Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
-
Hi all, I'm just looking to get some insight and direction with this as I'm a little stuck here...
I currently have several domain joined laptops that I’m looking to set up so that users can take them home to work remote when needed, then bring them back to use as their main PC when on site. My company currently uses a Sonicwall NSA UTM which has SSLVPN, which, along with the NetExtender client, allows remote users to connect into the network as if they were on-prem.
As a POC phase, I have successfully set up the SSLVPN settings with TOTP for MFA on the connection. I have a domain joined laptop with NetExtender installed and I can connect into the corporate network (full tunnel mode) and be on the domain and access everything just as if I was sitting in my office. That all works fine, except one thing.
The main problem I have run into is sort of a catch-22 in that, while remote, the user can't log in until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means an employee would take the laptop home and try to sign in with their domain user account but not be able to, since the domain would be unreachable until the VPN gets connected.
I think there is an option to set it up so the VPN client connects automatically (before Windows login) but the issues with that are:
- During the times the laptop is on-prem, I don’t want it to connect to the VPN
- When the user’s password changes, it would stop being able to automatically connect
- I have TOTP enabled for MFA so I would potentially have to remove that for it to auto-connect
A solution for all those problems would be that I could create local users on the Sonicwall and have NetExtender connect using a super long password that doesn’t expire and without TOTP, but at that point I’m worried I’d be getting a little over-complex and less secure with the solution.
I have also considered VMware Horizon and Citrix Cloud to simply deliver users to their on-prem computers but that would mean an even more complex setup and having two computers for each remote user, their main PC and a laptop acting as a “thin client”.
I think there are other options like Remote Desktop Services / Terminal Services, Always On VPN or per-app VPN, but looking on the surface it seems like it might be a ton more infrastructure to add. That would be fine if it ended up being necessary, but at the end of the day, I’m just trying to make it so remote users can seamlessly run only about 6 locally installed AD integrated applications along with several Windows file server shares on their computers as if they were on-prem.
-
On every Windows PC I've seen set up with VPN, you log in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.
So maybe you're overcomplicating things.
-
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
On every Windows PC I've seen set up with VPN, you log in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.
So maybe you're overcomplicating things.
Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
On every Windows PC I've seen set up with VPN, you log in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.
So maybe you're overcomplicating things.
Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...
Sign in with a local user account first, sign into the VPN. Switch user to your domain user, done.
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
On every Windows PC I've seen set up with VPN, you log in to the PC first, using the domain credentials (which I assume are cached). Then you "manually" connect with the VPN client using MFA.
So maybe you're overcomplicating things.
Yeah I think that's my issue. I was at home when I joined my test system to the domain so it couldn't finish the task and cache my credentials. I will have to play around with stuff a bit more not on the weekend. I think I can get this working the way I want...
For starters have a look at "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".
I think Windows 10 will cache by default but not if there are GPO settings overriding it or the registry has been altered. I haven't played with it much so I'm not sure if there is anything else that needs to be looked at.
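A quick way to check the setting pete-s points at on a given laptop, as an added example that is not from any poster in this thread: it reads the Winlogon value that "Interactive logon: Number of previous logons to cache" writes to, and tries to locate a domain controller the way Windows does at logon, so you can tell whether a user signing in at home would be served from the credential cache. The function name is my own; the registry path and the .NET domain lookup are standard Windows.

```powershell
# Added check (not from the thread): report whether this domain-joined PC can
# log a user on from cached credentials when no domain controller is reachable.
function Get-CachedLogonStatus {
    [CmdletBinding()]
    param()

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # The GPO "Interactive logon: Number of previous logons to cache" is stored
    # here as a REG_SZ. Absent means the Windows default of 10; 0 disables caching.
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Try to find a DC. Failing here is exactly what a remote user without VPN hits.
    $dcReachable = $false
    if ($cs.PartOfDomain) {
        try {
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
            $null = $domain.FindDomainController()
            $dcReachable = $true
        } catch {
            $dcReachable = $false
        }
    }

    $note = if ($count -eq 0) {
        'Cached logon disabled by policy; off-network sign-in needs a pre-logon VPN.'
    } elseif (-not $dcReachable) {
        'No DC reachable; only accounts that already signed in on-net can log on.'
    } else {
        'DC reachable; have each user sign in once now so their credentials get cached.'
    }

    [PSCustomObject]@{
        ComputerName      = $cs.Name
        DomainJoined      = $cs.PartOfDomain
        Domain            = $cs.Domain
        CachedLogonsCount = $count
        CachingEnabled    = ($count -gt 0)
        DcReachableNow    = $dcReachable
        Note              = $note
    }
}

Get-CachedLogonStatus | Format-List
```

Run it once while the laptop is on the corporate LAN (expect DcReachableNow = True) and once from home without the VPN; the Note field tells you which of the thread's scenarios you are in.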
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
The main problem I have run into is sort of a catch-22 in that, while remote, the user can't log in until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means an employee would take the laptop home and try to sign in with their domain user account but not be able to, since the domain would be unreachable until the VPN gets connected.
I use this exact same setup for all of our clients. It works perfectly.
Tell me. When you start up the laptop, and once you press <CTRL>-<ALT>-<DEL> to log in, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
And do you see this NetExtender logon when you click it?
It will bring you here next. Building the VPN BEFORE authenticating to the domain.
This should all work for you without any issues.
-
@jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
The main problem I have run into is sort of a catch-22 in that, while remote, the user can't log in until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means an employee would take the laptop home and try to sign in with their domain user account but not be able to, since the domain would be unreachable until the VPN gets connected.
I use this exact same setup for all of our clients. It works perfectly.
Tell me. When you start up the laptop, and once you press <CTRL>-<ALT>-<DEL> to log in, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
And do you see this NetExtender logon when you click it?
It will bring you here next. Building the VPN BEFORE authenticating to the domain.
This should all work for you without any issues.
Woah! I'm glad I posted here... no, I didn't see that icon and I was actually looking for it, but I will check ASAP... What settings do you have for NetExtender?
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@jasgot said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
The main problem I have run into is sort of a catch-22 in that, while remote, the user can't log in until the VPN client has started and the user can't start the VPN client until they are logged in (duh). That means an employee would take the laptop home and try to sign in with their domain user account but not be able to, since the domain would be unreachable until the VPN gets connected.
I use this exact same setup for all of our clients. It works perfectly.
Tell me. When you start up the laptop, and once you press <CTRL>-<ALT>-<DEL> to log in, BUT BEFORE you authenticate, do you see the extra icon in the lower right corner?
And do you see this NetExtender logon when you click it?
It will bring you here next. Building the VPN BEFORE authenticating to the domain.
This should all work for you without any issues.
Woah! I'm glad I posted here... I completely missed that for some reason!!!! It's working now as intended... DUDE THANK YOU. You just saved me so much trouble. I owe ya
-
@dave247 That won't work on the latest Sonicwall NetExtender client. It doesn't allow for that.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 That won't work on the latest Sonicwall NetExtender client. It doesn't allow for that.
Can you elaborate on what won't work? I literally downloaded the most recent NetExtender client and it's working fine.
-
@dave247 What is the version that you have?
-
@dbeato The version I have is 10.2.319 and it doesn't have that option.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
Looks like I'm on 10.2.300. First time connecting it said NetExtender was required to update versions (I had a slightly earlier version on the file share) and it auto-updated with this. I can try updating it and see if the option goes away but I don't understand why they would remove it...
-
@dave247 If you uninstall the present one and install the latest one then you will not see the option. If you update the in-place application, there is no issue. So if that is the case then it shouldn't be an issue.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)
For the record, the latest version is 10.2.315 and the functionality is there regardless of whether you install or upgrade.
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
you be trollin me!
@dbeato is no troll I can assure you
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)
For the record, the latest version is 10.2.315 and the functionality is there regardless of whether you install or upgrade.
If I wanted to troll you, I would have failed very badly. You must have known me for a while now, and I don't troll. Here it is
This is also provided on the SMA Appliances, which has also been posted here
https://www.reddit.com/r/sonicwall/comments/rbrlsv/netextender_102319/
http://www.wehrenberg.ch/remote.html (Downloads are there)
If you try that version it does go away. However, in your case using a different version works for you and that's all that matters.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato The version I have is 10.2.319 and it doesn't have that option.
There isn't even a 10.2.319 version... you be trollin me! (see https://www.mysonicwall.com/muir/freedownloads)
For the record, the latest version is 10.2.315 and the functionality is there regardless of whether you install or upgrade.
If I wanted to troll you, I would have failed very badly. You must have known me for a while now, and I don't troll. Here it is
This is also provided on the SMA Appliances, which has also been posted here
https://www.reddit.com/r/sonicwall/comments/rbrlsv/netextender_102319/
http://www.wehrenberg.ch/remote.html (Downloads are there)
If you try that version it does go away. However, in your case using a different version works for you and that's all that matters.
ah, well they must have removed it due to the bug since it's not available for download from Sonicwall's official download sources. I wouldn't get it anywhere else.
-
@dave247 Yeah correct. Removed by a bug.
-
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't log in at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power, etc.?
Otherwise using the cached domain password the users could login locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.