Laptop on a domain - VPN Options?

Chandler

I just purchased a Dell M4800 for myself. I want to use my domain profile as it will replace my desktop at work. When I take it home, how can I effectively use my domain credentials/remain on the network while traveling?

I have an RV325 at my work location which is remote to the Hub office. The Hub has an Untangle box using IPSec tunnels. My office can see all the spokes on the hub because I used the .252 subnet on its tunnel.

On my laptop now I am connected to Wireless and have a PPTP connection set up with my RV325. The wireless connection is managed by Intel ProSet and set to persistent so it reconnects when a user logs off. This is okay... but sometimes the PPTP connection does not reconnect. This causes login issues.

I have a VPN router at home as well so technically my LAN can see my office, but I also travel a lot. I intend to get a WWAN card and a SIM as well.

Any suggestions?
 
Shouldn't your domain credentials be cached on your laptop so you can log in even when not connected to the domain?

You need to be able to log in when not connected to the domain and then use whatever VPN software will work with your setup to connect you to your office.
 
> Shouldn't your domain credentials be cached on your laptop so you can log in even when not connected to the domain?
>
> You need to be able to log in when not connected to the domain and then use whatever VPN software will work with your setup to connect you to your office.

Exactly.

Windows handles all this automatically.
 
Yep, you should be able to plug in the laptop to the work network/domain, then log on with your domain account, then when you're sitting at the table at Disney, you can log on with that account, even though you're not connected to the network.

Just make sure your account has the needed local permissions so you can do things that you need to (power user, admin, etc.).

After that, you should be able to connect to a wifi, 4G, etc. and then VPN into work.
 
This only works when the profile is already created on the computer. And at some point the credentials will go stale/expire or the trust relationship will be lost.

That aside - does anyone have any advice on VPN clients? I want to maximize throughput for file transfers mainly.
 
Although not necessarily the end of the world depending on other things, you do know PPTP has been cracked for years, yes?

Once you've connected to whatever VPN you have after logging in with cached credentials, you should get a new Kerberos ticket at some point, so they shouldn't expire.

Look into RRAS.
 
DirectAccess user here. Requires some back end work, but nothing monumental. It's as seamless as I have seen as far as remote access to the office is concerned.
 
> This only works when the profile is already created on the computer. And at some point the credentials will go stale/expire or the trust relationship will be lost.
>
> That aside - does anyone have any advice on VPN clients? I want to maximize throughput for file transfers mainly.

Credentials go stale? Your laptop will tell you it is time to change your password, even when it's not connected to the domain (other networks). You need VPN to access work resources when not in the office?

Your first post says you are running Untangle? There are a few different VPN options cooked in, some you need to pay for. Pick one and go with it. Huck the client on the VPN, validate you can resolve your DC over the VPN and move on. Seems you're taking longer to cross the street IMO.
 
> This only works when the profile is already created on the computer. And at some point the credentials will go stale/expire or the trust relationship will be lost.
>
> That aside - does anyone have any advice on VPN clients? I want to maximize throughput for file transfers mainly.

These days it doesn't make much of a difference. You'll burn all your actual provider availability before your VPN slows you down.

I'd advise to set up something like an SSTP RRAS box (port 443) and ditch PPTP. If you set up a connection with the built-in VPN client you can authenticate to it and it will log you into the laptop even if you have never logged in before (it connects then logs you in). This has made setting up/shipping remote laptops for people a breeze. If they change their password they just use network login and get in with their new credentials.
 
> Credentials go stale? Your laptop will tell you it is time to change your password, even when it's not connected to the domain (other networks).

When the PC has not seen the domain controller for an extended period of time (e.g. no VPN, never bringing it into the office, for 30 days) the trust relationship will break and he will get locked out, no prompt to change password. That is usually how it goes. At that point he will need access to the local user account of the PC and someone with domain admin credentials to disjoin/rejoin the PC to the domain to get things working again.

Chandler, in my personal opinion, as you own the PC, I would just use a local user account for yourself and let the domain account be used for work. Not good to mix personal and business on the domain user profile.
 
> When the PC has not seen the domain controller for an extended period of time (e.g. no VPN, never bringing it into the office, for 30 days) the trust relationship will break and he will get locked out, no prompt to change password. That is usually how it goes. At that point he will need access to the local user account of the PC and someone with domain admin credentials to disjoin/rejoin the PC to the domain to get things working again.
>
> Chandler, in my personal opinion, as you own the PC, I would just use a local user account for yourself and let the domain account be used for work. Not good to mix personal and business on the domain user profile.

Not how it works on our setup. We have had test setups that have not been connected for a year. The only "problem" we run into with extended disconnects is that Windows says it is not genuine since it hasn't been able to connect to the licensing server for too long.

No problems with trust relationships or the accounts "expiring" when not on the network.
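
The check suggested earlier in the thread (confirm the DC resolves over the VPN), combined with a test of the machine's secure channel, which is the "trust relationship" debated above. This is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 on a domain-joined laptop with the VPN already connected, and the function name `Test-DomainOverVpn` is hypothetical.

```powershell
# Added example (not from the thread). Uses built-in cmdlets only.
# Test-ComputerSecureChannel ships with Windows PowerShell 5.1, not PowerShell 7.
function Test-DomainOverVpn {
    [CmdletBinding()]
    param(
        # Defaults to the domain this machine is joined to.
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    )

    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw "This computer is not domain-joined."
    }

    # 1. Clients locate domain controllers through this SRV record, so it
    #    must resolve via the DNS server handed out by the VPN.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) {
        Write-Warning "No SRV records for $srvName; check the VPN's DNS settings."
        return
    }

    # 2. Kerberos (88), LDAP (389) and SMB (445) must be reachable on a DC
    #    for ticket renewal, directory lookups and Group Policy/file access.
    $portChecks = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        foreach ($port in 88, 389, 445) {
            $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $port; Reachable = $t.TcpTestSucceeded }
        }
    }

    # 3. Verify the machine account's secure channel with the domain.
    try   { $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $secureChannel = $false; Write-Warning $_.Exception.Message }

    [pscustomobject]@{
        Domain        = $Domain
        DCsFound      = $srv.Count
        PortChecks    = $portChecks
        SecureChannel = $secureChannel
    }
}

# Run after the VPN connects; inspect PortChecks for any Reachable = False.
Test-DomainOverVpn | Format-List
```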
 