For more information, please check Part 1 and 2 from this series.
In this part we will be discussing the Client side and how to setup the VPN on Windows machines (Screen shots will be on Windows 10 machine) and common issues after installation.
VPN Client Configuration:
- On a windows 10 computer, open the Setting - Network and Internet - VPN and Add a VPN connection
- Connection type will be Windows (built-in) and you can pick any name for the connection name. The server name/address should be the FQDN that you have HTTPS traffic directed on your network. This name should match the name of the SSL certificate you bought and configured during the VPN (Security TAB - Please check Part 2). We will be using in our scenario SSTP as agreed (we only allowed HTTPS). Sign-in will be using Username/Password and remove the check box to remember my sign-in.
- One common issue after the user gets VPN connected being unable to connect to normal Internet sites (Google, Microsoft) because all traffic is now pushed through the VPN tunnel (Your machine looks as if its inside the domain) so if you have proxy server in your network then you need to add it to your browser. A quick fix is split tunneling where all corporate traffic go through the VPN and normal Internet traffic from your normal Wireless or Home connection. In order to do this you need to go to the Network connections and get the properties of the newly created network (Test VPN in our case) - Properties - IPV4 - Advanced and remove the check box of "Use default gateway on remote network" - Check below screen shots
- Now you are ready and the user can double click the Test VPN from the VPN tab in the settings or from the Wireless connections and enter his/her user name and password. Make sure to enter it in the format domain\username (remember this is Home computer or work group device with no information on your domain.)
Frequently asked questions (FAQ):
- I can't map any share or RDP to my client/Server ?
We need always to remember that this VPN connected machine is a work group machine which is not connected or joined to your domain. Always use FQDN when connecting to resources (There is no default DNS suffix on the client and we even can't push it by Group Policy).
For example: RDP to computer.domain.com Not just computer name. Also map the share in FQDN as \\server.domain.com\share. Everything should be in FQDN. Ping by either IP or FQDN.
If you can't ping by IP or FQDN a corporate resource then its not reachable (No route on the VPN server) - Remember the internal NIC of the VPN server has no Gateway. Make sure to add the route first to all resources/VLANs on the VPN server (Manually using Route Add Command).
- I can't map or access my DFS root shares ?
The solution is configuring the DFS to use FQDN in Referrals because its normal behavior is to reply to queries in Net BIOS names only.
To fix this issue you need to follow the below article
Example: Your DFS server "Server01" with DFS Root "RootShare" and all users access it using \\Mycompany.com\RootShare
Remove-DfsnRootTarget -TargetPath \\Server01\RootShare
Set-DfsnServerConfiguration -ComputerName Server1.mycompany.com -UseFqdn $true
New-DfsnRootTarget -Path \\mycompany.com\RootShare -TargetPath \\Server01.mycompany.com\RootShare
This should cover most of the issues the VPN/Work group users face while connected. Hopefully you enjoyed this part and stay tunes for our last part with the Azure Multi Factor Authentication.