Group Policy and VPNs
-
I see a lot of people on another forum regularly having issues where they use Group Policies on Windows and expensive VPNs, and Group Policies (and current AD logins) do not work on off-network laptops. This is a problem that surprises me, as having worked with GP, which is admittedly problematic to get to work reliably, these problems have never existed for me even under the same circumstances.
What I've come to learn is that there seem to be three factors that I don't understand that seem to be so common as to be assumed:
- Group Policy is the end all of Windows management and must be used.
- Expensive Cisco VPN technology will be used even when it doesn't meet obvious needs.
- That GP not being reliable is just acceptable and will be kept in a non-working or half-working state.
This seems crazy to me. Using more modern VPNs, or just refusing to use specific VPNs or VPN configurations that make endpoints appear transparently on the network rather than joining after the user has logged into the endpoint, would alone fix this problem. OpenVPN, ZeroTier, Pertino, Netgear, Microsoft's traditional VPN, DirectAccess... nearly all non-Cisco VPNs address this natively.
Group Policy is seen as a must use, yet no one seems to worry that it doesn't work? Why are people so tied to something they don't feel actually works? GP works, apparently, better for me than for most people and I don't see the religious value to it. Neat technology, great idea, the filters are excellent, fully included and integrated is great, works from Linux too, easier extended to other apps... all great.
But in this day and age, when there are technologies like PDQ Deploy or Salt that can do all the things that Group Policy can do, but in a more efficient, and more reliable way, that are free or cheap, why do so many people cling to GP, especially in scenarios where it doesn't meet the need? Or cling to VPNs that are not working as the network is designed?
If GP works in your environment, great. But when it doesn't, move on. Or fix it.
-
We have the problem with Pertino that while nearly everything works, it is 'borking' DNS in a manner that things like MS Outlook can't find Office365.
And the native MS Windows VPN gets borked and won't connect to an ERL from time to time, forcing the user back to Pertino.
-
@gjacobse said in Group Policy and VPNs:
We have the problem with Pertino that while nearly everything works, it is 'borking' DNS in a manner that things like MS Outlook can't find Office365.
Is that because of the AD Connector?
-
SDN and internal DNS seem to be the problem. If one could go completely to an external DNS, that might help, but you're still having two IPs on everything, both a physical NIC/VM and the SDN NIC.
-
What is AD Connector? This is not something I am familiar with. Where would it be located?
-
@gjacobse said in Group Policy and VPNs:
What is AD Connector? This is not something I am familiar with. Where would it be located?
It was a thing you could buy from Pertino that fixed DNS issues with AD.
-
@gjacobse said in Group Policy and VPNs:
What is AD Connector? This is not something I am familiar with. Where would it be located?
It's the piece of Pertino that you have to pay extra for in order to get AD to work correctly with Pertino. You can tell if you have it because it should be listed as one of the add ons in the console. Also, if AD servers are set up in Pertino, that's the functionality that allows that to happen. It allows you to select up to three AD servers that will be defined by and controlled by Pertino.
-
@Dashrender said in Group Policy and VPNs:
SDN and internal DNS seems to be the problem. If one could go completely to an external DNS, that might help, but you're still having two IPs on everything, both a physical NIC/VM and the SDN NIC.
The theory of an overlay SDN is that every device has the SDN IP and should use only that.
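The two-IP / two-DNS situation discussed in the posts above is easiest to reason about once you can see, per adapter, which resolver the client is configured to use and what each of those resolvers actually answers for an internal AD name. The following PowerShell script is an added diagnostic example for this thread; it is not code from Pertino, Microsoft or any poster. It assumes a Windows 8 / Server 2012 or newer client with the built-in NetTCPIP and DnsClient modules, and the internal host name "dc01.corp.example" is a placeholder to replace with a real domain controller or other internal name.

```powershell
# Added example (not from the thread). Placeholder internal name; replace it
# with a real AD host. Requires the NetTCPIP and DnsClient modules (Win8+/2012+).
param([string]$InternalName = "dc01.corp.example")

# 1. Connected IPv4 interfaces in the order Windows prefers them (lowest metric
#    wins for both routing and, by default, DNS server selection).
Get-NetIPInterface -AddressFamily IPv4 |
  Where-Object ConnectionState -eq 'Connected' |
  Sort-Object InterfaceMetric |
  Select-Object InterfaceAlias, InterfaceMetric |
  Format-Table -AutoSize

# 2. DNS servers configured on each adapter (physical NIC vs. the overlay/SDN NIC).
$dnsByAdapter = Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses.Count -gt 0 }
$dnsByAdapter | Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 3. Query every configured server directly for the internal name, bypassing the
#    client resolver's own server ordering, so you can see which server knows the
#    AD name and which one fails (the symptom behind Outlook not finding things).
foreach ($entry in $dnsByAdapter) {
  foreach ($server in $entry.ServerAddresses) {
    try {
      $answer = Resolve-DnsName -Name $InternalName -Type A -Server $server -DnsOnly -ErrorAction Stop |
        Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
      "{0,-25} {1,-16} -> {2}" -f $entry.InterfaceAlias, $server, ($answer -join ', ')
    } catch {
      "{0,-25} {1,-16} -> FAIL: {2}" -f $entry.InterfaceAlias, $server, $_.Exception.Message
    }
  }
}

# 4. What the system resolver actually returns for the same name; if this differs
#    from the per-server answers above, the adapter ordering is what needs fixing.
try {
  $sys = Resolve-DnsName -Name $InternalName -Type A -ErrorAction Stop |
    Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
  "system resolver           -> {0}" -f ($sys -join ', ')
} catch {
  "system resolver           -> FAIL: {0}" -f $_.Exception.Message
}
```

Run it from an elevated or normal PowerShell session on an affected laptop while the overlay is connected. If the per-server queries show the internal DNS answering correctly but the system resolver failing (or returning a public/NXDOMAIN answer), the client is preferring the wrong adapter's DNS servers, which matches the overlay SDN expectation that the SDN address and its resolver should be the only ones in use.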
-
Well, from this it would appear that it should be available.
-
Available, but is it being used properly?
-
We use Cisco AnyConnect that authenticates against AD, but is not tied to any kind of GPS, and it works for us just fine. Except for deployment, I see no need in using GPS.
If we use GPS for anything, it's with RADIUS for our wireless network. That works in one location but not the other. And this is only because both locations have different wireless systems and in how each system implements RADIUS and authenticates a laptop against an OU.