Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?

    Question

  • Hi,

    First timer here so please bear with me!

    Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)

    When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.

    I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.

    Am I missing something on the options for the GP preference to set this automatically?

    I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.

    Any help would be greatly appreciated!

    Thanks a lot!

    David

    Wednesday, May 11, 2011 3:59 PM

Answers

  • Shane,

    There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections. (All VPN connections are stored in the same .pbk file.)

    Here's the trick: Opening the .pbk file in notepad, I realized that this is actually an oldstyle ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connections names, like [My VPN], and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".

    So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
    Create a new object with Action = Update, and File Path =
    C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
    (If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
    Section Name should be the display name of your VPN connection, without the brackets.
    Property Name = IpPrioritizeRemote
    Property Value = 1

    Peter, www.skov.com, Denmark

     


    Peter :-)
    Monday, September 12, 2011 8:35 PM
  • David,

     

    It's quite obvious Rick Tan has not understood your question and issue here.

     

    If I can clarify, the default behavior when creating a manual VPN connection results in the setting Networking > IPv4 > Properties > Advanced > IP Settings > "Use default gateway on remote network" being selected. This is a desired setting, I believe, in most cases.

    When automating this, as most organisations would want to do, via Group Policy using Computer Configuration > Preferences > Control Panel Settings > Network Options > VPN Connection, there isn't an option to set this in the GP Preference item.

     

    As you mention David, you may be able to script up an edit of this .pbk file. A better solution is to create the .pbk file from your manual VPN setup, make sure you have all the correct settings, no username/password.

    Copy the file to your Netlogon share, then use GP Preferences to do a simple file deployment with an Update or Replace method.

    I'll be trialling this now and post an update ASAP.

    EDIT: Works perfectly! Just make sure you make the file preference item with a Replace method. Dear Microsoft, this is a terrible default behaviour. Please look at this for the next versions of Group Policy.

    Hope this post helps others in the future.


    • Proposed as answer by Shane Borczuch Wednesday, July 13, 2011 7:12 AM
    • Edited by Shane Borczuch Wednesday, July 13, 2011 7:15 AM solution works, editing results. proposed as answer.
    • Marked as answer by Rick Tan (Moderator) Friday, July 15, 2011 9:24 AM
    Wednesday, July 13, 2011 4:21 AM
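Both accepted answers (Peter's Ini Files item and Shane's whole-file Replace) come down to what ends up in rasphone.pbk, so the useful follow-up check is to read the file back on a client and confirm that every connection actually carries IpPrioritizeRemote=1. The PowerShell below is an added example, not code from this thread; it assumes only what Peter and Jiri state (the pbk is an INI-style text file, each [section] is the connection's display name, IpPrioritizeRemote=1 is the "Use default gateway on remote network" flag, and the per-user copy lives under %APPDATA%). The function names, the constructed sample pbk and the handling of a section that lacks the key are mine. The syntax avoids PowerShell 3+ features so it also runs on the Windows 7 era PowerShell 2.0.

```powershell
# Added example, not from the original thread. Assumptions: rasphone.pbk is an
# INI-style text file, [section] = connection display name, and
# IpPrioritizeRemote=1 is "Use default gateway on remote network".
# Function and variable names are mine.

# Report the flag for every connection in a pbk. A missing key or 0 means the
# client can still split-tunnel.
function Get-PbkGatewayStatus {
    param([string[]]$Lines)
    $section = $null
    $flags   = @{}
    $order   = @()
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $section = $Matches[1]
            $flags[$section] = $null      # section seen, key not seen yet
            $order += $section
        } elseif ($section -and $line -match '^IpPrioritizeRemote\s*=\s*(\d+)\s*$') {
            $flags[$section] = [int]$Matches[1]
        }
    }
    foreach ($name in $order) {
        New-Object PSObject -Property @{
            Connection         = $name
            IpPrioritizeRemote = $flags[$name]
            SplitTunnelling    = ($flags[$name] -ne 1)   # $null -ne 1 is also $true
        }
    }
}

# Return a copy of the pbk lines with IpPrioritizeRemote=1 in the named section
# and every other line untouched (the same effect as the GPP Ini Files "Update"
# action). If the section has no such key it is appended to that section.
function Set-PbkUseRemoteGateway {
    param([string[]]$Lines, [string]$Connection)
    $out      = @()
    $inTarget = $false
    $seenKey  = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            if ($inTarget -and -not $seenKey) { $out += 'IpPrioritizeRemote=1' }
            $inTarget = ($Matches[1] -eq $Connection)   # -eq is case-insensitive
        } elseif ($inTarget -and $line -match '^IpPrioritizeRemote\s*=') {
            $line    = 'IpPrioritizeRemote=1'
            $seenKey = $true
        }
        $out += $line
    }
    if ($inTarget -and -not $seenKey) { $out += 'IpPrioritizeRemote=1' }   # target was last section
    $out
}

# Constructed sample in the shape of a rasphone.pbk (not a real file): one
# connection with the flag cleared, one with it set, one with no key at all.
$sample = @(
    '[Corp VPN]', 'Encoding=1', 'Type=2', 'IpPrioritizeRemote=0', '',
    '[Lab VPN]',  'Encoding=1', 'Type=2', 'IpPrioritizeRemote=1', '',
    '[Old VPN]',  'Encoding=1', 'Type=2'
)
Get-PbkGatewayStatus -Lines $sample |
    Format-Table Connection, IpPrioritizeRemote, SplitTunnelling -AutoSize

$fixed = Set-PbkUseRemoteGateway -Lines $sample -Connection 'Corp VPN'
$fixed = Set-PbkUseRemoteGateway -Lines $fixed  -Connection 'Old VPN'
Get-PbkGatewayStatus -Lines $fixed |
    Format-Table Connection, IpPrioritizeRemote, SplitTunnelling -AutoSize

# Audit the real files on a client: the all-users pbk Peter's GPP item targets
# and the per-user copy Jiri mentions. To apply a change, write the result back
# with Set-Content and pass -Encoding explicitly (Windows PowerShell's default
# is ASCII, which would mangle a non-ASCII connection name).
$paths = @(
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)
foreach ($p in $paths) {
    if (Test-Path $p) {
        Write-Output "== $p"
        Get-PbkGatewayStatus -Lines (Get-Content $p) |
            Format-Table Connection, IpPrioritizeRemote, SplitTunnelling -AutoSize
    }
}
```

Run the audit part as a logon or startup script and you have the check that GPP itself does not give you: a connection shows up as SplitTunnelling = True if the Ini Files item was never applied to it or a user later cleared the box. Two caveats that follow from the thread: Shane's file Replace overwrites the whole pbk, so any connection a user created in that same file disappears, and Peter's Update only touches the one section you name, so a pbk with several connections needs one Ini Files item per section name.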

All replies

  • Hi David,

    You could disable split-tunneling by remote access policy IP filters.

    Open RRAS console--Remote Access Policy--Connections to Microsoft Routing and Remote Access server--edit profile--ip--ip filter, inbound filter only permit source ip from VPN clients, outbound filter only permit destination ip to VPN clients.

    Split-tunneling Security Issues

    http://technet.microsoft.com/en-us/library/bb878117.aspx

     


    Regards,

    Rick Tan

    Thursday, May 12, 2011 9:05 AM
    Moderator
  • Great answer Peter, thanks
    Friday, November 04, 2011 9:44 AM
  • I can confirm that this solution is working. Before this I deployed VPN connections with .CMP profile. Actually path for single user is %appdata%\microsoft\network\connections\pbk\rasphone.pbk

    Thanks for the tip with .INI.

    Regards

    Jiri


    • Edited by Jiri Pihik Tuesday, November 20, 2012 2:16 PM
    Tuesday, November 20, 2012 2:14 PM
  • This is great, but just one question. I also want to append a list of DNS Suffixes in order (when viewing a VPN's properties, this is buried in "Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)"). However, for the VPNs I have manually created with this list populated, I can't see any entries in the rasphone.pbk. Does anyone know where these are stored?

    Cheers.
    • Edited by Swinster Tuesday, April 07, 2015 12:23 AM
    Tuesday, April 07, 2015 12:23 AM
  • To answer this, I think this is something that is carried across all network connections?

    Chris

    Tuesday, April 07, 2015 2:41 AM
  • Push VPN without Default Gateway Checked via Group Policy

    To enable the default gateway:

    Input the File path of the rasphone.pbk file: C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk

    Section Name should be the display name of your VPN connection

    Property Name = IpPrioritizeRemote

    Property Value = 1


    MCITP, MCSE. Regards, Oleg

    Wednesday, August 03, 2016 8:24 PM