RE: SBS Standard VPN Setup using L2TP
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Thu, 25 Aug 2005 09:49:59 GMT
Hi:
Thank you for your update.
I understand that the login script is not applied when users log on through
VPN.
The logon script in the user profile only runs when you select the "Log on
using dial-up connection" option in the "Log On to
Windows" dialog box and choose an appropriate connection to gain access to
a network through which the computer's domain controller and account are
reachable. Considering the current situation, I suggest that you log off
and then log on by using the dial-up connection option after you create the VPN
connection. In this way, the correct group policies will be applied.
First please help to confirm the following information:
1. Did you configure a login script group policy in AD or configure a logon
script for some specific users in the user profile properties?
2. Has this remote client joined the domain?
3. Does login script work on other remote clients?
I would like to provide the following suggestions:
1. One other issue users may encounter is slow link detection preventing
the client from applying policy. By default, Group Policy slow link
detection is enabled, which prevents some client-side extensions from
processing if a slow WAN link is detected from the client to the authenticating DC.
Below is the name of the setting you may determine needs to be disabled, as
well as the path to the setting in the group policy editor.
Group Policy slow link detection
User Configuration\Administrative Templates\System\Group Policy
227369 Default Behavior for Group Policy Extensions with Slow Link
http://support.microsoft.com/?id=227369
227260 How a Slow Link Is Detected for Processing User Profiles and Group
Policy
http://support.microsoft.com/?id=227260
302104 The Logon Script Does Not Run During the Initial Logon Process
http://support.microsoft.com/?id=302104
Some computers may not be able to receive the group policy when they connect
to the server by VPN. You can add the following registry setting on the
clients:
HKLM\Software\Policies\Microsoft\Windows\System
REG_DWORD Value
GroupPolicyMinTransferRate=0
2. You can use Secedit.exe with the /REFRESHPOLICY switch to impose GPO
settings upon a target workstation. For more
information, please refer to the following Microsoft Knowledge Base article:
227619 Remote Access Clients May Not Receive Domain-Based Policy in Windows
2000
http://support.microsoft.com/?id=227619
In addition, you can use the Connection Manager Administration Kit (CMAK),
which is a tool included in the Windows Server 2003 Admin Pack
(CD-ROM:\I386\Adminpak.MSI). You can install it and use it with a logon
script. As I am not an expert on CMAK, I suggest you contact Microsoft PSS
or post in the microsoft.private.directaccess.win2003.networking
newsgroup to get better support if you need more information on how to do
that.
3. How did the client connect to the VPN server? If you use Cisco switches, you
may enable the "PortFast" option on the switch to test this issue. A
similar problem was resolved in this way before.
Please feel free to let me know if anything is unclear.
Have a nice day!
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
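
The slow link check from suggestion 1, as an added PowerShell example that is not part of the original post: it reads GroupPolicyMinTransferRate from the policy key named above (the HKCU counterpart is included as an assumption, since the setting is listed under User Configuration) and can set it to 0 on the computer side. The function names are hypothetical, and the refresh uses gpupdate, which took over from Secedit /REFRESHPOLICY on Windows XP and later.

```powershell
# Added example: audit and optionally disable Group Policy slow link detection.
# Key path and value name are the ones given in the post; function names are hypothetical.
$ValueName  = 'GroupPolicyMinTransferRate'
$PolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\System',   # computer-side policy (from the post)
    'HKCU:\Software\Policies\Microsoft\Windows\System'    # user-side policy (assumed counterpart)
)

function Get-SlowLinkSetting {
    # Report, per hive, whether slow link detection can suppress policy processing.
    foreach ($key in $PolicyKeys) {
        $rate = $null
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $rate = $prop.$ValueName }
        }
        $state = if ($null -eq $rate) {
            'not configured (default threshold of 500 Kbps applies)'
        } elseif ($rate -eq 0) {
            'slow link detection disabled'
        } else {
            "links below $rate Kbps are treated as slow"
        }
        [pscustomobject]@{ Key = $key; Value = $rate; State = $state }
    }
}

function Disable-SlowLinkDetection {
    # Write GroupPolicyMinTransferRate=0 (REG_DWORD) and refresh policy.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = $PolicyKeys[0]
    if ($PSCmdlet.ShouldProcess($key, "Set $ValueName to 0")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
        gpupdate /force
    }
}

# Read-only audit; run this while the VPN connection is up.
Get-SlowLinkSetting | Format-Table -AutoSize

# Preview the change first, then rerun without -WhatIf to apply it.
# Disable-SlowLinkDetection -WhatIf
```

Writing to the HKLM key requires an elevated prompt; the audit function does not.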
--------------------
| From: =?Utf-8?B?a2V2YW5o?= <kevanh@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: SBS Standard VPN Setup using L2TP
| Date: Wed, 24 Aug 2005 08:51:19 -0700
|
| The drive mappings are in the default login script - they are not being run.
| Is there an exception in one of the GPOs that says not to run them over a VPN?
| The SBSpackage only deploys a PPTP VPN connection but does not add an entry
| under network connections --> Virtual Private Network. This is required to
| select a dial-up networking option when checking the additional option when
| you log on.
| The SBSpackage only deploys a "Connect to small business manager" under
| "Connection Manager", not the expected VPN entry.
| Is there an additional limitation to the Connection Manager that stops the
| logon script from being run?
| Even adding a manual VPN entry & logging in via that dial-up connection does not
| run the login script & get me the drive mappings I require?
|
| Thanks
|
|
| "Edward Tian" wrote:
|
| > Hi:
| > Thanks for your reply!
| >
| > Do you mean that you want to use the map network drive feature? Based on my
| > test, if you use a domain user account to establish the VPN connection, you
| > can receive your drive mappings on this network without any difficulties if
| > this user has been granted the permission to access the shares.
| >
| > Please feel free to let me know if you have any questions.
| > Have a nice day!
| >
| > Best Regards
| > Edward Tian(MSFT)
| > --------------------
| > | From: =?Utf-8?B?a2V2YW5o?= <kevanh@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: RE: SBS Standard VPN Setup using L2TP
| > | Date: Tue, 23 Aug 2005 10:17:04 -0700
| > |
| > | Thanks
| > | Point #2: I wondered about the limitation of the sbspackage.exe, I noticed
| > | that no VPN connection (just connection manager) is created so I cannot
| > | select login using the VPN connection so I can receive my drive mappings on
| > | the network. Is this a limitation of the package also? Do I need to create a
| > | separate VPN connection to facilitate this?
| > |
| > | Thanks
| > |
| > | "Edward Tian" wrote:
| > |
| > | > Hi:
| > | > Thanks for your update.
| > | >
| > | > The documents are applicable for SBS2003 environment. Please feel free to
| > | > follow the step-by-step instructions.
| > | >
| > | > To answer your questions:
| > | > 1. Yes, you can add a new policy and delete the existing PPTP policy if you
| > | > no longer need it.
| > | >
| > | > 2. The sbspackage.exe created by Remote Access Wizard is designed for PPTP
| > | > connection. We may need to manually create the VPN connection.
| > | >
| > | > If you have a router on the SBS end, please open the following ports to
| > | > allow the traffic to pass through.
| > | > 1. IPSec Encapsulating Security Protocol (ESP) (IP protocol 50)
| > | > 2. IPSec Network Address Translator Traversal NAT-T (UDP port 4500).
| > | > 3. IPSec Internet Security Association and Key Management Protocol
| > | > (ISAKMP) (UDP port 500)
| > | > 4. UDP 1701
| > | >
| > | > More information:
| > | > Step-by-Step Guide for Setting Up Network Quarantine and Remote Access
| > | > Certificate Provisioning in a Test Lab
| > | > http://www.microsoft.com/downloads/details.aspx?FamilyID=fe902704-52dd-4bbe-8a75-f8fbb76cd28a&DisplayLang=en
| > | >
| > | > Hope it helps.
| > | > Have a nice day!
| > | >
| > | > Best Regards
| > | > Edward Tian(MSFT)
| > | > --------------------
| > | > | From: =?Utf-8?B?a2V2YW5o?= <kevanh@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | > | Subject: RE: SBS Standard VPN Setup using L2TP
| > | > | Date: Mon, 22 Aug 2005 09:39:04 -0700
| > | > |
| > | > | Thanks for all the links....
| > | > | I noticed a lot of them pertain to 2000/2003 server not SBS.
| > | > | I am looking for the specific steps to add L2TP to the RRAS server which
| > | > | will use the current SBS certificate. I assume that I can add a 4th policy
| > | > | which specifies the NAS/Tunnel-type for L2TP & I wish to remove the PPTP
| > | > | policy to enforce this.
| > | > | The VPN client is deployed by SBS but I notice that there is no separate VPN
| > | > | connection generated by this process that will allow the users to login via
| > | > | the dial-up VPN adapter. This is what is required for remote users to access
| > | > | their drive letters & data.
| > | > | Thanks
| > | > |
| > | > |
| > | > | "Edward Tian" wrote:
| > | > |
| > | > | > Hi:
| > | > | > Thank you for posting here.
| > | > | > From your description, I understand that you want to establish an L2TP
| > | > | > connection on SBS Standard Server.
| > | > | > There are two scenarios when we want to deploy L2TP/IPSec VPN.
| > | > | >
| > | > | > 1. Without ISA installed.
| > | > | >
| > | > | > The white paper below is for the scenario that CA and RRAS are on the
| > | > | > different Windows 2K3.
| > | > | > Step-by-Step Guide for Setting Up Network Quarantine and Remote Access
| > | > | > Certificate Provisioning in a Test Lab
| > | > | > http://www.microsoft.com/downloads/details.aspx?FamilyID=fe902704-52dd-4bbe-8a75-f8fbb76cd28a&DisplayLang=en
| > | > | >
| > | > | > Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
| > | > | > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx
| > | > | >
| > | > | >
| > | > | > 2. With ISA installed.
| > | > | >
| > | > | > 1) Please DO NOT manually configure the RRAS settings. If you have already
| > | > | > configured the RRAS settings, please open RRAS console, right-click the
| > | > | > server name and choose to remove the configurations and disable the service.
| > | > | >
| > | > | > 2) To properly configure the VPN server settings on an ISA server, you may
| > | > | > want to use the ISA VPN wizard. Open ISA Management console, navigate to
| > | > | > ServerName\Network Configuration. Right-click it and choose "Allow VPN
| > | > | > client connections".
| > | > | >
| > | > | > 3) For the L2TP/IPSec VPN connection, a computer certificate is required
| > | > | > for the remote clients. You can set up a CA on ISA or other server boxes.
| > | > | > Publish the Certificate web site to the Internet through ISA. Let the
| > | > | > remote client computer request a Computer Certificate from the CA. Please
| > | > | > note that if the remote client computers are not members of the domain, you
| > | > | > may want to set up the CA in "Stand alone root" mode.
| > | > | >
| > | > | > 253498 HOW TO: Install a Certificate for Use with IP Security
| > | > | > http://support.microsoft.com/?id=253498
| > | > | >
| > | > | > For more information, please refer to the following links:
| > | > | > http://www.microsoft.com/technet/community/columns/cableguy/cg0502.mspx
| > | > | >
| > | > | > http://www.microsoft.com/technet/itsolutions/network/security/vpnclnta.mspx
| > | > | >
| > | > | > Computer certificates for L2TP/IPSec VPN connections
| > | > | > http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_VPN_us26.asp
| > | > | >
| > | > | > L2TP-based remote access VPN deployment
| > | > | > http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_RASS_scen_l2tp_rc.asp
| > | > | >
| > | > | > 818754 White Paper: Virtual Private Networking with Windows Server 2003:
| > | > | > Overview
| > | > | > http://support.microsoft.com/?id=818754
| > | > | >
| > | > | >