Remote users


Hamins

Hi,

I manage a network that comprises a router connected to a Watchguard X500 firewall, which is connected to 2 Gigabit switches. We have one multi-purpose Windows 2003 Std. server, and around 21 WinXP-based workstations. The Win2k3 server acts as the Domain Controller, DNS & DHCP server, file & print server, etc.

There are around 25 user accounts created in the AD. Each user has his/her own roaming profile that lies on this server. So far all users connect to the network/server from the same office (physical location/site). However, now we have a requirement whereby certain existing users need to access information from the server from any remote location, since they'll be travelling out of town frequently. The users will be provided company laptops.

We have decided that the best way for the remote users to connect to our network would be via VPN. The Watchguard X500 has already been configured to act as the VPN server. It has its own authentication method, and a different set of user accounts. Authentication with the Watchguard VPN server allows access to the network only, and assigns the remote users an IP from the local pool. Something like 192.168.1.... This has nothing to do with domain access. Authentication on the VPN will not authenticate the users with the Win2k3 domain/server.

I would like to know the best way to allow remote users to securely connect to our domain: how to configure the laptops & user accounts to maintain security, configure user profiles, authentication on the domain, file and print sharing, offline access, etc. We want the remote users to be able to access only files/folders for which they have the rights. However, we may not want them to print anything from their laptops or any other computer when working remotely.

Most of the users who'll be accessing the domain/network remotely already have user accounts on the domain, along with roaming profiles. However, we may not want the roaming profile to be downloaded on the laptop when they're working remotely. Is that possible? Or do we create separate accounts for remote users? Would it be better to create local user accounts on the laptops? Would it be advisable to make the users log onto the domain via the standard login screen?

I would like to know how to perform the above tasks. Security is our primary concern. Any suggestions would be welcome.

Thanks...


Most devices have the capability of authenticating to a RADIUS server. I would assume the Watchguard would be one of them.

Or you could set up VPN passthrough on the Watchguard and set up a Microsoft VPN server. Despite what many people believe, Microsoft VPN is pretty secure (as long as your server's role is a VPN server), and you can configure it to be even more secure depending on the configuration path you take. Either way, if you want to easily authenticate users to the domain, just use Microsoft RRAS.

Edited by chilifrei64

Hi Chili,

Thanks for your response. The firewall has already been configured to act as a VPN server and authenticate users for the VPN. However, that authentication is exclusive of the authentication done on the DC. Authentication on the firewall only creates a VPN, allows the remote users access to the physical network, and assigns an IP from the pool.

However, more importantly, I would like to know how to configure the laptops & user accounts to maintain security, configure user profiles, authentication on the domain, file and print sharing, offline access, etc. We want the remote users to be able to access only files/folders for which they have the rights. However, we may not want them to print anything from their laptops or any other computer when working remotely.

Most of the users who'll be accessing the domain/network remotely already have user accounts on the domain, along with roaming profiles. However, we may not want the roaming profile to be downloaded on the laptop when they're working remotely. Is that possible? Or do we create separate accounts for remote users? Would it be better to create local user accounts on the laptops? Would it be advisable to make the users log onto the domain via the standard login screen?

A couple of other things that I did not mention in the first post are:

Surfing the internet while connected to the VPN is noticeably slow. I guess this is because all traffic gets routed through the VPN connection. Does this happen if the "Use default gateway on remote network" option is selected? What would happen if I unchecked that option?

How do I optimize the VPN bandwidth ?

Thanks


Surfing the internet while connected to the VPN is noticeably slow. I guess this is because all traffic gets routed through the VPN connection. Does this happen if the "Use default gateway on remote network" option is selected? What would happen if I unchecked that option?

Yes. If you unchecked that option, all traffic not destined for the VPN network would go out the computer's normal default route. This is not recommended though, because it is a security vulnerability.

If the firewall CAN pass authentication requests to the domain, why not have it do it. It makes things simpler for the user, because it is one less thing they have to remember.

For user profiles and such, I believe you can select an option in group policy to enable slow link detection and not download a profile in that condition.

I am not aware of any way to prevent them from accidentally printing to a printer their user account has access to when remotely connected.

File access will act just the same remotely as it does locally. If permissions are set up correctly, then they can't get access to material they aren't supposed to.

Jim

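The "Use default gateway on remote network" checkbox discussed above is what decides whether a laptop is split-tunnelling. Below is an added example (not from any post in this thread) that audits the Windows RAS phonebook for VPN entries that have the box cleared and switches a named entry back to full tunnelling. Assumptions: the checkbox is stored in rasphone.pbk as `IpPrioritizeRemote=1` (0 = split tunnel), `Type=2` marks a VPN entry, and the phonebook paths at the end are the modern per-user and all-users defaults (XP kept them under "Application Data").

```powershell
# Added example, not from the thread: audit rasphone.pbk entries for split
# tunnelling and repair one. Assumed semantics: IpPrioritizeRemote=1 means
# "Use default gateway on remote network" is ticked; Type=2 is a VPN entry.

function Get-PbkEntries {
    # Parse the INI-style phonebook into a hashtable: section -> key/value.
    param([Parameter(Mandatory)][string]$Path)
    $entries = @{}
    $current = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $entries[$current] = @{}
        }
        elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $entries[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $entries
}

function Test-SplitTunnel {
    # Emit one object per VPN entry. SplitTunnel is $true unless the entry
    # explicitly sends all traffic over the tunnel (missing key = flagged).
    param([Parameter(Mandatory)][string]$Path)
    $entries = Get-PbkEntries -Path $Path
    foreach ($name in $entries.Keys) {
        $e = $entries[$name]
        if ($e['Type'] -ne '2') { continue }   # skip dial-up / other entry types
        [pscustomobject]@{
            Entry       = $name
            SplitTunnel = ($e['IpPrioritizeRemote'] -ne '1')
        }
    }
}

function Set-FullTunnel {
    # Rewrite IpPrioritizeRemote=1 inside the named section only.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Entry)
    $current = $null
    $fixed = foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1] }
        if ($current -eq $Entry -and $line -match '^IpPrioritizeRemote=') {
            'IpPrioritizeRemote=1'
        } else {
            $line
        }
    }
    Set-Content -Path $Path -Value $fixed
}

# Constructed sample phonebook so the audit can be tried offline.
$sample = @"
[Office VPN]
Type=2
IpPrioritizeRemote=0

[Dial-up ISP]
Type=1
IpPrioritizeRemote=1
"@
$pbk = Join-Path ([IO.Path]::GetTempPath()) 'rasphone-sample.pbk'
Set-Content -Path $pbk -Value $sample

Test-SplitTunnel -Path $pbk | Format-Table
Set-FullTunnel -Path $pbk -Entry 'Office VPN'
Test-SplitTunnel -Path $pbk | Format-Table

# Real phonebooks to audit on a laptop (assumed default locations):
#   "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"
#   "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
```

Run the audit against both phonebook locations on each laptop; a user can re-tick or clear the box in the connection's TCP/IP properties, so a client-side check like this is a detective control only. The real enforcement belongs on the VPN gateway (the Watchguard here), which should push a default route or reject clients that are not tunnelling all traffic.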

Would it be advisable to create local user accounts on the laptops, along with local security policies, and then allow the users to access the shares by typing the UNC of the folder/file (\\servername.domainname\folder path), and then authenticating themselves when the "Connect to ...." box appears? Would that be a secure way?


I would suggest having the laptop users use local profiles on their laptops, and configure the router to pass VPN information to an MS VPN server (again, as chili stated, it can be secure; you just have to put a little more effort into making sure the server is secure). This way credentials can be used based on what the user logged on with (i.e. in this case their domain creds), which will allow access to normal network functions and functionality (for mapped drives and home shares you may need a script or batch file to remap those). This really doesn't solve your printing issue. Is there a reason for the roaming profiles with the laptops? Do people go from laptop to laptop, or is each one assigned to a user? If so, roaming profiles don't seem to be the way to go (better to redirect My Documents folders and such to a home share if you want their info saved on a server).

When you create the VPN connection there is overhead with all the encryption that happens. When a remote user makes an internet request while on the VPN, it has to be encrypted, sent through the VPN, decrypted, and passed to the gateway; the gateway retrieves the page, encrypts the data again, and passes it back across the VPN, where it is decrypted by the remote user. That is a much longer process and probably the reason for the delay.


Hi guys,

Once again, thanks for your suggestions.

I think that having the VPN authenticate the remote users before having the Domain Authenticate them provides an extra layer of security.

First the remote user logs onto his laptop using a non-administrative local profile. The local group policy set on the laptop will be applicable. Then he dials into the network using his VPN login ID & password. Once he is authenticated by the VPN server (in this case the Watchguard X500 firewall), he is presented with the usual interactive login screen (Ctrl-Alt-Del screen) through which he logs onto the domain. We're not too keen on the Win2003 Domain Controller acting as the VPN server, since it's already acting as a DNS, DHCP, file and print server.

Ideally, we want the remote users to be authenticated on the domain using their existing accounts. However, we don't want their roaming profile to be downloaded each time they authenticate.

Is the above possible? If yes, is it a good implementation?

Edited by Hamins

Sorry man. For the roaming profiles not to be downloaded to the client on a VPN connection, enable slow link detection in group policy as described in the following link:

http://support.microsoft.com/?id=227260

That will make sure that roaming profiles do not get downloaded.

As for my response, the DC will not have to be the VPN server for this scenario. The firewall will just have to pass the credentials the user specifies and have them authenticated by the DC using IAS. The firewall will still manage the connections, but the domain controllers will authenticate users.

Jim

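The slow-link policy Jim refers to (and the alternative raised earlier in the thread of simply not using roaming profiles on the laptops) lives under Computer Configuration > Administrative Templates > System > User Profiles, which writes to `HKLM\Software\Policies\Microsoft\Windows\System`. The following added example (not from any post in this thread) applies those settings on a laptop and reads them back. The value names are assumed to be the ones from the built-in `system.adm` of that era (`SlowLinkDetectEnabled`, `SlowLinkUIEnabled`, `WaitForRemoteProfile`, `UserProfileMinTransferRate`, `SlowLinkTimeOut`, `LocalProfile`); verify them against the KB article above or the ADM/ADMX on your DC. In production, set them in a GPO linked to the OU holding the laptop computer objects rather than by hand on each machine.

```powershell
# Added example, not from the thread: apply and verify the XP/2003 user-profile
# policies on a laptop. Run elevated. Value names are assumed from system.adm;
# check them against KB 227260 / your ADM before relying on them.

$Key = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Set-LaptopProfilePolicy {
    param(
        # Force local profiles on this machine: the account's roaming profile
        # path is ignored here, so nothing is pulled over the VPN at all.
        [switch]$LocalOnly,
        # Links below this rate (Kbps) are "slow"; the ADM default is 500.
        [int]$MinTransferRateKbps = 500,
        # A ping round-trip above this (ms) also counts as slow; default 120.
        [int]$SlowLinkTimeoutMs = 120
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    $values = @{
        SlowLinkDetectEnabled      = 1                     # keep detection on
        SlowLinkUIEnabled          = 0                     # decide silently, no prompt
        WaitForRemoteProfile       = 0                     # on a slow link use the cached copy
        UserProfileMinTransferRate = $MinTransferRateKbps
        SlowLinkTimeOut            = $SlowLinkTimeoutMs
    }
    if ($LocalOnly) { $values['LocalProfile'] = 1 }        # "Only allow local user profiles"

    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $Key -Name $name -Value $values[$name] `
                         -PropertyType DWord -Force | Out-Null
    }
}

function Get-LaptopProfilePolicy {
    # Absent values mean "not configured", which for detection means enabled.
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalProfilesOnly = [bool]$p.LocalProfile
        SlowLinkDetection = ($p.SlowLinkDetectEnabled -ne 0)
        CachedCopyOnSlow  = ($p.WaitForRemoteProfile -ne 1)
        MinKbps           = $p.UserProfileMinTransferRate
        TimeoutMs         = $p.SlowLinkTimeOut
    }
}

# Usage on a travelling laptop where the profile should never roam:
#   Set-LaptopProfilePolicy -LocalOnly
#   Get-LaptopProfilePolicy
# Usage where roaming is wanted in the office but not over the VPN:
#   Set-LaptopProfilePolicy -MinTransferRateKbps 2000
#   Get-LaptopProfilePolicy
```

Slow-link detection only skips the download when the VPN is measured as slow; a fast broadband tunnel will still pull the roaming profile unless the threshold is raised above the VPN's real throughput. `LocalProfile` is deterministic: the laptop always uses its local profile regardless of the account's roaming path, which matches the "local profiles on the laptops" suggestion earlier in the thread while keeping the existing domain accounts.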
