the same.  Using the same username and password is not enough as logon credentials include domain or computer names.  Domain\JDoe is not the same as LocalPCname\JDoe.  If the computer is not already a member of the domain, it is possible to join a remote domain using the VPN connection.  To do so please see:  https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/
  3. Should the PC not be domain joined and you wish to automate the VPN connection, after logon, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
  4. When you create the VPN connection you must check the box “allow other people to use this connection”.

image

Having met these conditions, at logon there is now an option to connect using the VPN during logon.

Windows Vista and Windows 7:

At logon select “Switch User” and a new blue icon will appear in the lower right next to the familiar red Shut Down icon.

image

Clicking the icon will allow you to use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows XP:

At logon after pressing ctrl+alt+del, if you click the “Options” button there will new be a check box “Logon using Dial-up connection” which will use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows 8:

Please see the more recent post to enable on a Win 8 PC

Slow Links:

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection.  The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed

Server 2003 / SBS 2003 / SBS 2003 R2:

  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Client Deployment:

Network administrators may also want to considered creating a deployable VPN client for consistency, security, and with a company logo.  An earlier post outlines how to do so in detail:

https://blog.lan-tech.ca/2012/01/30/windows-vpn-client-deployment/

Hosts and LMHosts files

Though rare, there still is an occational need or advantage to using Hosts and LMHosts files.  Though simple text files, the syntax used is critical.  The following is a repost from an older blog of mine.  I have done so in hopes that it may be helpful to some folk, and also it will be useful in and upcoming post regarding Hyper-V configuration and management.

There are two files in the %systemroot%\system32\drivers\etc directory that can be used for name resolution. The Hosts file, used for DNS name resolution, and the LMHosts.sam file used for NetBIOS name resolution. In an age where DNS dominates your network both locally and throughout the Internet, these two files are seldom ever used, but they can be very useful in a few situations. Both are simple text files that match names to IP addresses, and are very easy to create and implement. Most people are familiar with these files, but are often frustrated when they do not work as expected. This is usually due to the fact that they have some very simple, but specific requirements, for them to work at all.

LMHosts (NetBIOS names):

The primary use today for an LMHosts file, is for name resolution over a VPN. If DNS is configured on the host and client machines there should be no need of static text files for resolving names, but it does work well, and many folks uses them as a dependable simple solution. The catch is there are a few gotcha’s you need to be aware of:

  • The LMHosts file in it’s default form, is named lmhosts.sam The .sam represents sample. If you are planning on using this file it needs to be saved without a file extension – lmhosts. Be careful if using a text editor like NotePad as it will add a .txt file extension to the name. The safest method is to save the file using quotes, “lmhosts” to assure no extensions are added.
  • Text following a # in the LMHosts file is a comment and can be ignored or deleted.
  • A typical entry would look like:

192.168.100.101 COMPUTERNAME #PRE #my notes

  • When making a new entry you must hit enter at the end of the line, which adds a “carriage return”
  • Use the Tab key between items in each line rather than spaces (recommended but not necessary), but there must be a space.
  • Though it is not needed, adding the #PRE parameter or extension will load the entry into the local NetBIOS name cache when the computer boots. This allows for a slightly faster resolving of the name, before it has been added to the cache.
  • Most entries such as #PRE, #DOM, DOMAIN names and such are case sensitive. Always use uppercase to be safe.
  • It is a good idea to add the domain name as well. This requires two lines, and uses extremely critical formatting. A sample would be:

192.168.100.10 DCNAME #PRE #DOM:YOUR-DOMAIN
192.168.100.10 “YOUR-DOMAIN x1b” #PRE

There must be exactly 20 characters, including spaces, between the quotes in “YOUR-DOMAIN x1b”, and the spaces need to be between the domain name and the x1b. The domain name used is the NetBIOS name, not the FQDN. If your domain name exceeds 15 characters, you must truncate it at the 15th character, it will still work.

