
How to use scripts with VPN and AD

Status
Not open for further replies.

cepacs

Technical User
Jun 3, 2008
32
US
We are using a Cisco ASA 5510 and we have it integrated with Active Directory (using Server 2008). I did notice that we have a group policy called VPN Access. I'm thinking I can just put a script in this group policy mapping a home directory; is this correct? If this is correct, how do I get this to only run when people log in from home and not when they are at work?
 
Several ways to attack this. Here are two:

1. In the VPN client, there is a place to put an executable/bat/script to run at connection.

2. You can do a group policy with a script checking the IP. If it matches the first 3 octets of the VPN pool, then run; if not, fail it to end the script.


Brent
Systems Engineer / Consultant
CCNP, CCSP
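An added example of option 2 above (not code from the thread or from either poster): a PowerShell logon script that maps the user's home directory only when the machine holds an address from the VPN pool. It assumes a VPN pool of 10.99.0.0/24 and a home share under \\FILESRV\home$; both values are placeholders. The same script can be pointed at by a domain logon policy or by the VPN client's run-on-connect setting.

```powershell
# Added example, not from the original thread.
# Assumed values: VPN pool 10.99.0.0/24 and a per-user home share on \\FILESRV.
param(
    [string]$VpnPoolPrefix = '10.99.0',                        # first three octets of the VPN pool (assumed)
    [string]$HomeShare     = "\\FILESRV\home$\$env:USERNAME",  # assumed share layout
    [string]$DriveLetter   = 'H'
)

# Every IPv4 address bound on this machine, loopback excluded.
$addresses = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress

# Compare the first three octets, but anchor the pattern so that
# "10.99.0" does not also match 110.99.0.x or 10.99.01.x.
$pattern = '^' + [regex]::Escape($VpnPoolPrefix) + '\.\d{1,3}$'
$onVpn   = $addresses | Where-Object { $_ -match $pattern }

if (-not $onVpn) {
    # On the office LAN: do nothing and exit cleanly so the logon script does not fail.
    Write-Output "No address in $VpnPoolPrefix.0/24; not mapping ${DriveLetter}:"
    exit 0
}

# Drop a stale mapping left by an earlier session before reusing the letter.
if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
    Remove-PSDrive -Name $DriveLetter -Force
}

# -Persist makes the mapping visible in Explorer, like "net use H: \\server\share".
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $HomeShare -Persist -Scope Global
Write-Output "Mapped ${DriveLetter}: to $HomeShare (VPN address: $($onVpn -join ', '))"
```

Because the check only looks at the local address, a host that happens to use the same private range at home would pass it; the VPN pool should be chosen so it does not overlap common home subnets.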
 
Option 2 sounds perfect! In the logon script of my VPN Access policy, I have a vpn.bat file. This script is supposed to launch the command "notepad.exe" just as a test. It works on my work PC, but unfortunately the command does not seem to launch when I connect with the Cisco AnyConnect client. How do I get scripts to run from a group policy when making a VPN connection?
 
There is a reg edit to process GP over slow WAN links. I would have to Google it.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I'm not sure if it's a slow WAN link problem, or if I just don't know how to set up the GP to run when connecting with AnyConnect.
 
You could put a gpupdate /force in the VPN startup, but that kind of brings you back full circle.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I tried a "gpupdate /force" and it says that it completed successfully, but still notepad does not launch. I think I'm missing a step, though. I have a GP that runs for my account, but only when I log on to my work PC, not through a VPN. Don't I need to do something to allow the GP to be processed when connecting through a VPN, or does it just happen when a user connects?
 
Is the PC part of the domain and authenticating against it for login, or are you just authenticating to a share?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
It's not part of the domain and the people connecting will be doing so on their home PC. In other words, the PCs using the VPN will not be part of the domain.
 
Then GP will never process and the scripts will never run. It must be part of the domain and they must be authenticating against it for those to run. You will have to set a script on each client for the VPN client to run on connect.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Once I connect through VPN, I cannot map a drive to my home directory with my credentials, which makes sense because I'm not authenticated to the domain. I was able to connect by giving the admin credentials of the server on which my home directory resides. I'm assuming that in order to give my users access to their home directory through a VPN, they either need to join the domain, or they will need to use a local account on the storage server where their home directory resides; is this correct?
 
You only need credentials with permissions to the share; admin isn't needed. You do need to be an admin on the local PC. I wouldn't add them to the domain. Just give them a domain account with rights to that share.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Right, I know I didn't need to use the admin account, but my credentials wouldn't work (which do have rights to the share), so I used the admin credentials.

Here's what I think is happening. I connect through VPN and I can see and ping the servers. I can connect with a local account on the server that has rights to the share. I cannot connect with a domain account because my PC is not in the domain. Is this correct? Can I still use a domain account to connect to a share even if my PC is not in the domain?
 