#1
Hello,

I am trying to figure out how I can enable our company-issued laptops to run GPOs and scripts over the Internet without any need to use a VPN client. I don’t think there is any way of doing this with a VPN client because the GPO processing happens before the VPN client is called up for users to enter credentials.

Are there any resources on this topic? The only solution I have been able to conjure up is to place a domain controller in a public DMZ and open up IPSec to it from the Internet. Then create an IPSec policy that forces all communications to that domain controller to use IPSec. I don’t know about security on this so wanted to check here first.

This would only work with a valid domain name, and if public DNS servers contain info so the laptops could find the domain controller.

Any comments or alternative solutions would be great. If I want to grant our users access to their "My Documents" I could put a file server in the DMZ, and use IPSec to it also.

I don’t want to do something funky, but that was the only thing I could come up with. I’m open to other ideas.

Justin
#2
I can think of at least two ways that you could do this using a VPN connection.

The first is to use the "logon using a dialup connection" option on the client. This forces the client to do a domain login at connection time, and this should force the GPO to be applied.

The second would be to force the client to do a domain login after connection. The VPN connection process and domain login are two separate operations.

"Justin" <(E-Mail Removed)> wrote in message news:A5FA1D46-28CC-4021-9E9B-(E-Mail Removed)...
> Hello,
>
> I am trying to figure out how I can enable our company-issued laptops to run GPOs and scripts over the Internet without any need to use a VPN client. I don’t think there is any way of doing this with a VPN client because the GPO processing happens before the VPN client is called up for users to enter credentials.
>
> Are there any resources on this topic? The only solution I have been able to conjure up is to place a domain controller in a public DMZ and open up IPSec to it from the Internet. Then create an IPSec policy that forces all communications to that domain controller to use IPSec. I don’t know about security on this so wanted to check here first.
>
> This would only work with a valid domain name, and if public DNS servers contain info so the laptops could find the domain controller.
>
> Any comments or alternative solutions would be great. If I want to grant our users access to their "My Documents" I could put a file server in the DMZ, and use IPSec to it also.
>
> I don’t want to do something funky, but that was the only thing I could come up with. I’m open to other ideas.
#3
You could probably also control this by using CMAK on the VPN server to download the client's config from the server.

"Bill Grant" <not.available@online> wrote in message news:(E-Mail Removed)...
> I can think of at least two ways that you could do this using a VPN connection.
>
> The first is to use the "logon using a dialup connection" option on the client. This forces the client to do a domain login at connection time, and this should force the GPO to be applied.
>
> The second would be to force the client to do a domain login after connection. The VPN connection process and domain login are two separate operations.
#4
That works great if you only need to run user GPOs, but I said Laptop aka Machine/Computer assigned GPOs.

The "logon using a dialup connection" option does work for user GPOs. The GPOs I'm trying to run will not run except during computer startup. That point is already gone, done and over by the time users are prompted for logon.

"Bill Grant" wrote:
> I can think of at least two ways that you could do this using a VPN connection.
>
> The first is to use the "logon using a dialup connection" option on the client. This forces the client to do a domain login at connection time, and this should force the GPO to be applied.
>
> The second would be to force the client to do a domain login after connection. The VPN connection process and domain login are two separate operations.
#5
I doubt that you will ever come up with a satisfactory solution for that. Putting a DC in a DMZ is not really an option. The exceptions you need to set up in the firewall between the LAN and the DMZ to allow communication with other DCs make the whole thing pretty pointless.

"Justin" <(E-Mail Removed)> wrote in message news:7697E590-6635-4487-82E4-(E-Mail Removed)...
> That works great if you only need to run user GPOs, but I said Laptop aka Machine/Computer assigned GPOs.
>
> The "logon using a dialup connection" option does work for user GPOs. The GPOs I'm trying to run will not run except during computer startup. That point is already gone, done and over by the time users are prompted for logon.