Posts Tagged ‘windows 7’

Cisco PIX VPN Setup for Windows 7 & Vista x64

Friday, July 16th, 2010

Alright, sorry it took so long to put the rest of my Vista x64 setup on here.  Here's part 2: configuring Cisco PIX VPNs for Windows Vista and Windows 7 64-bit machines.  To start, Cisco is dropping support for PIX devices, and the ASA is definitely a more robust device anyway.  Cisco has stated they will not be creating a 64-bit VPN client for Vista or 7; you will have to upgrade to an ASA device for your VPN to use the new 64-bit client.

There is a freeware, open-source program that will connect to a PIX VPN with minimal configuration, though.  The program is called vpnc-fe.  Simply download and install the application, then follow these steps to ensure connectivity.

Make sure you install the OpenTAP driver when installing; this driver creates the virtual interface that the VPN tunnels through.

This program is a little strange at first, in that no interface shows when you run it; it is just an icon in the bottom right.


Right-click it to open the menu, then go to Options > Import PCF.  Here you can specify the PCF file you would normally use with the Cisco VPN client.

Now there's about a 50% chance you are good to go.  I had to make some other changes as well.

If you are able to connect and reach your office network by IP, but DNS is not working, add these as your pre-connect and disconnect scripts:

pre-script:

netsh interface ip set dns name = "Local Area Connection" source = static addr = <insert your internal primary DNS server here>
netsh interface ip add dns name = "Local Area Connection" addr = <insert your internal secondary DNS server here>
netsh interface ip add dns name = "Local Area Connection" addr = <insert a public DNS server here, e.g. 4.2.2.2>

Disconnect Script:

netsh interface ip set dns name = "Local Area Connection" dhcp

Save those as batch (.bat) files in the C:\Program Files (x86)\VPNC Front End\ directory.  Then right-click the vpnc-fe icon and go to Options > Connection Settings > Scripts tab.  In the appropriate lines, just put the name of the scripts, not the full path, as it only looks in the directory above.  Try connecting and your DNS woes should be over.

If VPNC shows you are connected but you cannot reach anything by any means, it probably didn't create the routes properly.

For this, I was lucky enough to have two machines: one XP x86 with the Cisco client that worked, and one Vista x64 that didn't.  I just ran route print on both and compared the output to find the issue.  If this is an option for you, it is your best bet.  Here is a rather slim overview of what I did.  Please ask me questions; it has been a couple of months, so I don't remember everything, but if you ask I can work with you to get yours set up.

OK, so open a command prompt after connecting and type "route print".  Take a look at your interfaces and find the one labeled "TAP-Win32 Adapter V9".  If it doesn't show, you may need to enable it and run route print again (it should be enabled if you are connected, though).

First, if you see any routes for 169.254, add these to your pre-connect script:

route DELETE 169.254.0.0
route DELETE 169.254.255.255

Now look for any references to your network.  Generally the routes are created, but without the right mask or interface specified.

Find those and delete them as well:

route DELETE <your company's network>
route DELETE <your company's network (we have 5 subnets that we connect to, so 5 of these)>

Now you will need to create those routes with the proper info.  At the end of your script put:

route ADD <your company's network> MASK <the mask, in the format 255.255.255.0> <the gateway your VPN connects to internally, i.e. the gateway of the virtual network created during tunnel creation, not the public IP of the VPN> METRIC 2 IF <the number of the "TAP-Win32..." interface>

Here is an example of how it should look:

route ADD 192.168.64.0 MASK 255.255.252.0 10.0.0.1 METRIC 2 IF 12

Again, let me know if you have any problems or questions.  I had some other tweaks for different issues, but it has been a couple of months, so give me a problem and I can try to work through it with you.

Here is a complete script as an example:

REM Pre-connect script: point the LAN adapter at the internal DNS servers,
REM then replace the routes vpnc-fe created with ones that carry the right mask and interface.
netsh interface ip set dns name = "Local Area Connection" source = static addr = 172.21.1.20
netsh interface ip add dns name = "Local Area Connection" addr = 4.2.2.2
netsh interface ip add dns name = "Local Area Connection" addr = 172.21.1.41
netsh interface ip add dns name = "Local Area Connection" addr = 4.2.2.3

REM remove the 169.254 (link-local) routes
route DELETE 169.254.0.0
route DELETE 169.254.255.255

REM remove the routes the client created without the right mask/interface
route DELETE 172.21.1.0
route DELETE 172.21.1.0

REM re-add them on the TAP-Win32 interface (IF 12 here; use your own interface number).
REM route ADD only accepts a destination that is the network address for its mask,
REM so check each line against your own route print output before using it.
route ADD 172.21.1.0 MASK 255.255.248.0 10.0.0.1 METRIC 2 IF 12
route ADD 172.21.1.0 MASK 255.255.252.0 10.0.0.1 METRIC 2 IF 12

route DELETE 192.168.64.0
route ADD 192.168.64.0 MASK 255.255.252.0 10.0.0.1 METRIC 2 IF 12
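As an added example (not part of the original post), the Python below automates the two checks described above: it reads the TAP-Win32 interface number and the 169.254 routes out of route print output, and it builds a route ADD line only when the destination really is the network address for its mask, which route.exe otherwise rejects. The route print text is a constructed sample, not captured from a real machine.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of "route print" output on a Windows 7 machine with the
# vpnc-fe TAP adapter installed (not captured from a real system).
ROUTE_PRINT_SAMPLE = """\
===========================================================================
Interface List
 12...00 ff 12 34 56 78 ......TAP-Win32 Adapter V9
 11...00 1a 2b 3c 4d 5e ......Intel(R) 82567LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1     192.168.1.50     20
      169.254.0.0      255.255.0.0        On-link         10.0.0.5    276
  169.254.255.255  255.255.255.255        On-link         10.0.0.5    276
     192.168.64.0  255.255.255.255        On-link         10.0.0.5     21
===========================================================================
"""


def tap_interface_index(route_print: str) -> Optional[int]:
    """Interface number of the "TAP-Win32 Adapter" line, or None if absent."""
    for line in route_print.splitlines():
        m = re.match(r"\s*(\d+)\.{3}.*TAP-Win32", line)
        if m:
            return int(m.group(1))
    return None


def link_local_routes(route_print: str) -> List[Tuple[str, str]]:
    """(destination, netmask) of every 169.254.x.x route, i.e. the ones the
    post has you delete in the pre-connect script."""
    found = []
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].startswith("169.254."):
            found.append((parts[0], parts[1]))
    return found


def route_add_command(network: str, mask: str, gateway: str,
                      ifindex: int, metric: int = 2) -> str:
    """Build the post's route ADD line, refusing a destination that is not the
    network address for its mask (route.exe rejects those)."""
    net = ipaddress.IPv4Network((network, mask), strict=False)
    if net.network_address != ipaddress.IPv4Address(network):
        raise ValueError(f"{network} is not the network address for mask {mask}; "
                         f"did you mean {net.network_address}?")
    ipaddress.IPv4Address(gateway)  # raises ValueError on a malformed gateway
    return f"route ADD {network} MASK {mask} {gateway} METRIC {metric} IF {ifindex}"


def pre_connect_routes(route_print: str, networks: List[Tuple[str, str]],
                       gateway: str) -> List[str]:
    """Route lines for the pre-connect script: delete the 169.254 routes and the
    stale company routes, then re-add the company routes on the TAP interface."""
    ifindex = tap_interface_index(route_print)
    if ifindex is None:
        raise RuntimeError("TAP-Win32 adapter not found; enable it and rerun route print")
    lines = [f"route DELETE {dest}" for dest, _ in link_local_routes(route_print)]
    for network, mask in networks:
        lines.append(f"route DELETE {network}")
        lines.append(route_add_command(network, mask, gateway, ifindex))
    return lines


if __name__ == "__main__":
    for line in pre_connect_routes(ROUTE_PRINT_SAMPLE,
                                   [("192.168.64.0", "255.255.252.0")], "10.0.0.1"):
        print(line)
```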

Killing Processes on Server 2000 from VBScript

Thursday, October 8th, 2009

Alright, so we have a report server that has a massive SQL database and is running Server 2000 SP4. I honestly don't know too much about it, because we have a DBA who does pretty much 90% of the maintenance/admin work on this server, and the reports have nothing to do with the programs I work with. Anyway, the reports that are run export the SQL data to Excel spreadsheets. Once a report is run, the Excel process is left running. This server is already extremely old and bogged down as it is, so having over a hundred instances of Excel running on it wasn't helping. I wrote a script to check for all processes named "excel", see how long they have been running, and then kill the ones that have been running for what seems too long. I had some issues, because Server 2000 obviously does not have all of the capabilities of 2003. This script requires that you download pskill, part of the PSTools suite from SysInternals (now Microsoft). While the script requires pskill, it is able to run on Server 2000/2003/2008 (and 2000/XP/Vista/7), so hopefully it is still useful to someone else out there. The script is below, and I tried to make sure it was well commented to help you out. Feel free to leave any suggestions/questions below. Enjoy.


'''' This script requires pskill, part of the PSTools suite from SysInternals (now Microsoft).
'''' It assumes pskill is in your command-line path (generally C:\Windows\System32, or C:\WINNT\System32 on 2000/NT).

Option Explicit
Dim strComputer, objWMIService, colProcessList, objProcess, PDate, Days, Hrs, Min, Sec, objSWbemLocator, WshShell
strComputer = "."
Set WshShell = CreateObject("wscript.shell")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where Name = 'Excel.exe'") ' Replace Excel with whatever process you're looking for.
Do
    If colProcessList.Count = 0 Then ' Stop the script when the process we are looking for is not running (see the recheck at the bottom of the loop).
        Exit Do
    Else
        For Each objProcess in colProcessList
            If objProcess.CreationDate <> "" Then
                PDate = Left(objProcess.CreationDate, 14) ' start time in the format yyyymmddhhmmss (local time; the UTC-offset suffix is dropped)
                Days = DateDiff("d", DateSerial(Left(PDate, 4), Mid(PDate, 5, 2), Mid(PDate, 7, 2)), Date) ' whole days since the process started
                Hrs = Hour(Now) - Mid(PDate, 9, 2) ' hours the process has been running, only meaningful if it started today
                Min = Minute(Now) - Mid(PDate, 11, 2) ' same, but for minutes
                Sec = Second(Now) - Mid(PDate, 13, 2) ' same, but for seconds
                If Hrs > 6 Then ' This is where you specify how long the process has to have been running to be killed, so you don't kill active jobs. Change "Hrs" to "Min" or "Sec" for minutes or seconds, and 6 to whatever number of units (currently kills processes over 6 hours old).
                    WshShell.Run "pskill -t " & objProcess.ProcessId, 0, False
                ElseIf Days > 0 Then ' Failsafe for the previous test: since Hrs only works for processes started today, this guarantees anything over a day old is killed.
                    WshShell.Run "pskill -t " & objProcess.ProcessId, 0, False
                End If
            End If
        Next
        WScript.Sleep 1000 ' wait before trying again
        Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where Name = 'Excel.exe'") ' Recheck for processes. This keeps the script looking until there aren't any active processes, i.e. if a report is being run now, we wait until it is done before killing the process and ending the script.
    End If
Loop
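As an added example (not code from the post), the Python below computes the process age from the full Win32_Process.CreationDate value instead of subtracting hour fields as the VBScript does, which misjudges anything that started before midnight; it also reproduces the VBScript's own test so the two can be compared. The process list and check time are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# Win32_Process.CreationDate is a CIM_DATETIME: yyyymmddHHMMSS.ffffff followed by
# the UTC offset in minutes, e.g. 20091008083000.000000-240 (08:30 local, UTC-4).
CIM_DATETIME_RE = re.compile(
    r"^(?P<ymd>\d{8})(?P<hms>\d{6})\.(?P<us>\d{6})(?P<sign>[+-])(?P<off>\d{3})$")


def parse_cim_datetime(value: str) -> datetime:
    """Turn a CIM_DATETIME string into a timezone-aware datetime."""
    m = CIM_DATETIME_RE.match(value)
    if not m:
        raise ValueError(f"not a CIM_DATETIME value: {value!r}")
    local = datetime.strptime(m["ymd"] + m["hms"], "%Y%m%d%H%M%S")
    local = local.replace(microsecond=int(m["us"]))
    offset = int(m["off"]) * (1 if m["sign"] == "+" else -1)
    return local.replace(tzinfo=timezone(timedelta(minutes=offset)))


def process_age(creation_date: str, now: datetime) -> timedelta:
    """Age of a process at instant `now` (which must be timezone-aware)."""
    return now - parse_cim_datetime(creation_date)


def post_script_would_kill(creation_date: str, now: datetime) -> bool:
    """The test the VBScript above performs, reproduced for comparison: kill if
    (Hour(Now) - start hour) > 6, otherwise if the start date is before today.
    `now` is taken in the same local zone the VBScript's Now/Date would use."""
    p = creation_date[:14]
    days = (now.date() - datetime.strptime(p[:8], "%Y%m%d").date()).days
    hrs = now.hour - int(p[8:10])
    return hrs > 6 or days > 0


def processes_to_kill(processes: Iterable[Tuple[int, str, str]], now: datetime,
                      max_age: timedelta = timedelta(hours=6)) -> List[int]:
    """PIDs of excel.exe instances that have run longer than max_age.
    `processes` holds (ProcessId, Name, CreationDate) as Win32_Process reports them."""
    return [pid for pid, name, created in processes
            if name.lower() == "excel.exe" and process_age(created, now) > max_age]


# Constructed sample of what a Win32_Process query might return on the report server.
SAMPLE_PROCESSES = [
    (1234, "EXCEL.EXE", "20091008120000.000000-240"),    # 13 h old: kill
    (2345, "EXCEL.EXE", "20091008220000.000000-240"),    # 3 h old, but started yesterday
    (3456, "EXCEL.EXE", "20091008183000.000000-240"),    # 6.5 h old: kill
    (4567, "sqlservr.exe", "20091001000000.000000-240"), # not Excel: leave alone
]
# The instant the check runs: 01:00 local on the next day (UTC-4, offset -240).
CHECK_TIME = datetime(2009, 10, 9, 1, 0, tzinfo=timezone(timedelta(minutes=-240)))

if __name__ == "__main__":
    for pid in processes_to_kill(SAMPLE_PROCESSES, CHECK_TIME):
        print(f"pskill -t {pid}")
```

PID 2345 is only three hours old, yet the VBScript's Days > 0 failsafe would kill it because it started before midnight; the age-based test leaves it alone.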

Login Script for Everyone

Monday, September 21st, 2009

UPDATED 12/23/09: The script at the bottom is the original.  I have made a few changes to log all errors and to fix a couple of glitches that come up in some environments, changed the syntax of the AddWindowsPrinterConnection command, and made it set the default printer.  Here is the new script (the original post is below):


Option Explicit
Const ADS_PROPERTY_APPEND = 3 ' sets the variable to Append
Const ADS_UF_NORMAL_ACCOUNT = 512
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const HKEY_LOCAL_MACHINE = &H80000002
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

Dim WshShell : Set WshShell = CreateObject("wscript.shell")
Dim strContainer, strUser, i, objRootDSE, strDisplayName, objFSO, objInFile, objContainer, strLine, strName, objOU, objGroup, objUser, objFile, objFile2, varDomainNC, objRoot, strText, FirstLine, arrMemberOf, Group, strFirstName, strLastName, strLine2, objOU2, objNetwork, strGroup, objConnection, objCommand, objRecordSet, objErrorLog, strComputer, colItems, objWMIService, colInstalledPrinters, strComputer2
Set objOU2 = GetObject("LDAP://CN=users,DC=domain,DC=local")
Set objOU = GetObject("LDAP://ou=users,ou=indianapolis,DC=domain,DC=local")
objOU.Filter = Array("user")
Set objGroup = objOU2.GetObject("group", "cn=CSRs")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNetwork = WScript.CreateObject("Wscript.Network")
Set objRootDSE = GetObject("LDAP://rootDSE")
strComputer2 = "."
Dim CRLF
CRLF = Chr(13) & Chr(10)

'************* (Global Scripting) this section applies to all computers no matter what group users are in.

'' default lockheed banner script (Ask is defined here but not called by this script)
Function Ask(strAction)
    Dim intButton
    intButton = MsgBox(strAction, _
        vbQuestion + vbYesNo, _
        L_Welcome_MsgBox_Title_Text)
    Ask = intButton = vbYes
End Function

MsgBox "This system is the property of this Corporation, and is intended for" & CRLF & _
    "the use of authorized users only. All activities of individuals using this computer" & CRLF & _
    "with or without authority, or in excess of their authority, may be monitored and recorded" & CRLF & _
    "by system personnel. If any such monitoring reveals evidence of criminal activity or is in" & CRLF & _
    "violation of foreign or U.S. state or federal law, such evidence may be provided to law" & CRLF & _
    "enforcement officials and/or used for further legal action by this Corporation and/or the" & CRLF & _
    "organization's Information Protection group. Unauthorized use of this system is prohibited" & CRLF & _
    "and may result in revocation of access, disciplinary action and/or legal action. The" & CRLF & _
    "company reserves the right to monitor and review user activity, files and electronic messages." & CRLF & _
    "REMINDER: Information transmitted to a foreign person on this network may be subject " & CRLF & _
    "to applicable Export Control laws. Contact your Export Coordinator for assistance." & CRLF & _
    "(This machine is not authorized for classified processing)", _
    vbOKOnly, _
    "SYSTEM USE MONITORING NOTICE - IPM-003 Banner Statement"

WshShell.Run "net use s: /delete", 0, False
WshShell.Run "Net use s: \\server\shared /persistent:yes", 0, False

'************* End of global scripting

'' pull local computer name for logging info.
strComputer = objNetwork.ComputerName

'' pull logon id
strUser = objNetwork.UserName

'' turn logon id into container name for LDAP queries
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = ";(&(objectCategory=User)(samAccountName=" & strUser & "));name;subtree"
Set objRecordSet = objCommand.Execute
On Error Resume Next
strUser = objRecordSet.Fields("name")
On Error GoTo 0
objConnection.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
strUser = Replace(strUser, ",", "\,")

'' set user to have LDAP queries run
On Error Resume Next
Set objUser = GetObject("LDAP://cn=" & strUser & ",ou=users,ou=indianapolis,dc=domain,dc=local")
If Err.Number = 0 Then

    '' \/\/\/\/\/\/ Determine group memberships. PLEASE NOTE: group names must be in UPPER case and the "Left(strGroup, X)"
    '' X must be the number of characters in the group name.
    '' \/\/\/\/\/\/\/

    arrMemberOf = objUser.GetEx("memberOf")

    If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
        For Each Group in arrMemberOf
            strGroup = UCase(Group)
            strGroup = Right(strGroup, Len(strGroup) - 3) ' drop the leading "CN="
            If Left(strGroup, 2) = "IT" Then
                '***** IT group scripting

                '' set Z: (IT) drive
                WshShell.Run "net use z: /delete", 0, False
                WshShell.Run "Net use z: \\server\it /persistent:yes", 0, False

                '' Prepare to set printers
                Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

                '' This prevents the script from stopping when mapping network printers on the server where they
                '' are shared from
                On Error Resume Next

                '' Add Printers
                objNetwork.AddWindowsPrinterConnection "\\server\Xerox WorkCentre 5675 PS"
                objNetwork.SetDefaultPrinter "\\server\Xerox WorkCentre 5675 PS"

                '***** End of IT
            ElseIf Left(strGroup, 4) = "CSRS" Then
                '***** CSR group scripting

                '***** End of CSR
            ElseIf Left(strGroup, 10) = "MANAGEMENT" Then
                '***** Management group scripting - NOTE: all managers are members of "Team Leads" group

                '***** End of Management
            ElseIf Left(strGroup, 7) = "QUALITY" Then ' strGroup was upper-cased above, so the comparison must be upper case too
                '***** Quality scripting - NOTE: all quality are members of "TeamLeads" group

                '***** End of Quality
            ElseIf Left(strGroup, 9) = "TEAMLEADS" Then ' "TEAMLEADS" is 9 characters, so X must be 9
                '***** Team Lead scripting

                '' Prepare to set printers
                Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

                '' This prevents the script from stopping when mapping network printers on the server
                '' where they are shared from
                On Error Resume Next

                '' Add Printers
                objNetwork.AddWindowsPrinterConnection "\\server\Xerox WorkCentre 5675 PS"

                '***** End of Team Lead
            End If
        Next
    Else
        '***** Create Error Log if groups could not be determined
        Set objErrorLog = objFSO.OpenTextFile("\\server\errors\signonerrors.txt", ForAppending, True)
        objErrorLog.WriteLine strUser & " on " & strComputer & " could not be found in Active Directory on " & Date
        objErrorLog.WriteLine "The error code is " & Err.Number
        objErrorLog.Close
        Err.Clear
    End If
Else
    '***** Create Error Log for all other errors
    Set objErrorLog = objFSO.OpenTextFile("\\server\errors\signonerrors.txt", ForAppending, True)
    objErrorLog.WriteLine strUser & " on " & strComputer & " had the following error: " & Err.Number & " on " & Date
    objErrorLog.Close
    Err.Clear
End If

ORIGINAL POST: We have a new program in with a new domain. On our other networks, there are separate logon scripts for pretty much every security group, and they all call other scripts. With this network I wanted to keep things simple, so this script connects to AD and checks the user's group membership before running the appropriate commands for each group. This particular network does not have any shares yet and isn't very complex, but here is the base of it. Let me know if you want to know how to add anything more to it.

Option Explicit
Const ADS_PROPERTY_APPEND = 3 ' sets the variable to Append
Const ADS_UF_NORMAL_ACCOUNT = 512
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Const HKEY_LOCAL_MACHINE = &H80000002
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

Dim WshShell : Set WshShell = CreateObject("wscript.shell")
Dim strContainer, strUser, i, objRootDSE, strDisplayName, objFSO, objInFile, objContainer, strLine, strName, objOU, objGroup, objUser, objFile, objFile2, varDomainNC, objRoot, strText, FirstLine, arrMemberOf, Group, strFirstName, strLastName, strLine2, objOU2, objNetwork, strGroup, objConnection, objCommand, objRecordSet, objErrorLog, strComputer, colItems, objWMIService, colInstalledPrinters, strComputer2
Set objOU2 = GetObject("LDAP://CN=users,DC=arra,DC=local")
Set objOU = GetObject("LDAP://OU=arra-users,DC=arra,DC=local")
objOU.Filter = Array("user")
Set objGroup = objOU2.GetObject("group", "cn=CSRs")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNetwork = WScript.CreateObject("Wscript.Network")
Set objRootDSE = GetObject("LDAP://rootDSE")
strComputer2 = "."
Dim CRLF
CRLF = Chr(13) & Chr(10)

'************* (Global Scripting) this section applies to all computers no matter what group users are in.

'' default lockheed banner script (Ask is defined here but not called by this script)
Function Ask(strAction)
    Dim intButton
    intButton = MsgBox(strAction, _
        vbQuestion + vbYesNo, _
        L_Welcome_MsgBox_Title_Text)
    Ask = intButton = vbYes
End Function

MsgBox "This system is the property of this Corporation, and is intended for" & CRLF & _
    "the use of authorized users only. All activities of individuals using this computer" & CRLF & _
    "with or without authority, or in excess of their authority, may be monitored and recorded" & CRLF & _
    "by system personnel. If any such monitoring reveals evidence of criminal activity or is in" & CRLF & _
    "violation of foreign or U.S. state or federal law, such evidence may be provided to law" & CRLF & _
    "enforcement officials and/or used for further legal action by this Corporation and/or the" & CRLF & _
    "organization's Information Protection group. Unauthorized use of this system is prohibited" & CRLF & _
    "and may result in revocation of access, disciplinary action and/or legal action. The" & CRLF & _
    "company reserves the right to monitor and review user activity, files and electronic messages." & CRLF & _
    "REMINDER: Information transmitted to a foreign person on this network may be subject " & CRLF & _
    "to applicable Export Control laws. Contact your Export Coordinator for assistance." & CRLF & _
    "(This machine is not authorized for classified processing)", _
    vbOKOnly, _
    "SYSTEM USE MONITORING NOTICE - IPM-003 Banner Statement"

'************* End of global scripting

'' pull local computer name for logging info.
strComputer = objNetwork.ComputerName

'' pull logon id
strUser = objNetwork.UserName

'' turn logon id into container name for LDAP queries
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = ";(&(objectCategory=User)(samAccountName=" & strUser & "));name;subtree"
Set objRecordSet = objCommand.Execute
On Error Resume Next
strUser = objRecordSet.Fields("name")
On Error GoTo 0
objConnection.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

'' set user to have LDAP queries run
Set objUser = GetObject("LDAP://cn=" & strUser & ",ou=arra-users,dc=arra,dc=local")

'' \/\/\/\/\/\/ Determine group memberships. PLEASE NOTE: group names must be in UPPER case and the "Left(strGroup, X)"
'' X must be the number of characters in the group name.
'' \/\/\/\/\/\/\/

arrMemberOf = objUser.GetEx("memberOf")

If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
    For Each Group in arrMemberOf
        strGroup = UCase(Group)
        strGroup = Right(strGroup, Len(strGroup) - 3) ' drop the leading "CN="
        If Left(strGroup, 2) = "IT" Then
            '***** IT group scripting

            '' set Z: (IT) drive
            WshShell.Run "net use z: /delete", 0, False
            WshShell.Run "Net use z: \\indarradc04\it", 0, False

            '' Prepare to set printers
            Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

            '' This prevents the script from stopping when mapping network printers on the server where they
            '' are shared from
            On Error Resume Next

            '' Add Printers
            objNetwork.AddWindowsPrinterConnection("\\indarradc03\Xerox WorkCentre 5675 PS")

            '***** End of IT
        ElseIf Left(strGroup, 4) = "CSRS" Then
            '***** CSR group scripting

            '***** End of CSR
        ElseIf Left(strGroup, 10) = "MANAGEMENT" Then
            '***** Management group scripting - NOTE: all managers are members of "Team Leads" group

            '***** End of Management
        ElseIf Left(strGroup, 10) = "TEAM LEADS" Then
            '***** Team Lead scripting

            '' Prepare to set printers
            Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

            '' This prevents the script from stopping when mapping network printers on the server
            '' where they are shared from
            On Error Resume Next

            '' Add Printers
            objNetwork.AddWindowsPrinterConnection("\\indarradc03\Xerox WorkCentre 5675 PS")

            '***** End of Team Lead
        End If
    Next
Else
    '***** Create Error Log if groups could not be determined
    Set objErrorLog = objFSO.OpenTextFile("\\indarradc04\errors\signonerrors.txt", ForAppending, True)
    objErrorLog.WriteLine strUser & " on " & strComputer & " could not be found in Active Directory on " & Date
    objErrorLog.Close
    Err.Clear
End If
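Both versions of the script above pick a branch by upper-casing the memberOf string, dropping the leading "CN=" and comparing a fixed-length prefix, so any group whose name merely starts with "IT" takes the IT branch, and a CN containing an escaped comma is not handled. As an added example (not the post's code), the Python below parses each memberOf distinguishedName into its RDNs and dispatches on the exact group name; the group-to-action table mirrors the updated script, and the memberOf values are constructed.

```python
import re
from typing import Dict, List, Tuple

# Exact group name (case-folded) -> what the updated login script does for it.
# The commands are the post's; the table itself is constructed for this example.
GROUP_ACTIONS: Dict[str, List[str]] = {
    "it": ["net use z: /delete",
           "net use z: \\\\server\\it /persistent:yes",
           "AddWindowsPrinterConnection \\\\server\\Xerox WorkCentre 5675 PS",
           "SetDefaultPrinter \\\\server\\Xerox WorkCentre 5675 PS"],
    "csrs": [],
    "management": [],
    "quality": [],
    "teamleads": ["AddWindowsPrinterConnection \\\\server\\Xerox WorkCentre 5675 PS"],
}

# A comma that is not escaped with a backslash separates RDNs (RFC 4514).
_RDN_SEPARATOR = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a distinguishedName into (attribute, value) pairs, removing the
    backslash escapes AD puts in front of , + " \\ < > ; = inside values."""
    pairs = []
    for rdn in _RDN_SEPARATOR.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value)))
    return pairs


def group_cn(dn: str) -> str:
    """The group's own name: the value of the leading CN= of its memberOf entry."""
    attr, value = parse_dn(dn)[0]
    if attr != "cn":
        raise ValueError(f"memberOf entry does not start with CN=: {dn!r}")
    return value


def actions_for(member_of: List[str]) -> List[str]:
    """Commands to run for a user, chosen by exact group name."""
    actions: List[str] = []
    for dn in member_of:
        actions.extend(GROUP_ACTIONS.get(group_cn(dn).lower(), []))
    return actions


def post_script_branch(dn: str) -> str:
    """The test the VBScript makes, for comparison: upper-case the DN, drop the
    first three characters ("CN="), then compare a fixed-length prefix."""
    rest = dn.upper()[3:]
    for prefix in ("IT", "CSRS", "MANAGEMENT", "QUALITY", "TEAMLEADS"):
        if rest.startswith(prefix):
            return prefix
    return ""


# Constructed memberOf values for a test user (domain name taken from the post).
SAMPLE_MEMBER_OF = [
    "CN=IT,OU=Groups,DC=domain,DC=local",
    "CN=Italy-Office,OU=Groups,DC=domain,DC=local",        # starts with "IT" but is not IT
    "CN=TeamLeads,CN=Users,DC=domain,DC=local",
    "CN=Smith\\, Jane Team,OU=Groups,DC=domain,DC=local",  # escaped comma inside the CN
]

if __name__ == "__main__":
    for dn in SAMPLE_MEMBER_OF:
        print(f"{group_cn(dn)!r:24} prefix test -> {post_script_branch(dn) or '(none)'}")
    for command in actions_for(SAMPLE_MEMBER_OF):
        print(command)
```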

Again, let me know if you need help modifying/adding anything for your own use.

**UPDATE (9/25)**

Changed the
WshShell.Exec("net use...")
lines to
WshShell.Run "net use...", 0, False

This allows us (and already does) to run any outside commands or scripts (in this case mapping drives, but it can call .bat files or whatever) invisibly (the 0), and "False" says to continue with the rest of the script immediately; True would mean waiting for the outside command to complete before continuing. This site has the details.

Run Method (Windows Script Host)

Watchguard SSL VPN - updated 5/14 (see bottom)

Wednesday, April 15th, 2009

So, we tend to use Firebox (http://www.watchguard.com) firewall appliances quite a bit at the company I work for.  When I first started this job I was very skeptical of their abilities, but I focused more on the server side of things and not routing or advanced firewalling.  Lately, though, I have been forced to become more familiar with them, and I must say I like them more and more all the time.  One of the most used features of the Watchguards is their Mobile User VPN.  Well, I had never before messed with AD authentication in the Firebox; I always just set up users in the Firebox DB.  I also found out that licensing for SSL VPN users is 20:1 to MUVPN users, which is way more bang for your buck.  SSL VPN only works (to my knowledge) with 750 or higher models, basically anything using WSM.  Here's a quick little tutorial:

Once connected to your Firebox, open the Policy Manager.

First, we need to set up AD authentication.  Go to Setup > Authentication > Authentication Servers.  Go to the Active Directory tab and check Enable Active Directory server.  Put in the IP of a domain controller in your environment.  This DC MUST be a global catalog server.  Set the port to 3286 (GC port).  Search Base must be in the format dc=business,dc=local (for the AD domain business.local).  You should be done here; there are other optional settings, and you can configure a secondary DC to use, but this will work for now.  Just copy these settings over for the secondary.  Click OK and go back to the Policy Manager.


At the top, go to the VPN menu > Mobile > SSL

Check the box to Activate SSL VPN, then choose the authentication type.  For this snippet I am only doing Active Directory authentication, because I find it the most useful for my clients.

Next, put your public IP/domain name in the box that says "Please type or select IP or domain name for SSL VPN users to connect to".  If you have multiple external IPs assigned to this device you can configure a backup, but that's personal preference, and I don't see much of an advantage since they are most likely in the same WAN block from the same ISP.

Then just select the resources they will have access to and the IPs they will be using.  The VPN users' IPs should not be on the same subnet as your internal networks (trusted, optional, or any others).


In the Advanced tab, choose your encryption (I use SHA1-3DES since it is the most secure, but a little lower speed).

Here is one thing to note: I always change the port to 444.  No matter where I go, port 443 (the default for SSL) is already in use.  Changing this helps prevent conflicts.  I can't think of anything that uses 444 by default off the top of my head, and I haven't seen any conflicts yet.

For DNS and WINS servers, be sure you use your AD domain name (i.e. business.local) and at least one DC for DNS (preferably the same one used for authentication).


Click OK.  Go ahead and save the configuration changes to the Firebox, and you're done as far as configuration goes.  For users to connect, they will need to download a small client (don't worry, it's tiny, and it's easier for an idiot to get than Google Toolbar) from https://yourpublicipordomain.com:4100/sslvpn.html.  They will need to use their AD information to log into this site.  They will be prompted to download a Windows client or Mac client.  Yes, this works with Windows 2000, XP, Vista, 7 beta and OS X 10.x; at least, it has for me, and I'm not sure what Watchguard is claiming.  Anyway, once it's downloaded, the client sits in the task bar and, when clicked, pops up a username/password screen.  Their AD information will log them in and you don't have to worry.  If it ever starts having issues, or Watchguard updates the firmware for your Firebox (which they're always doing) and it causes an issue, the client is designed so that you can simply go back and re-download/install it.  No uninstalls or tweaks.

Hope this helps someone out there.

updated 4/16:  FYI, the SSL VPN client is not compatible with any 64-bit OS.

updated 5/14 CRITICAL NOTE:

I forgot to put an absolutely critical step into this, and I apologize to all.  Watchguard, by default, looks for a security group in AD to approve users.  In AD, go to security groups and add a group "SSLVPN-Users".  Then add whoever will be using the VPN to the group; if it is everyone, just add Domain Users.
