How do I prevent VPN users from automatically re-connecting to the VPN after being booted by the inactivity timer?

Question
I set up a VPN connection to our production network (Server 2003 Standard R2 SP2, Routing and Remote Access). I noticed that we were starting to receive overage charges from our co-location provider due to the increased bandwidth usage it caused. At first, I urged my users to restrict their VPN usage to only connect when absolutely necessary, then log off immediately when finished. When administrative controls didn't work, I tried to restrict usage using technical controls by creating a Remote Access Policy that placed session and idle timeouts on the VPN users.
By default, in the Windows VPN Client in Vista settings, the "Redial if line is dropped" checkbox is checked. While the policy will drop the users after the timeout period is reached, the computer will simply reconnect again. Is it possible to apply a group policy that would prevent VPN users from automatically reconnecting when the connection is dropped? If so, is it possible to prevent them from changing that setting on their own?
This is a single domain environment, and the Domain Controller is Server 2003 R2 SP2.
Wednesday, May 20, 2009 9:03 PM
Answers
Hi,
Thanks for the post.
Please understand that we do not have a group policy to configure the "Redial if line is dropped" option. The configuration of VPN and dial-up connections is stored in the rasphone.pbk file. The "Redial if line is dropped" option is configured by the RedialOnLinkFailure option in rasphone.pbk. Generally speaking, the VPN and dial-up connection settings can be configured via the CMAK tool. Unfortunately, the RedialOnLinkFailure option could not be configured via the CMAK tool as it does not have this option.
For your reference, please take a look at the following article on the CMAK tool:
Phase Three: Running the CMAK Wizard and Creating a Service Profile
http://technet.microsoft.com/en-us/library/cc780162.aspx
In this case, we may deploy a script file to disable the "Redial if line is dropped" option; however, please understand we cannot prevent the users from changing it back.
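=======================
' Sets RedialOnLinkFailure=0 for every entry in the current user's rasphone.pbk.
On Error Resume Next
Dim fso, linestring
linestring = ""
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("Process")
sPath = WshSysEnv("SYSTEMDRIVE") + WshSysEnv("HOMEPATH") + "\Application Data\Microsoft\Network\Connections\Pbk\"

' Nothing to do without a phonebook; with On Error Resume Next a failed open
' would otherwise leave the read loop below spinning.
If Not fso.FileExists(sPath + "rasphone.pbk") Then
    WScript.Quit
End If

' Remove leftovers from a previous run.
If fso.FileExists(sPath + "rasphone.bak") Then
    fso.DeleteFile(sPath + "rasphone.bak")
End If
If fso.FileExists(sPath + "rasphone.tmp") Then
    fso.DeleteFile(sPath + "rasphone.tmp")
End If

' Copy the phonebook to rasphone.bak, rewriting the redial setting on the way.
Set f1 = fso.OpenTextFile(sPath + "rasphone.pbk", 1)
Set f2 = fso.CreateTextFile(sPath + "rasphone.bak", True)
Do While f1.AtEndOfStream <> True
    linestring = f1.ReadLine
    If InStrRev(linestring, "[", 1, 1) Then
        ' Line starts with "[": an entry header. Write the setting right after it.
        f2.WriteLine(linestring)
        f2.WriteLine "RedialOnLinkFailure=0"
    ElseIf InStr(1, linestring, "RedialOnLinkFailure") Then
        ' Drop the existing RedialOnLinkFailure line.
    Else
        f2.WriteLine linestring
    End If
Loop
f1.Close
f2.Close

' Swap the files: the rewritten copy becomes rasphone.pbk,
' the original is kept as rasphone.bak.
Set f3 = fso.GetFile(sPath + "rasphone.pbk")
Set f4 = fso.GetFile(sPath + "rasphone.bak")
f3.Move(sPath + "rasphone.tmp")
Set f3 = fso.GetFile(sPath + "rasphone.tmp")
f4.Move(sPath + "rasphone.pbk")
f3.Move(sPath + "rasphone.bak")
===========================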
Hope this helps.
- Marked as answer by Miles Zhang Wednesday, May 27, 2009 1:41 AM
Tuesday, May 26, 2009 10:26 AM
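Because the answer notes that users can change the setting back, a periodic check of rasphone.pbk shows which entries have drifted. The following is an added example, not part of the original thread or any Microsoft tool: the function name `Get-PbkRedialStatus` is hypothetical and the sample phonebook content is constructed.

```powershell
# Added example: report phonebook entries whose RedialOnLinkFailure is not 0.
# Get-PbkRedialStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-PbkRedialStatus {
    param(
        [string[]]$Lines   # contents of rasphone.pbk, one line per element
    )

    $entries = @()
    $current = $null

    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            # A "[name]" line starts a new connection entry.
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ Entry = $Matches[1]; Redial = $null }
        }
        elseif ($current -and $trimmed -match '^RedialOnLinkFailure\s*=\s*(\S+)$') {
            # If the key is repeated, this parser keeps the last value it sees.
            $current.Redial = $Matches[1]
        }
    }
    if ($current) { $entries += $current }

    foreach ($e in $entries) {
        # Compliant only when the key is present and set to 0,
        # which is the state the posted script leaves every entry in.
        $e | Add-Member -MemberType NoteProperty -Name Compliant `
                        -Value ($e.Redial -eq '0') -PassThru
    }
}

# Constructed sample phonebook content (entry names are made up).
$sample = @(
    '[Production VPN]',
    'RedialOnLinkFailure=0',
    '',
    '[Lab VPN]',
    'RedialOnLinkFailure=1',
    '',
    '[Old Dial-up]'
)

# Lists "Lab VPN" (redial re-enabled) and "Old Dial-up" (key missing).
Get-PbkRedialStatus -Lines $sample | Where-Object { -not $_.Compliant }
```

To check a real profile, pass the output of `Get-Content` for the rasphone.pbk file in the folder the posted script uses; re-running that script resets any entry this check reports.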
All replies
Thank you for your help Miles, I sincerely appreciate your time and effort. As you pointed out, it doesn't look like there's any way to prevent users from tampering with this setting, but the script is at least a good start. Maybe there are some desktop lockdown tools available somewhere that might help restrict access to that feature. I'll keep looking and post back.
Thursday, June 4, 2009 9:26 PM
-
Just wondering what happened to this post. Were you able to stop the redialing to the VPN?
Friday, May 11, 2012 2:02 AM