Windows Server 2012 R2 Dial-in SSL VPN

26 Aug

This is one I’ve been meaning to put up for a while. Basically, it’s a very easy way to allow users out in the field to connect back to a central location using software you most likely already have.

The benefits of enabling this are as follows:

  • It runs over SSL/HTTPS/443, so ports that are most likely open anywhere that a laptop might be used.
  • It’s cheap and simple and also secure.
  • It’s easy for users, no extra software required and uses their current credentials.
  • I’ve been looking for various remote support options, but if users can dial in and I can connect to their machine, VNC might work well rather than a paid-for solution (obviously this won’t help with troubleshooting VPN issues, but it’s so simple there is really nothing to go wrong).
  • If machines can call home easily, any policy changes etc. that are required can easily be pushed to them once they are connected.
  • It also helps when users’ passwords expire and the laptop then needs to call home to update this.

From the server side, you need to add the ‘Remote Access’ Role and then in RRAS (Routing and Remote Access) you can set the specific details. I won’t go into all the detail as it can already be found here.

I also used an external certificate as I had one from a previous VPN configuration. If you need one, 123-Reg or NameCheap will do you one for very little.

I then pushed out the VPN settings to the clients using this WMI filter so it only got pushed to laptops:

Select * from Win32_PhysicalMemory where FormFactor = 12

The Group Policy settings can be found under:

  • Computer Configuration
  • Preferences
  • Windows Settings
  • Control Panel Settings
  • Network Options

Then add a new VPN Connection with your required settings and you’re done.


As I’m not currently using NPS (I’ll add this at a later date), I needed a way to change the Network Access Permission for all users in a specific OU. Thankfully I came across this handy VBScript (from here) to save me having to change it manually for all the users:

Option Explicit

Dim objOU, objUser

' Bind to the OU that holds the VPN users (adjust the DN for your domain)
Set objOU = GetObject("LDAP://ou=Users,ou=Company,dc=mycomp,dc=local")

' Walk every object directly under the OU; only user objects are changed
For Each objUser In objOU
    If (objUser.Class = "user") Then
        ' msNPAllowDialin = True is "Allow access" on the Dial-in tab
        objUser.msNPAllowDialin = True
        ' Write the change back to the directory
        objUser.SetInfo
    End If
Next
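The same change in PowerShell with the ActiveDirectory module, as an added example rather than the post’s own script: it first reports who already has dial-in allowed (including disabled accounts that still do), then grants it only to members of a group and denies everyone else in the OU. The group name VPN-Users is an assumption; the OU DN is the one from the VBScript above.

```powershell
# Added example (not from the original post). Assumes RSAT / the
# ActiveDirectory module and the OU DN used in the VBScript above.
#Requires -Modules ActiveDirectory

$OU       = 'ou=Users,ou=Company,dc=mycomp,dc=local'
$VpnGroup = 'VPN-Users'   # assumed group name; only its members get dial-in

# 1. Audit: how many users in the OU are Allow / Deny / NotSet
#    (NotSet means "Control access through NPS Network Policy")
$users = Get-ADUser -SearchBase $OU -Filter * -Properties msNPAllowDialin, Enabled
$users |
    Group-Object {
        if ($null -eq $_.msNPAllowDialin) { 'NotSet' }
        elseif ($_.msNPAllowDialin)       { 'Allow' }
        else                              { 'Deny' }
    } |
    Select-Object Name, Count | Format-Table -AutoSize

# Disabled accounts that still have Allow are leftovers worth cleaning up
$users |
    Where-Object { -not $_.Enabled -and $_.msNPAllowDialin -eq $true } |
    Select-Object SamAccountName, DistinguishedName

# 2. Grant only to group members, explicitly deny the rest of the OU.
#    -WhatIf shows the changes without applying them; remove it to commit.
$allowed = Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName

foreach ($u in $users) {
    $want = $u.SamAccountName -in $allowed
    if ($u.msNPAllowDialin -ne $want) {
        Set-ADUser -Identity $u -Replace @{ msNPAllowDialin = $want } -WhatIf
    }
}
```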
