How to Deploy VPN Connection to Domain Users with GPM - Server 2008 R2

  • Question

  • So, I think I have a good question here, but someone may have an immediate answer. (Hopefully I'm not missing something obvious or astounding)

    I am running Server 2008 R2 - Standard (x64) (and a Hyper-V Server 2008 R2 - Standard also, but irrelevant to this question), and I have successfully set up a NAP Policy for my domain VPN Users/Computers. Manually, I have set up a VPN connection on a Windows 7 machine, then connected remotely, successfully, with NAP Enforced. Now here is my issue: my final step is to deploy the VPN Network Connection to my users (so I don't have to set it up on all the machines, and if I have to make a change in the future, it can be remotely implemented). I have been trying to use the Group Policy method, by adding a New Network Option - VPN. The problem is that the new network options for VPN are extremely limited; it looks like they were developed for Windows XP only. My biggest limitation seems to be that I cannot choose "Extensible Authentication Protocol" (Protected EAP/PEAP) as my Authentication method. I am using PEAP with my server's certificate to authenticate VPN users, then validating Windows Security Health with a custom configuration. I have the VPN, NAP and Remote Access and Routing working perfectly, I just have no means of deployment. Has anyone run into this, or is there a Guide somewhere that I missed, maybe an update for Server that I haven't seen?

    I love the ease of NPS and NAP security for server connections.  I would like to look at implementing this down the line for all of my server connections.  Even local domain connections, this is a good way to make sure users are keeping Windows Updated and Virus Protection enabled.  I am a Small Business Owner, and I come from the Small Business Server 2008 platform.  After a lengthy migration this past weekend, it is refreshing to have come this far and learn so much.  I am struggling a little bit with managing Group Policy settings for our many workstation OS Platforms.  It is becoming very time consuming to switch between users with XP and Windows 7, as soon as I solve one problem with XP, another one seems to pop up again.  If I could just wipe XP out of the office for less than $2k, I would be in heaven.  

    I would appreciate any tips or notes on this subject.  

    Also, I would like to say to anyone who frequently exchanges Questions and Answers on the social.technet.microsoft.com forums, Thank You so much. Without the technet guides and the Q&A sessions I have been reading through, I would have never been able to successfully set up and maintain our Domain here. It is a real life saver to find safe reliable solutions here, and sometimes it is refreshing to see that you are not the only one who feels lost in the vast flexibility of Microsoft Server Platforms. (So many choices, so little time)

    Thanks, 

    WesRack0

    Thursday, June 14, 2012 3:48 PM

Answers

  • I have successfully deployed the VPN Connections to my clients using a CMAK configuration file.  This was not really the solution I was looking for, mainly because it isn't as clean as I would like it to be, but I have seen a lot worse from much bigger corporations.

    The solution that worked for me was to just create a CMAK package that I could just deploy with a log-on script.  After a little research I found some configuration and installation notes for the Connection Manager Install (cmstp.exe).  I have listed a link below.   

    CMSTP.exe Library

    http://technet.microsoft.com/en-us/library/dd672647(v=ws.10).aspx

    I have learned a lot from this exercise, especially regarding NPS and PEAP.  I am considering setting up a Radius server to use with my WLAN next.  


    WesRack0

    • Marked as answer by WesRack0 Saturday, June 16, 2012 4:59 PM
    Saturday, June 16, 2012 4:59 PM
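
A logon script of the kind this answer describes, as an added example that is not part of the original post. The share path, profile name, expected hash and per-user marker path are placeholders and assumptions to adapt, and the script assumes the CMAK output is the usual self-extracting .exe that accepts the `/q:a` and `/c:` switches.

```powershell
# Added example: per-user logon script that installs a CMAK profile once.
# Every name and path below is a placeholder (assumption), not from the post.
$ProfileName    = 'CorpVPN'                          # hypothetical CMAK file name
$Package        = "\\example.local\NETLOGON\vpn\$ProfileName.exe"  # hypothetical share
$ExpectedSha256 = '<SHA-256 OF YOUR CMAK PACKAGE>'   # placeholder, recorded at build time

# Assumed per-user profile location; confirm on a reference client first.
$Marker = Join-Path $env:APPDATA "Microsoft\Network\Connections\Cm\$ProfileName.cmp"
if (Test-Path $Marker) { return }                    # already installed for this user

function Get-Sha256Hex([string]$Path) {
    # .NET hashing, because Get-FileHash is absent from PowerShell 2.0 (Windows 7).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Close(); $sha.Clear() }
}

if (-not (Test-Path $Package)) {
    Write-Warning "VPN package not reachable: $Package"
    return
}

# Copy first, then hash and run the same local file, so the bytes that were
# verified are the bytes that execute.
$Local = Join-Path $env:TEMP "$ProfileName.exe"
Copy-Item -Path $Package -Destination $Local -Force
try {
    if ((Get-Sha256Hex $Local) -ne $ExpectedSha256.ToUpper()) {
        Write-Warning "Hash mismatch for $Package; profile not installed."
        return
    }
    # /q:a  quiet self-extraction, /c: command to run after extraction.
    # cmstp: /s silent, /su current user only, /ns no desktop shortcut.
    $cmd  = "/q:a /c:`"cmstp.exe /s /su /ns $ProfileName.inf`""
    $proc = Start-Process -FilePath $Local -ArgumentList $cmd -Wait -PassThru
    if ($proc.ExitCode -ne 0) { Write-Warning "Installer exit code $($proc.ExitCode)" }
}
finally {
    Remove-Item -Path $Local -Force -ErrorAction SilentlyContinue
}
```

Keep the share writable by administrators only. The cmstp.exe command line launched by this script will appear in process-creation logging on every client, so record it as the expected baseline.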

All replies

  • After a lot of digging and a little more digging, I have found a few things out, but no solution. I have created a CMAK .exe that can be run on the client machines and install the VPN connection I need. I still have to go in and change a few properties, but I'm sure I could fix this by editing the code just a tad. However, I still do not like this option, because it does NOT automatically deploy the connection to all of my clients. I also found an option to convert this exe to an msi package that will automatically deploy; this still isn't quite what I am looking for. So while reviewing another option, I found that I can use Windows Powershell to deploy the connection using an .xml file. I like this option the best, as I am trying to make it work. This option is still not simple, but I am getting closer. The biggest problem here is that I am using Extensible Authentication Protocol PEAP, this uses a certificate that is automatically installed on all of our Authenticated Domain Users. The problem here is that I cannot find commands or a way to implement the certificate using .xml format. I have tried exporting/dumping the settings from RAS on the Server and on the working client computer. This has yielded no success to me.

    I have been using the guide shown here:

    http://technet.microsoft.com/en-us/library/ee431701(v=WS.10).aspx

    and here:

    http://www.microsoft.com/en-us/download/details.aspx?id=2555

    (These links are the same, one is a downloadable guide with samples).

    If anyone has any details regarding the .xml hints for VPN PEAP details, I would be grateful.


    WesRack0

    Thursday, June 14, 2012 9:03 PM