
Remote users


Hamins


Hi Jim,

Thanks for your help and suggestions.

IAS? Do you mean ISA? If yes, then we have not implemented ISA.

Also, how is a slow link determined by the server? What if the user logs in through a 1 Mbps line?

Also, if the user accesses the internet (surfing, emails etc.) after logging onto our network via VPN, does he/she utilize our internet bandwidth too?



IAS ?
Internet Authentication Service

"Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. This page includes links to resources about IAS in Windows Server 2003."

Also, how is a slow link determined by the server? What if the user logs in through a 1 Mbps line?

Determining slow link speed

This is based on Windows 2000; I was not able to find a corresponding 2003 article, so I am not sure if it has changed or not.

Also, if the user accesses the internet (surfing, emails etc.) after logging onto our network via VPN, does he/she utilize our internet bandwidth too?

Correct. If the user is VPN'd through to your server, they are using your internal bandwidth for internet requests.

Edited by fizban2

Hi,

Thanks to all you guys for your help. I probably sound like a lame sysadmin. That's because I've only started working on a live Windows server platform in the past 4-5 months or so.

Fizban2, I checked out the links. They're quite useful.

A few more questions:

How do I make sure that the remote users can log into our network & domain only from the laptop provided by the company, and no other PC? What would be the different methods of doing this at no extra cost?

Also, once the user gains access to our physical network by authenticating on the VPN server (which is also the WatchGuard firewall), how do I present him with the login screen for access to the domain?

Edited by Hamins

Sorry man.

The only way I can think of to make sure they only use the company's laptop and no other machine is to use certificates for validation as well. This may not be true, because certificates are not my strong point.

One, I am unaware of any way to automatically make the users log in to the domain when the WatchGuard VPN is established, because the Windows logon process takes place at the Ctrl+Alt+Del screen.

Jim


Thanks to all you guys for your help. I probably sound like a lame sysadmin. That's because I've only started working on a live Windows server platform in the past 4-5 months or so.

No biggie, you are doing the right thing and trying to learn more about your job; that is what forums are for. And don't worry ;) some of us aren't admins anyway.

How do I make sure that the remote users can log into our network & domain only from the laptop provided by the company, and no other PC? What would be the different methods of doing this at no extra cost?

In this case you have the WatchGuard firewall, which I am not too familiar with, but I will assume either you use a VPN client that is installed on the laptops, or you use the VPN that is built into Windows. In either case, depending on the level of security that you want to use (IPsec is my suggestion; not sure if the WatchGuard has this available, but it should), your computing policy should state at some point that only company computers can connect to the network, based on the fact that you cannot control and manage home/personal computers so that they comply with your network standards (i.e. patch levels, OS versions, antivirus deployment and management etc.).

Also, once the user gains access to our physical network by authenticating on the VPN server (which is also the WatchGuard firewall), how do I present him with the login screen for access to the domain?

This is where the local profile on the laptop comes into play. By having the users use local profiles on the laptops, they effectively cache their profile and logon for the domain on the laptop. This will allow them to log onto their domain account even while not on the domain; at this point they can connect to the VPN and then become connected to the domain. Since they logged into their laptop with their domain credentials already, once they have logged onto the domain they have effectively connected and authenticated to the domain. There are several downfalls to this method. Password synchronization becomes an issue (the cached password and the AD password become unsynced; one is different than the other, or at least AD thinks so); not so hard to fix. GPOs and logon scripts will not fire like when a user normally logs on to the domain, since that time has passed. If you are using a logon script, there should be a place to fire that off after they are connected to the VPN. If all that the users need are some drives mapped, then a simple batch file should suffice. If you want to get fancy, a logon script would be the way to go.


This is where the local profile on the laptop comes into play. By having the users use local profiles on the laptops, they effectively cache their profile and logon for the domain on the laptop. This will allow them to log onto their domain account even while not on the domain; at this point they can connect to the VPN and then become connected to the domain. Since they logged into their laptop with their domain credentials already, once they have logged onto the domain they have effectively connected and authenticated to the domain. There are several downfalls to this method. Password synchronization becomes an issue (the cached password and the AD password become unsynced; one is different than the other, or at least AD thinks so); not so hard to fix. GPOs and logon scripts will not fire like when a user normally logs on to the domain, since that time has passed. If you are using a logon script, there should be a place to fire that off after they are connected to the VPN. If all that the users need are some drives mapped, then a simple batch file should suffice. If you want to get fancy, a logon script would be the way to go.

Hi Fizban,

I don't understand. If they log onto the laptop locally, how can they be logged on with the domain credentials already? Can you explain the whole thing in a better way?

Thanks


By logging onto the domain once with the laptop, with a computer-local domain account, you create a local cache of user information that goes with the laptop. Try this with a laptop: join it to the domain and then log on with your account, or an account that will create a local profile on the PC. Make sure that you can connect to some network resource and that network access seems to be good. Log off the domain and unplug your network cable; now try logging onto the domain. You should be able to log onto the laptop with the domain account while not on the network. By logging on this way and then logging onto the VPN, the user will use their network credentials when trying to hit network resources (Exchange, web pages, SharePoint pages, etc.). Again I will state that there are downfalls, as I posted above, but for a roaming user it is very nice to be able to work on their profile while on the road and not have to worry about downloading/updating their profile to the network each time. Let me know if this helps; I can try and work out a scenario if needed.

This is how caching works. It can be configured under GPO, so you can push it out to all your users, or to maybe just an OU of remote users. I would recommend setting it to remember just the last logon, which should be the user of the laptop. That way you don't have to worry about how many different people logged on to a laptop and can now still log on to it with their domain credentials.

Interactive logon: Number of previous logons to cache (in case domain controller is not available).

This policy setting is found under:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Edited by fizban2

Hi Fizban,

Thanks for the help, m8.

Ok, now I understand what you're trying to say. Is there any way to sync the passwords? Will this synchronisation scenario arise only if the password changes, either on the main AD or the profile on the laptop? Is there any way to sync the passwords?

Also, the caching should be enabled in the GPO of the Domain, and not the local GPO of the laptop, right ?

Another thing is .... what if the remote user logs off while connected remotely via VPN ? I ask this cause usually when a user logs off the domain the local user-profile is synced with the user's roaming profile on the server. So, if the user logs off the domain while still being connected to the VPN, will the profiles be synced over the internet ?

Based on what you suggested, here's what I am gonna do:

(1) Change the GPO (on the domain or the laptop) to allow caching of logins.

(2) Join the laptops to the domain.

(3) Let the user log onto the laptop with his/her domain account, so that the roaming profile is loaded onto the laptop.

(4) Disconnect the laptop from the network.

(5) Check whether the user can log onto the laptop with the domain profile.

Are the above steps correct? If yes, should I let the laptop still be a member of the domain, or should I change the MEMBER OF setting on the laptop back to WORKGROUP?

Sorry for the gazillion questions.

Thanks, once again.


Sorry, away for the weekend.

Issue at #3: going this route means that you will not be able to use roaming profiles anymore. Local profiles will be used; the roaming profiles are too hard to update over the wire and do not afford any real advantages for traveling users. If there are features of it that your users like, find out what those are and we can see if there is any way to recreate those features with the local profile. Everything else looks good. You will want to leave the laptop in the domain, since the users will log on to the laptop with their domain creds.


Yes, I understand the issue with the roaming profiles. However, I just mentioned this step because you told me to do so:

By logging onto the domain once with the laptop, with a computer-local domain account, you create a local cache of user information that goes with the laptop. Try this with a laptop: join it to the domain and then log on with your account, or an account that will create a local profile on the PC. Make sure that you can connect to some network resource and that network access seems to be good. Log off the domain and unplug your network cable; now try logging onto the domain. You should be able to log onto the laptop with the domain account while not on the network. By logging on this way and then logging onto the VPN, the user will use their network credentials when trying to hit network resources (Exchange, web pages, SharePoint pages, etc.)

Also, where should I make the GPO changes, on the DC or on the local laptop?


Ahh, I understand now, sorry for the confusion.

Let's see if I can be clearer.

You will need a user account that is not attached to a roaming profile, so that when you log on to the laptop a local profile is created. You will have to set the domain GPO to apply this:

Interactive logon: Number of previous logons to cache (in case domain controller is not available).

This policy setting is found under:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

If you want to set it on the laptop first as a local policy to test, you can do that also.
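As an added example (not from any poster in this thread), here is a PowerShell script for the "test it on the laptop first as a local policy" step above, which also serves the earlier post recommending that the cache remember just the last logon. It assumes that the "Interactive logon: Number of previous logons to cache" setting is backed by the REG_SZ value CachedLogonsCount under the Winlogon key (Windows default 10), and that the script is run from an elevated prompt on the laptop.

```powershell
# Added example, not part of the original thread. Audits the cached-logon count on this
# laptop and, with -Apply, sets it to the value the thread suggests (1 = last logon only).
# Assumption: the policy "Interactive logon: Number of previous logons to cache" maps to
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (REG_SZ).
param(
    [ValidateRange(0, 50)]
    [int]$DesiredCount = 1,     # 0 disables cached domain logons entirely
    [switch]$Apply
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Missing value means Windows is using its built-in default of 10.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.$name
}

$current = Get-CachedLogonsCount
Write-Host "Current $name = $current (default 10; 0 disables cached logons)"

if (-not $Apply) {
    if ($current -eq $DesiredCount) {
        Write-Host "Already at the desired value ($DesiredCount); nothing to do."
    } else {
        Write-Host "Would change $name from $current to $DesiredCount. Re-run with -Apply."
    }
    return
}

# Writing under HKLM needs an elevated session; the value is REG_SZ, so store it as a string.
Set-ItemProperty -Path $key -Name $name -Value ([string]$DesiredCount) -Type String
Write-Host "Set $name to $DesiredCount."
Write-Host "Note: once the laptop is domain-joined, a domain GPO with this setting overrides the local value at the next policy refresh."
```

Check the result in the same way the thread describes: log on once while connected, unplug the cable, and confirm the domain account can still log on.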


Hi Fizban,

Here's what I finally did ....

(1) I did not attach the laptop to the domain.

(2) Created a local limited user account for the user who's going to use the laptop.

(3) Created a VPN connection for the user.

Now, if the user wants to connect remotely, he/she will first connect to our network via VPN. Once the user's VPN authentication is successful, the user will have to enter the UNC path of the file/folder that he/she wants to access. For example: Start - Run -> \\<servername>\<Shared Foldername>\. When the user enters the UNC he/she will get a prompt to enter the domain login name and password. If the user enters a valid ID and password, he/she can access that resource.

Is this a good way of accessing remotely?

Now, what if the user needs to change his/her domain password remotely? How can that be accomplished?


This is a good way to do it, but it does cause limitations.

Because the laptop was never on the domain, the users won't have any way to change their domain passwords; they will have to call someone to have that done.

Is there a reason you don't want to cache the domain profile on the laptop? This would allow the user to log onto shares and programs that require domain credentials without having to type them in each time, and they can change their domain passwords then. The only time they would have to call in is if their account got locked out, or if the password expired and they hadn't changed it yet (remote users wouldn't get the days countdown when they came in through the VPN). If you don't want to cache the domain profile, then the way you have done it is a good way to do it; just know that the user will not be able to change their domain password.