If you find this last step tedious, the University Of Sait Louis has a little Java script that will create these two lines for you: http://bflinux.slu.edu/LSI/tools/lmhosts.html

Hosts (DNS names):

The Hosts file today seems to be more used for blocking unwanted web sites. This is done by simply entering the website address and substituting the IP address with the localhost IP address such as:

127.0.0.1 www.unwantedsite.com#advertising site

There are subscription services that will actually update your Hosts file, according to a schedule, with a list of known unwanted sites.

Another handy use of the Hosts file is to create abbreviations for your own use. For example quick access to a website like Google can be achieved adding an abbreviation like ‘G”, or your firewall with ‘F”, or I frequently uses it for accessing client sites with remote desktop using 3 letter acronyms such as ACL for Acme Corp Ltd. :

64.233.187.99 G #Google

192.168.100.254 F #my firewall

123.123.123.123 ACL #Acme Corp Ltd

Most of the rules that apply to the LMHosts file, apply to the Hosts file as well:

  • The Hosts file already has no file extension, so there is no need to change it like the LMHosts file. Just be careful when editing you don’t accidentally add one such as .txt when using NotePad or a similar editor.
  • Text following a # in the Hosts file is a comment, and can be ignored or deleted
  • A typical entry would look like:

123.123.123.123 ftp.acme.com#company FTP site

  • When making a new entry you must hit enter at the end of the line, which adds a “carriage return”
  • Use the Tab key between items in each line rather than spaces (recommended but not necessary), but there must be a space.

Keep in mind when editing these files you can run into conflicts, or ineffective changes if you do not reboot or purge the local name caches. To clear the NetBIOS cache ( and PREload), at a command line enter (R is case sensitive):

nbtstat -R

To clear the DNS cache, at a command line enter:

ipconfig /flushdns

For the record, the Hosts file can also be used for IPv6 addressing. Vista for example includes the IPV6 localhost entry, by default:

::1 localhost

Windows VPN Client Deployment

      subtitled: What happened to the SBS Connection Manager?

VPN name resolution is a common problem for many IT folk.  I have addressed in in previous blogs by manually configuring the VPN client to point to the corporate server for DNS, and adding the corporate domain suffix.  This is not practical as it has to be done on every computer on which the VPN client was configured.

Small Business Server 2003 had a very nice little wizard that would create a deployable VPN client called “Connection Manager” which contained server connection information and allowed for proper name resolution over the VPN.  Though the missing feature from subsequent SBS versions inspired this article, it can be used to create a deployable VPN client for any Windows Server.  The SBS wizard basically ran a mini version of a standard Windows tool called CMAK.

Firstly you need to install CMAK, the Connection Manager Administration Kit.  To do so, on a 2008 or newer server, open Server Manager under Administrative Tools, choose Features, and Add Features.  In the features wizard choose Connection Manager Administration Kit, and complete the wizard.

image

Though there are many configurable options and features that can be added with CMAK, for the purposes of this article only the basics will be configured to allow for VPN name resolution, automatic installation, and to try to replicate the old SBS 2003 Connection Manager experience.  One of the additional advantages of the Connection Manager Client is it limits the options with which the client can “tinker”, thus reducing support calls and increasing security.

In this example CMAK is being run on a 64bit machine. The deployable VPN client created can only be used on other 64bit machines. If you need to deploy on a 32bit machine you will need to install and run CMAK on a 32bit computer/server.  CMAK may not available from the built-in windows options on older operating systems.  If so, it can be downloaded as part of the Windows Server 2003 Administration Tools Pack (32bit) http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16770

Start The Connection Manager Administration Wizard from Administrative Tools, accept the UAC warning, click next, and select the O/S on which the client will be deployed, remembering the above warning about 32/64 bit.

image

Select New Profile,

image

Enter a ‘Friendly’ name for the connection and a file name (<9 characters) for the deployment package.

image

Rather than cluttering this post with unnecessary images, accept the defaults on the next two pages, “do not add a realm name to the user name” and leave the merge profiles boxes empty. In the next window, as per the image below, check Phone book from this profile, always use the same VPN server, and insert the public FQDN or IP of the VPN server.

