Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
On every Windows PC I've seen setup with VPN, you login in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.
So maybe you're overcomplicating things.
Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...
For starters have a look at "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".
I think Windows 10 will cache by default but not if there are GPO settings overriding it or the registry has been altered. I haven't played with it much so I'm not sure if there is anything else that needs to be looked at.
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.
I use this exact same setup for all of our clients. It works perfectly.
Tell me. When you start up the Laptop, and once you press <CTRL>-<ALT>-<DEL> to login, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
And do you see this NetExtender logon when you click it?
It will bring you here next. Building the VPN BEFORE authenticating to the domain.
This should all work for you without any issues.
-
@jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.
I use this exact same setup for all of our clients. It works perfectly.
Tell me. When you start up the Laptop, and once you press <CTRL>-<ALT>-<DEL> to login, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
And do you see this NetExtender logon when you click it?
It will bring you here next. Building the VPN BEFORE authenticating to the domain.
This should all work for you without any issues.
Woah! I'm glad I posted here.. no I didn't see that icon and I was actually looking for it, but I will check asap... What settings do you have for NetExtender?
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
The main problem I have run into is sort of a catch-22 in that, while remote, the user can't login until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means, an employee would take the laptop home and try to sign in with their domain user account but not be able to since the domain would be unreachable until the VPN gets connected.
I use this exact same setup for all of our clients. It works perfectly.
Tell me. When you start up the Laptop, and once you press <CTRL>-<ALT>-<DEL> to login, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
And do you see this NetExtender logon when you click it?
It will bring you here next. Building the VPN BEFORE authenticating to the domain.
This should all work for you without any issues.
Woah! I'm glad I posted here.. I completely missed that for some reason!!!! Its working now as intended... DUDE THANK YOU. You just saved me so much trouble. I owe ya
-
@dave247 That won't work on the latest Sonicwall NetExtender client. It doesn't allow for that.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 That won't work on the latest Sonicwall NetExtender client. It doesn't allow for that.
Can you elaborate on what won't work? I literally downloaded the most recent NetExtender client and its working fine.
-
@dave247 What is the version that you have?
-
@dbeato The version I have is 10.2.319 and it doesn't have that option.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
Looks like I'm on 10.2.300. First time connecting it said NetExtender was required to update versions (I had a slightly earlier version on the file share) and it auto-updated with this. I can try updating it and see if the option goes away but I don't understand why they would remove it...
-
@dave247 If you uninstall the present one and install the latest one then you will not see the option. If you update the in-place application, there is no issue. So if that is the case then it shouldn't be an issue.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)
For the record, the latest version is 10.2.315 and the functionality is there regardless of if you install or upgrade.
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
you be trollin me!
@dbeato is no troll I can assure you
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)
For the record, the latest version is 10.2.315 and the functionality is there regardless of if you install or upgrade.
If I wanted to troll you, I would have failed very badly. You must know me for a while now that I don't troll. Here it is
This is also provided on the SMA Appliances which also has been posted here
https://www.reddit.com/r/sonicwall/comments/rbrlsv/netextender_102319/http://www.wehrenberg.ch/remote.html (Downloads are there)
If you try that version it does go away. However in your case using a different version works for you and that's all that matter.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)
For the record, the latest version is 10.2.315 and the functionality is there regardless of if you install or upgrade.
If I wanted to troll you, I would have failed very badly. You must know me for a while now that I don't troll. Here it is
This is also provided on the SMA Appliances which also has been posted here
https://www.reddit.com/r/sonicwall/comments/rbrlsv/netextender_102319/http://www.wehrenberg.ch/remote.html (Downloads are there)
If you try that version it does go away. However in your case using a different version works for you and that's all that matter.
ah, well they must have removed it due to the bug since it's not available for download from Sonicwall's official download sources. I wouldn't get it anywhere else.
-
@dave247 Yeah correct. Removed by a bug.
-
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
-
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
No, you cannot use 2FA from within Windows Login screen with Sonicwall NetExtender.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
No, you cannot use 2FA from within Windows Login screen with Sonicwall NetExtender.
Actually you can. You just click the icon to pull up NetExtender and punch your creds in, then it asks you for the TOTP.
-
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
Yes, the Sonicwall supports TOPT codes on the connection, thankfully. The VPN connection wouldn't be forced, though users would obviously need a continuous VPN connection to use apps on the local network. We do also have O365 so they aren't dead in the water if the VPN went down for some reason. Yes, I have redundant firewalls, Internet and power, etc. I have as much redundancy and failover as possible/makes sense to. Internet goes down maybe twice a year since I've been there (5+ years) so it's not really a concern at all. Honestly, this is probably the best setup currently for us in our current state.
@JasGot pretty much helped me the most here to solve my problem, which was just something simple I had overlooked.
/thread
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't login at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
No, you cannot use 2FA from within Windows Login screen with Sonicwall NetExtender.
Actually you can. You just click the icon to pull up NetExtender and punch your creds in, then it asks you for the TOTP.
yea, you are right. I was more thinking the SSO MFA SSL VPN but the TOTP either via email (not as secure) or the Authenticator app works well.