Provisioning VPN client settings using Group Policy

Problem:

Today, the Microsoft VPN client can be configured in two ways, as discussed in this article: a) the in-built VPN client, and b) the CM-based VPN client. The first method requires the end user to know the VPN settings and then create a VPN connection, which has to be repeated by each user and is prone to errors. The second method requires the VPN server administrator to create a VPN connection package (called a CM profile) and then send it to the end user through some mechanism (such as uploading it to a web server). The end user then installs the CM profile manually. The problem with this mechanism is that the end user may forget to repeat that step when the configuration changes, and the VPN server administrator has no way to push the changes automatically.


Solution:

In this article we will discuss a group policy (GP) based provisioning solution for the Microsoft VPN client. The key point of this solution is that it works as long as the client machine is running one of the following Windows OS releases: Windows XP, Windows 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 2008 R2.


The steps to create the VPN connection for a VPN server administrator are fairly simple:

1) Configure all the settings required by the VPN client (such as the VPN server hostname) in an XML file.

2) Place a PowerShell script and the above-mentioned XML file in a file server location on the network.

3) Create a group policy object (GPO) that points to the network location containing the PowerShell script and XML file. Add the necessary end users/machines to the GPO.


Whenever a remote user logs on to the domain, they receive the group policy update and the VPN client connection gets created on their machine.


The details of the entire solution (along with the PowerShell script and a sample XML file) can be seen here.


How it works:

The solution involves the following elements:

1. Remote access (RAS) APIs

2. PowerShell script and XML configuration file

3. Group Policy


The VPN server administrator configures a PowerShell script to run as a logon script on the Domain Controller. The instructions required for configuring the VPN client settings are inside the script. The script takes the VPN client settings as input in the form of an XML file, which is configured by the VPN server administrator.


When a domain user logs on to the machine, the group policy settings get applied on the client. As part of that process, the PowerShell script is run. The script reads the configuration from the XML file and configures the VPN client entries on the client machine by calling the RAS APIs.
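The three administrator steps and the "How it works" flow above describe one script: read an XML settings file from a share, then create (or update) the VPN entry on the client. The script below is an added example of that pattern and is not the script from the original post. It uses the Add-VpnConnection / Set-VpnConnection cmdlets (Windows 8 / Server 2012 and later) rather than the RAS APIs the post's script calls for Windows XP through Windows 7; those cmdlets, the XML element names, the share path and the constructed sample settings are all assumptions of this example. It also validates every value before use, because whatever is in that file becomes a VPN connection on every domain member that runs the script.

```powershell
# Added example (not the original post's script): a GP logon script that reads
# VPN client settings from an XML file and creates or updates the connection.
# Assumptions: Add/Set/Get-VpnConnection are available (Windows 8 / Server 2012
# and later); the XML layout, share path and sample values are constructed here.
[CmdletBinding()]
param(
    # Assumed location of the administrator-maintained settings file.
    [string]$ConfigPath = '\\fileserver\netlogon\vpn\VpnClientSettings.xml',
    # Per-user entry by default (a GP logon script runs as the user). Use
    # -AllUsers only from a computer startup script, which runs as SYSTEM.
    [switch]$AllUsers
)

# Constructed sample settings, used only when the share is unreachable so the
# example can be tried on a test machine.
$sampleXml = @'
<VpnClientSettings>
  <Connection>
    <Name>Contoso VPN</Name>
    <ServerAddress>vpn.contoso.example</ServerAddress>
    <TunnelType>Sstp</TunnelType>
    <EncryptionLevel>Required</EncryptionLevel>
    <AuthenticationMethod>MSChapv2</AuthenticationMethod>
    <RememberCredential>false</RememberCredential>
  </Connection>
</VpnClientSettings>
'@

function Read-VpnSettings {
    param([string]$Path)
    [xml]$doc = if (Test-Path -LiteralPath $Path) { Get-Content -LiteralPath $Path -Raw } else { $sampleXml }
    $c = $doc.VpnClientSettings.Connection
    if ($null -eq $c) { throw "No <Connection> element in $Path" }

    # Reject anything outside a fixed set of values instead of passing the file
    # through as-is: a malformed or edited file must not yield a weak entry.
    $tunnelTypes = 'Pptp', 'L2tp', 'Sstp', 'Ikev2', 'Automatic'
    $authMethods = 'Pap', 'Chap', 'MSChapv2', 'Eap', 'MachineCertificate'
    $encryption  = 'Required', 'Maximum'   # weaker levels deliberately not accepted

    if ([string]::IsNullOrWhiteSpace($c.Name)) { throw 'Connection name is empty' }
    if ($c.ServerAddress -notmatch '^[A-Za-z0-9.-]+$') { throw "Bad server address '$($c.ServerAddress)'" }
    if ($c.TunnelType -notin $tunnelTypes) { throw "Unsupported tunnel type '$($c.TunnelType)'" }
    if ($c.AuthenticationMethod -notin $authMethods) { throw "Unsupported auth method '$($c.AuthenticationMethod)'" }
    if ($c.EncryptionLevel -notin $encryption) { throw "Encryption level '$($c.EncryptionLevel)' not allowed" }

    [pscustomobject]@{
        Name                 = $c.Name.Trim()
        ServerAddress        = $c.ServerAddress
        TunnelType           = $c.TunnelType
        AuthenticationMethod = $c.AuthenticationMethod
        EncryptionLevel      = $c.EncryptionLevel
        RememberCredential   = [System.Convert]::ToBoolean($c.RememberCredential)
    }
}

function Set-VpnClientEntry {
    param($Settings, [switch]$AllUsers)
    $common = @{
        Name                 = $Settings.Name
        ServerAddress        = $Settings.ServerAddress
        TunnelType           = $Settings.TunnelType
        AuthenticationMethod = $Settings.AuthenticationMethod
        EncryptionLevel      = $Settings.EncryptionLevel
        AllUserConnection    = $AllUsers.IsPresent
        Force                = $true
    }
    $existing = Get-VpnConnection -Name $Settings.Name -AllUserConnection:$AllUsers -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # First logon: create the entry.
        Add-VpnConnection @common -RememberCredential:$Settings.RememberCredential
        return 'created'
    }
    # Later logons: apply whatever the administrator changed in the XML, so the
    # client never keeps a stale copy of the settings.
    Set-VpnConnection @common -RememberCredential $Settings.RememberCredential
    return 'updated'
}

$settings = Read-VpnSettings -Path $ConfigPath
$result   = Set-VpnClientEntry -Settings $settings -AllUsers:$AllUsers
Write-Verbose "VPN connection '$($settings.Name)' $result"
```

Two deployment points follow from the design. First, the script is idempotent: it creates the entry on first logon and re-applies the XML on every later logon, which is what closes the "user forgets to reinstall the profile" gap from the problem statement. Second, the share holding the script and XML is effectively a code path onto every domain member, so restrict write access on it to the VPN administrators and sign the script, so that the client-side execution policy can reject a modified copy.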


The end users can then use the VPN client connection to connect to VPN servers.


Let us know your feedback


Cheers,

Rama Krishna Prasad S

Software Development Engineer

Windows networking


[This posting is provided “AS IS” with no warranties, and confers no rights.]

Comments

  • Anonymous
    September 28, 2009
    Why is there no option in Group Policy Preferences for configuring an SSTP connection? It supports PPTP and L2TP but not SSTP! Oh boy ...