image

Next highlight your new connection and choose edit.  Under General select Only IPv4 addresses.  If you like, for added security you can disable file and printer sharing, which blocks access to shares on the connecting client’s computer while connected to the VPN.

image

Under IPv4 add the internal IP for your corporate DNS server.  If you have multiple corporate DNS servers you can add a second, and if you have WINS servers you can add those as well.  Do not add public DNS servers here.  I recommend checking “Make this connection the client’s default gateway” (disabling split-tunneling) which blocks access to to the client’s local LAN while connected to the VPN.  By doing so Internet access is actually made via the VPN, rather than through the local router.  One reason you may need to un-check this is it also blocks access to a local networked printer, i.e. one that is not physically attached to the connecting computer.  Leave “Use IP Header compression” checked.  Note that in a user created VPN client using the tools built into a Windows PC, the “default gateway” option can be changed.  When created with CMAK it cannot be changed.  This is intentional for security reasons.  Split-tunneling, allowing the client simultaneous local and remote network access, is considered a security risk.

image

Under security you can leave the defaults or change to “Only use Point to Point Tunneling Protocol (PPTP)”.  If you are connecting to an old server it may also be necessary to also check CHAP authentication, but this is less secure than MS-CHAP v2, so only do so if absolutely necessary.  All 2008 and newer servers use MS-CHAP v2 by default.

image

Under advanced add the internal corporate domain suffix.  Check “Register this connection’s DNS address in DNS” if for some reason LAN clients need to resolve the name of the remote computer.  I recommend not doing so if not needed as it adds unnecessary entries to DNS that may not be cleaned up if DNS scavenging is not properly configured.  Select OK, Next, and move on to the next window.

image

We are not using “phone books” so uncheck “Automatically download phone book updates”

image

From here accept all defaults in the next 4 windows; Configure Dial-up Networking, Specify Routing Tables, Configure Proxy Settings, and Add Custom Actions.

Note: it is assumed the server VPN configuration is basic, assigning IP’s in the same subnet for VPN clients as LAN clients, which is typical of SBS.  However, if the VPN clients are assigned addresses outside of the LAN subnet, and you want to access resources on the corporate LAN other than the VPN server, you will need to add a routing table file, on the “Specify Routing Tables” page, to have the route pushed out to VPN clients.

Though not necessary at all you may want to add a custom graphic or logo to the connection client. This is done on the “Display Custom Logon Bitmap” page followed by the ability to add a custom graphic in the phone book (list of connections), and on the 3rd related page you can choose to use  custom Icon for the deployed VPN connection.

Leave the “Include Custom Help File” as default, and under “Display Custom Support Information”.  You may want to add contact information. This is displayed on the VPN connection client where they enter their user name and password, when trying to establish a connection.

image

Accept the defaults in the remaining windows; “Display a Custom License agreement” and “Install Additional Files…”.  In the final Window “Build the Connection Manager Profile and its Installation Program” leave Advanced uncheck, and assuming you do not wish to make any changes, click Next, and Finished.  The deployable package will be saved in a folder named profiles in the CMAK folder, the default location being: C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\   You only need to copy the .exe file to the client computer, in this case AcmePkg.exe

image

To configure the client, simply double click on the .exe file.  You will be prompted if you want the client to be available to all users or just the current user.

image

Click OK, and wizard will complete, add a connection icon to the desktop, add the connection to task bar network icon………

image

…….and launch the VPN client.

If you wish to connect enter the user name of a member of your VPN User group, their password, and internal domain name.  The domain name does not have to be present just to connect to the VPN, but in most cases if the PC is not domain joined, it needs to be there to access files using server names, rather than IP’s.

image

You should now have access to resources on the remote server, assuming the VPN at the server end is properly configured, and you have the appropriate Share and NTFS/Security permissions on the server to do so.

If needed, I have bloged in the past about configuring the VPN server.

Configuring a Windows SBS 2003 as a RRAS/VPN Server

SBS 2011 Essentials – Configuring VPN access

Configuring a Windows 2003 RRAS/VPN Server with 1 network adapter

Tag Cloud