One of the most common “emergency” requests any IT professional gets is a remote user needing to get on the network. Most of the time people grab their laptop and head to an off-site location. Once they get there they either aren’t able to log on or can’t reach network resources once they are. This simple GPO sets up the VPN connection for you so that users are empowered to work anywhere.
Of course it goes without saying that you already need a VPN set up on your network. This GPO pushes out the VPN connection to client computers.
When setting up a VPN connection, 9 times out of 10, you only want traffic destined for the VPN network to travel through the VPN. However, Windows by default is set to route all network traffic over the VPN connection. It does this by using the remote gateway as the default gateway. This means if your user connects to the VPN and then visits this blog www.dannyeckes.com the traffic comes through the VPN instead of the connection where the user physically is. The downside to this is that VPN traffic can be very slow. The upside is that all of the traffic is encrypted. For this GPO we will not be using the remote gateway for all traffic (what is commonly called split tunneling). The VPN connection will only carry traffic for network resources that are on the VPN; everything else leaves through the user’s local connection, unencrypted by the VPN.
Open Group Policy Management Console. Select your OU and create a new GPO titled “Deploy VPN Connection”.
We want this to be a computer configuration because we want the VPN available to all users. Furthermore we want the VPN connection to be available prior to logon. Navigate to: Computer Configuration | Preferences | Control Panel Settings | Network Options. Right click and New > VPN Connection.
Add your VPN information, just as you would set up the VPN connection on a normal computer. Check “Use DNS Name” and put the DNS name of your VPN server. Note it is always best practice to use a DNS name rather than an IP address. IP addresses tend to change more often than names do.
Click “OK” and you have the standard VPN connection set to be pushed out.
Disabling “Default Gateway”
Here what we are doing is having the GPO edit the default Remote Access Service phone book (rasphone.pbk) so that “Use Remote Default Gateway” is turned off for the connection.
In the same GPO go to Preferences | Windows Settings | Ini Files.
Create a new object and set the action to Update.
Input the file path of the rasphone.pbk file: C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
This is the all-users phone book, which is where the computer-configuration preference above creates the connection. Connections a user creates for themselves live in a separate rasphone.pbk under that user’s %APPDATA%\Microsoft\Network\Connections\Pbk folder and are not touched by this setting.
Section Name should be the display name of your VPN connection. I used Ecorp VPN.
Property Name = IpPrioritizeRemote
Property Value = 0
Reboot the computer and now you will have the VPN connection available to all users prior to logon. It is also accessible once logged in, and the “Use Default Gateway” box for the connection is unchecked.
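To confirm the policy actually landed on a client, the following PowerShell script (an added example, not part of the original post) reads the all-users rasphone.pbk the same way the Ini File preference writes it, checks IpPrioritizeRemote for the connection, cross-checks with what Get-VpnConnection reports, and, if the tunnel is up, verifies that no default route points at the VPN adapter. It assumes the connection name “Ecorp VPN” and the phone book path from the post; the Ipv6PrioritizeRemote key name and the assumption that the VPN adapter’s InterfaceAlias equals the connection name are mine, and both checks are skipped when they do not apply. Get-VpnConnection and Get-NetRoute need Windows 8 / Server 2012 or later.

```powershell
<#
  Added example (not from the original post): verify on a client that the
  GPO-deployed all-users VPN connection has "Use Remote Default Gateway" off.
  Assumptions: the connection is named "Ecorp VPN" (as in the post) and the
  all-users phone book lives at the ProgramData path the post gives.
#>
param(
    [string]$ConnectionName = 'Ecorp VPN',
    [string]$PhonebookPath  = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
)

# Minimal INI reader for rasphone.pbk: returns the value of $Key in [$Section], or $null.
function Get-PbkSetting {
    param([string]$Path, [string]$Section, [string]$Key)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.*)\]\s*$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match ('^\s*' + [regex]::Escape($Key) + '\s*=\s*(.*?)\s*$')) {
            return $Matches[1]
        }
    }
    return $null
}

$failures = @()

# 1. The setting the GPO Ini File preference writes (Property Name = IpPrioritizeRemote, Value = 0).
$v4 = Get-PbkSetting -Path $PhonebookPath -Section $ConnectionName -Key 'IpPrioritizeRemote'
if ($null -eq $v4) {
    $failures += "No [$ConnectionName] section or IpPrioritizeRemote key in $PhonebookPath (GPO not applied yet?)"
} elseif ($v4 -ne '0') {
    $failures += "IpPrioritizeRemote=$v4: all traffic will still route through the VPN gateway"
}

# 2. Same check for the IPv6 counterpart key, if this Windows build writes one
#    (assumption: key name Ipv6PrioritizeRemote; skipped when absent).
$v6 = Get-PbkSetting -Path $PhonebookPath -Section $ConnectionName -Key 'Ipv6PrioritizeRemote'
if ($null -ne $v6 -and $v6 -ne '0') {
    $failures += "Ipv6PrioritizeRemote=$v6: the IPv6 default route will still go over the VPN"
}

# 3. Cross-check with what the VPN client itself reports for the all-users connection.
$vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if ($null -eq $vpn) {
    $failures += "Get-VpnConnection does not see an all-users connection named '$ConnectionName'"
} elseif (-not $vpn.SplitTunneling) {
    $failures += "Get-VpnConnection reports SplitTunneling=False (remote default gateway still in use)"
}

# 4. If the tunnel is up, confirm no default route points at the VPN adapter
#    (assumption: the adapter's InterfaceAlias equals the connection name).
if ($vpn -and $vpn.ConnectionStatus -eq 'Connected') {
    $defaultRoute = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -eq $ConnectionName }
    if ($defaultRoute) { $failures += "A 0.0.0.0/0 route still exists on the VPN interface" }
}

if ($failures.Count -eq 0) {
    Write-Output "OK: '$ConnectionName' is deployed with Use Remote Default Gateway off (IpPrioritizeRemote=$v4, SplitTunneling=$($vpn.SplitTunneling))"
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it as an administrator on a client after a gpupdate and reboot, for example `.\Check-VpnGateway.ps1 -ConnectionName 'Ecorp VPN'`. A FAIL on the phone-book check but a passing Get-VpnConnection check (or the reverse) usually means the Ini File preference was applied before the Network Options preference created the connection, or that RAS has rewritten the phone book; re-running gpupdate and rebooting again normally resolves it.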