In my last article, we looked at how to set up an SSTP VPN server on Windows 2008/2012. SSTP VPNs work by transporting the VPN traffic encapsulated in an SSL link, so that they can traverse most firewalls. Today we will look at how we can quickly set up a VPN connection on all of our systems via Group Policy Preferences (GPP).

When deploying VPN connections via Group Policy Preferences, we have two options. Firstly, we can deploy it to the computer, which is the same as selecting the ‘make this connection available to all users’ checkbox when manually creating the connection. The main benefit of doing this is that the VPN connection is available before the user has logged on, so we can use it to log on to our domain from a remote location. This is great when you have a user out in the field who needs to log onto a laptop without cached credentials.

Our second option is to deploy to the user – this route won’t allow us to use the connection to log into Windows, but non-admin users will have the ability to modify the connection if they wish. A common change my users make is toggling the ‘use default gateway on remote network’ setting. This allows them to access systems that only permit connections from the main office IP range.

In my example, I’ll be deploying the connection to the computer, and I will also show how we can use the VPN connection to log on to Windows. It’s a little less obvious in Windows 7 than it was in previous versions of Windows.

Firstly, we’ll need to start the Group Policy Management Console, and then select the Group Policy object that we wish to add the VPN connection to. Right-click it and select ‘Edit’. Based on which of the two options (user/computer) you’ve chosen, select the appropriate section on the left, then navigate to Preferences/Control Panel Settings/Network Options. Right-click Network Options, and select New > VPN connection.

New VPN connection

Fill in the details for our VPN connection, ensuring ‘all users connection’ is selected if you’re deploying to computers rather than the users. As we’re using an SSTP VPN, we will also need to tick the DNS name box, and enter the name that appears on our SSL certificate for the VPN server.

I then enable “Display progress while connecting” so that users get some feedback on what’s going on during the connection. Under the Security tab I select the ‘Use windows logon name…’ option to avoid them having to enter their password again. Finally, under the ‘Networking’ tab, ensure that the VPN type is set to automatic, as there isn’t a way to force SSTP here.

Click ‘OK’ to save the VPN connection, and then close the GPO window that we’ve been editing. If you restart a computer that the Group Policy applies to, we should now see the VPN connection available in the connections list.

Connection list
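
To confirm on a client that the preference item applied with the settings chosen above, the all-users phonebook can be checked. The following PowerShell is an added example, not part of the original article; the function names, entry name, server name and sample phonebook text are constructed, and the key meanings (PhoneNumber as the server address, VpnStrategy 0 as automatic, IpPrioritizeRemote 1 as ‘use default gateway on remote network’) are assumptions to confirm against a known-good client.

```powershell
# Added example, not from the original article. Names and sample data are constructed.
# On a client, read $env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk instead.
$samplePbk = @'
[Office SSTP VPN]
VpnStrategy=0
IpPrioritizeRemote=1
MEDIA=rastapi
DEVICE=vpn
PhoneNumber=vpn.example.com
'@ -split "`r?`n"

function ConvertFrom-Phonebook {
    param([string[]]$Lines)
    $entries = @{}
    $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $name = $Matches[1]
            $entries[$name] = @{}
        }
        elseif ($name -and $line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim()
            # Keys can repeat within an entry; keep the first value seen.
            if (-not $entries[$name].ContainsKey($key)) {
                $entries[$name][$key] = $Matches[2].Trim()
            }
        }
    }
    $entries
}

function Test-VpnEntry {
    param([hashtable]$Entries, [string]$EntryName, [string]$CertName)
    if (-not $Entries.ContainsKey($EntryName)) {
        return "Entry '$EntryName' not found: the preference item has not applied"
    }
    $e = $Entries[$EntryName]
    if ($e['PhoneNumber'] -ne $CertName) {
        "Server '$($e['PhoneNumber'])' does not match certificate name '$CertName'"
    }
    if ($e['VpnStrategy'] -ne '0') {
        "VpnStrategy is $($e['VpnStrategy']), expected 0 (automatic)"
    }
    if ($e['IpPrioritizeRemote'] -ne '1') {
        "'Use default gateway on remote network' is off (split tunnel)"
    }
}

$findings = Test-VpnEntry (ConvertFrom-Phonebook $samplePbk) 'Office SSTP VPN' 'vpn.example.com'
if ($findings) { $findings } else { 'Entry matches the intended settings' }
```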

As I’ve created the VPN connection with a computer policy, we can use the VPN connection to allow new users, or those without cached credentials on a system to log in.

Login button

At the Windows login screen, click the ‘Switch user’ button. As computer-wide VPN connections are available, you’ll now see a network login button beside the power button in the bottom right corner of the screen. Once you click this, you’ll be presented with a VPN login window. For this to work you’ll obviously need an active network connection.

VPN Login

Hopefully, you’ve now got an SSTP VPN solution rolled out to your client systems.

1 Comment
  1. Jeff S. 7 years ago

    Hello Geoff!

    Thanks for the article! One question: Is there a way to create a GPO to deploy an L2TP VPN connection with a pre-shared key? It looks like there’s no option to do this (I’m using WIN10 ADMX templates).

    Thanks!

    Jeff

© 4sysops 2006 - 2023