Deploying VPN connections to Windows 7 and 8 with Group Policy

• Author
• Recent Posts

Geoff Kendal

Geoff Kendal is a Windows/Linux systems administrator, scripter and problem solver, with over 12 years experience, based in Leeds, UK.

Latest posts by Geoff Kendal (see all)

• How to add holidays to the Exchange calendar with PowerShell - Wed, Apr 23 2014
• How to change the domain name in Exchange Server 2010 - Tue, Apr 8 2014
• How to enable Unsolicited Remote Assistance in Windows 7 / 8 - Tue, Oct 1 2013

When deploying VPN connections via Group Policy Preferences, we have two options. Firstly, we can deploy it to the computer which is same as selecting the ‘make this connection available to all users’ checkbox when manually creating the connection. The main benefit of doing this is that the VPN connection is available before the user has logged on, so we can use it to log on to our domain from a remote location. This is great when you have a user out in the field that needs to log onto a laptop without cached credentials.

Our second option is to deploy to the user – this route won’t allow us to use the connection to log into Windows, but non-admin users will have the ability to modify the connection if they wish. A common change my users make is toggling the ‘use default gateway on remote network’ setting. This allows them to access systems that only permit connections from the main office IP range.

In my example, I’ll be deploying the connection to the computer, and I will also show how we can use the VPN connection to log on to Windows. It’s a little less obvious in Windows 7 than it was in previous versions of Windows.

Firstly, we’ll need to start the Group Policy Management Console, and then select the Group Policy object that you wish to add the VPN connection to. Right click it and select ‘Edit’. Based on which of the two options (user/computer) you’ve chosen, select the appropriate section on the left, then navigate to Preferences/Control Panel Settings/Network Options. Right click network option, and select New > VPN connection.

New VPN connection

Fill in the details for our VPN connection, ensuring ‘all users connection’ is selected if you’re deploying to computers rather than the users. As we’re using a SSTP VPN, we will need to also tick the DNS name box, and enter the name that appears on our SSL certificate for the VPN server.

I then enable “Display progress while connecting” so that users get some feedback to what’s going on during the connection. Under she security tab I select the ‘Use windows logon name…’ option to avoid them having to enter their password again. Finally under the ‘networking’ tab, ensure that the VPN type is set to automatic, as there isn’t a way to force SSTP here.

Click ‘OK’ to save the VPN connection, and then close the GPO window that we’ve been editing. If you restart a computer that the Group Policy applies to, we should now see the VPN connection available in the connections list.

Connection list

As I’ve created the VPN connection with a computer policy, we can use the VPN connection to allow new users, or those without cached credentials on a system to log in.

Login button

At the Windows login screen, click the ‘switch’ user button. As computer-wide VPN connections are available, you’ll now see a network login button beside the power button in the bottom right corner of the screen. Once you click this, you’ll be presented with a VPN login window. For this to work you’ll obviously need an active network connection.

VPN Login

Hopefully, you’ve now got a SSTP VPN solution rolled out to your client systems.