One of the most common “emergency” requests any IT professional gets is a remote user needing to get on the network. Most of the time people grab their laptop and head to an off-site location. Once they get there, they either aren’t able to log on or can’t reach network resources once they are. This simple GPO creates the VPN connection for you so that users are able to work from anywhere.

Of course it goes without saying that you already need a VPN server set up on your network. This GPO only pushes out the client-side VPN connection to domain computers.

When setting up a VPN connection, 9 times out of 10 you only want traffic destined for the VPN network to travel through the VPN. However, a Windows VPN connection is set by default to route all network traffic over the VPN. It does this with the “Use default gateway on remote network” option, which installs a default route through the tunnel. This means that if your user connects to the VPN and then visits this blog, www.dannyeckes.com, the traffic hairpins through the corporate VPN instead of going out the connection where the user physically is. The downside is that everything the user does shares the VPN link, which can be very slow. The upside is that all of the user’s traffic is encrypted and passes through whatever filtering and monitoring sits behind the VPN. For this GPO we will not use the remote default gateway (split tunneling): only traffic for resources on the VPN network is sent through the tunnel, and everything else leaves the client directly. Make that trade-off deliberately; if your policy requires that remote clients be inspected, leave the remote gateway enabled and skip the “Disabling Default Gateway” section below.

Open the Group Policy Management Console. Select the OU that contains the client computers and create a new GPO titled “Deploy VPN Connection”.


We want this to be a computer configuration because we want the VPN available to all users of the machine. Furthermore, we want the VPN connection to be available prior to logon. Navigate to Computer Configuration | Preferences | Control Panel Settings | Network Options. Right-click and choose New > VPN Connection.


Add your VPN information, just as you would set up the VPN connection on a normal computer. Check “Use DNS Name” and enter the DNS name of your VPN server (a hostname such as vpn.example.com, not a URL). It is always best practice to use a DNS name rather than an IP address: IP addresses tend to change more often than hostnames, and a name lets you move the server without touching the GPO.


Click “OK” and you have a standard VPN connection set to be pushed out. At this point it still uses the remote default gateway.

Disabling “Default Gateway”

Here the GPO edits the machine-wide Remote Access Service phonebook (rasphone.pbk), where the “Use default gateway on remote network” checkbox is stored as the IpPrioritizeRemote setting, and turns it off.

In the same GPO go to Computer Configuration | Preferences | Windows Settings | Ini Files.

Create a new object and set the action to Update.

Input the file path of the all-users rasphone.pbk file: C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk (this is where a computer-side connection lands; per-user connections live under each profile’s AppData instead and are not what this GPO creates).

Section Name should be the display name of your VPN connection, exactly as you typed it in the Network Options item. I used Ecorp VPN. Avoid square brackets in the display name: the Ini Files item treats the bracketed line as the section header, and a name containing brackets will not be matched (see the comments below).

Property Name = IpPrioritizeRemote

Property Value = 0
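The same result can be achieved, and more importantly checked, from PowerShell on a client. The script below is an added example and is not part of the original post or of any Microsoft tooling: it creates the all-users connection with split tunneling, then reads the machine-wide phonebook directly to confirm IpPrioritizeRemote is 0. The connection name “Ecorp VPN”, the server name vpn.ecorp.example and the tunnel type are placeholders; substitute your own. Run it elevated, since the ProgramData phonebook needs administrator rights.

```powershell
# Added example (not from the original post): create an all-users VPN connection
# with "Use default gateway on remote network" turned off, then verify the
# setting in the machine-wide phonebook the GPO's Ini Files item edits.
# Assumptions: "Ecorp VPN" and vpn.ecorp.example are placeholders; tunnel type
# and authentication settings must match your VPN server. Run elevated.

$Name   = 'Ecorp VPN'                 # display name; must not contain [ or ]
$Server = 'vpn.ecorp.example'         # DNS name rather than an IP, as in the post
$Pbk    = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

# Square brackets in the name make the [Section] header ambiguous for any
# INI-style editor, which is the failure mode the comments on the post describe.
if ($Name -match '[\[\]]') {
    throw "VPN name '$Name' contains square brackets; pick a name without them."
}

# 1. Create the connection for all users of the machine (same phonebook the GPO
#    writes). -SplitTunneling is the cmdlet equivalent of clearing
#    "Use default gateway on remote network" (IpPrioritizeRemote=0).
if (-not (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Automatic `
        -AllUserConnection -SplitTunneling | Out-Null
} else {
    Set-VpnConnection -Name $Name -AllUserConnection -SplitTunneling $true
}

# 2. Read the phonebook ourselves. The whole header line is matched, so the
#    lookup finds the section even when the name itself contains brackets.
function Get-PbkValue {
    param([string[]]$Lines, [string]$Section, [string]$Key)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.*)\]\s*$') {          # section header, greedy match
            $inSection = ($Matches[1] -eq $Section)
            continue
        }
        if ($inSection -and $line -match "^$([regex]::Escape($Key))=(.*)$") {
            return $Matches[1]
        }
    }
    return $null                                      # section or key not present
}

$value = Get-PbkValue -Lines (Get-Content -Path $Pbk) -Section $Name -Key 'IpPrioritizeRemote'
if ($value -eq '0') {
    Write-Host "OK: '$Name' will not use the remote default gateway (IpPrioritizeRemote=0)."
} else {
    Write-Warning "'$Name' has IpPrioritizeRemote=$value; all client traffic would go through the tunnel."
}

# 3. After connecting (rasdial "$Name"), confirm there is no 0.0.0.0/0 route
#    through the VPN interface; only the remote network's routes should appear:
#    Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object InterfaceAlias, NextHop, RouteMetric
```

The phonebook check is the part worth keeping after the GPO is in place: run it (or just the Get-PbkValue function) on a client after gpupdate to prove the Ini Files item landed in the right section rather than appending a duplicate one at the end of the file.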


Run gpupdate /force or reboot the computer, and the VPN connection is now available to all users prior to logon (from the network icon on the logon screen). It is also accessible once logged in.


And in the connection’s IPv4 advanced settings, “Use default gateway on remote network” is unchecked.



2 thoughts on “Push VPN without Default Gateway Checked via Group Policy”

  1. Neil A, July 22, 2014 at 11:30 am

    Great article, just one question, I’m trying to update the IpDNSaddress, IpDNS2Address and the IpDNSFlags, and instead of updating the current attributes, it’s adding new ones to the bottom of the .pbk file. Our Display Name for the VPN profile has Brackets in it (reflecting our company name), does this affect the Section Name?

    for example:
    [[xyx] VPN Connection]
    IpDnsAddress=192.168.1.21
    [[xyx] VPN Connection]
    IpDns2Address=192.168.1.22
    [[xyx] VPN Connection]
    IpDnsFlags=1

    Then, re-running gpupdate /force, the bottom of the file looks like this:
    [[xyx] VPN Connection]
    IpDnsAddress=192.168.1.21
    [[xyx] VPN Connection]
    IpDns2Address=192.168.1.22
    [[xyx] VPN Connection]
    IpDnsFlags=1[[xyx] VPN Connection]
    IpDnsAddress=192.168.1.21
    [[xyx] VPN Connection]
    IpDns2Address=192.168.1.22
    [[xyx] VPN Connection]
    IpDnsFlags=1

    Any input would be greatly appreciated.

    • Daniel Eckes, August 9, 2014 at 8:46 pm

      Yes, you answered it. The brackets [] are enter/exit codes in a sense. So the name of your VPN cannot have one of those.

      Best.

Copyright © 2013 DannyEckes.com. All rights reserved. | Site design by Daniel J. Eckes | Privacy