2

I have successfully set up a VPN connection to an EC2 instance of Windows Server 2008 using SSTP. How do I get GPOs to apply upon VPN login?

John R

2 Answers

1

I'd use the Connection Manager Administration Kit to create an EXE that creates the SSTP connection. One of the features of the CMAK is the ability to execute commands after the connection has been established. You could execute a gpupdate after connection to apply Group Policy. Beware, though, that some Group Policy settings only work during boot (Software Installation being one example) so you may never see some types of settings apply.

Evan Anderson
  • That would be one of my exact uses for it (software installation and WSUS). I'll check it out though and see if I can combine this with some other script and registry hack. Thanks – John R Mar 06 '13 at 21:41
  • You might consider just exposing the DCs directly to the Internet and requiring IPSEC such that the EC2 clients can access domain resources during boot. – Evan Anderson Mar 06 '13 at 21:45
  • Thought about that and even experimented with Amazon's firewall settings, but ultimately AWS has too many restrictions that I can't modify to expose the DC "wide open". Plus, even if I did get it to work, there are too many security complications that arise. However, if you are familiar with that type of setup, I would be glad to look over the setting. – John R Mar 06 '13 at 22:01
  • @JohnR: I'm not familiar with it in an Amazon context at all. I probably should spend some time on it but I never have... >sigh< Copious free time, etc... – Evan Anderson Mar 06 '13 at 22:08
  • Just tried to use CMAK using the same settings (more or less) as the regular Windows connection wizard and I get the following error: The certificate's CN name does not match the passed value. (Error 0x800b010f) For customized troubleshooting information for this connection, click Help. Sigh, troubleshooting certificates... my favorite!! (>_<) – John R Mar 07 '13 at 01:24
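
The post-connect `gpupdate` step described in the answer above, as an added example that is not part of the original answer or of CMAK itself. It waits until a domain controller can be located through the tunnel before refreshing policy; the log path, retry counts and the presence of `nltest.exe` on the client are assumptions.

```powershell
# Added example: script to run as a post-connect action once the SSTP tunnel is up.
# Assumptions (not from the page): log location, retry values, nltest.exe available.
param(
    [int]$MaxAttempts = 10,
    [int]$DelaySeconds = 3,
    [string]$LogPath = "$env:LOCALAPPDATA\VpnPostConnect\gpupdate.log"  # hypothetical path
)

function Write-Log([string]$Message) {
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogPath -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

# Group Policy only applies to domain members, so stop early otherwise.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Log "Computer is not domain joined; skipping gpupdate."
    exit 1
}
$domain = $cs.Domain

# Right after the connection is established, DNS and routing to the DC may
# not be ready yet. Retry DC discovery instead of letting gpupdate fail once.
$dcFound = $false
for ($i = 1; $i -le $MaxAttempts; $i++) {
    & nltest.exe "/dsgetdc:$domain" /force | Out-Null
    if ($LASTEXITCODE -eq 0) { $dcFound = $true; break }
    Write-Log ("Attempt {0}: no domain controller located for {1} yet." -f $i, $domain)
    Start-Sleep -Seconds $DelaySeconds
}
if (-not $dcFound) {
    Write-Log "No domain controller reachable over the VPN; policy not refreshed."
    exit 2
}

# Refresh computer and user policy. Settings that are only processed at boot
# (Software Installation, as the answer notes) are not applied by this refresh.
& gpupdate.exe /force /wait:120 | Out-Null
$gpExit = $LASTEXITCODE
Write-Log ("gpupdate finished with exit code {0}." -f $gpExit)
exit $gpExit
```

The log file gives a record of whether the refresh ran on each connection, which helps when a policy setting appears not to apply.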
1

The documentation for Deploying VPN Connections by Using PowerShell and Group Policy worked nicely for me. Not sure why I couldn't get CMAK to work.

I added a small touch for smoother operation by using GPO to create a hidden folder on the local machine and copy the ps1 and xml files; that way there is a locally stored copy of the VPN connection script. Now the computer startup script always has a locally stored path to the script, which makes the setup much more reliable.

John R