
Windows Authentication w/ Cisco VPN client vs. Windows VPN client

KingGheedora

Diamond Member
We used to connect using windows' built-in VPN client. Our IT team built a new VPN solution, and now we have to use a Cisco client.

I have Windows 7, x64, so the Cisco client wouldn't work and the IT team won't provide a solution (e.g. Cisco AnyConnect). I got Shrew VPN working though.

My question is, when I used to connect from my home PC (which is not joined to our company's AD domain), once I connected using the Windows VPN client I was able to access things like network shares and SQL Server databases using Windows authentication. Somehow Windows was passing the credentials I used in the VPN connection as the authentication whenever I ran queries on SQL DBs or accessed network shares that required AD authentication. The credentials I used in the Windows VPN were of course my AD credentials for my company's domain.

Well I got the Shrew VPN connection and I can ping everything on the network but that authentication doesn't work the way it used to. I can use "runas /user /netonly ..." but that's a bit of a pain in the ass. Is there a way to replicate the way Windows' VPN was handling the AD authentication?
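The situation the post describes, as an added example that is not from the thread: on a home PC that is not domain-joined, a third-party VPN client gives you routing but no AD logon session, so Windows authentication falls back to the local account. Stored per-host domain credentials cover the share case without runas, and runas /netonly covers tools that use integrated (SSPI) authentication such as SSMS. The domain, account, host names, share name and SSMS path below are placeholders.

```powershell
# Added example, not from the thread. Run on the home PC after the VPN is up.
# Placeholders: replace with your own domain, account, hosts and share.
$Domain  = 'CORP'
$User    = 'jdoe'
$Targets = @('fileserver01', 'sqlserver01')   # hosts reached over the VPN
$Share   = 'public'
$Ssms    = 'C:\path\to\Ssms.exe'              # placeholder path to SSMS

foreach ($t in $Targets) {
    # Store a Windows (domain) credential scoped to this host in Credential
    # Manager. "/pass" with no value prompts, so the password never lands on
    # the command line or in shell history. The SMB client then uses this
    # credential automatically whenever you open \\$t\...
    cmdkey /add:$t /user:"$Domain\$User" /pass
}

# Check what is stored for one host (shows target and user, never the password).
cmdkey /list:$($Targets[0])

# Verify the share opens under the stored domain credential, no runas needed.
if (Test-Path "\\$($Targets[0])\$Share") {
    Write-Host "Share reachable with stored credential."
} else {
    Write-Host "Share not reachable; check VPN routing, host name and credential."
}

# Stored credentials do not apply to every SSPI client. For SSMS, start it
# with the domain account as its *network* identity only: the local desktop
# session stays under the home account, so nothing else on the PC gains
# domain rights. runas prompts for the password itself.
runas /netonly /user:"$Domain\$User" "`"$Ssms`""

# Clean-up when the work is done, so the domain credential does not persist
# on the home machine:
#   foreach ($t in $Targets) { cmdkey /delete:$t }
```

The stored credential is tied to the host name you type, so connect to shares with the same name you registered (short name vs. FQDN matters).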

Best option is to use a work machine for work and home machine for home. You would need to find a VPN client that will pass the authentication, otherwise you are running what amounts to a foreign computer running a foreign account on the network which will automatically get lowest level access.

I agree with the home for home part. Just enable workstation remote desktop, add a custom high port for it to listen to also, then have your IT team forward it over; they can put in your MAC for a DHCP reservation and just be done with it. Writing the ACLs should take all of 5 minutes, and the custom RDP port is instant after you add the reg file. They shouldn't have a problem from a security standpoint. They can still monitor you and how many times you connect if that is the issue. Then when you work there, all the work is done from your computer's perspective at the workstation, and nothing ever leaves the network other than the RDP connection.

I'm a little confused by this, but are you suggesting that he RDP from his home computer over the Internet? I'm pretty sure most IT departments will not permit this type of thing. It is extremely insecure.

You could VPN in and then RDP to the machine. That actually will give you security and should solve the credential pass-through, as you would be controlling a "work" machine. That machine will have to be able to accept RDP connections as stated above.

As IT... I prefer that people let me issue them a logmein account. Mostly because the cesspool of a computer wasteland they call their home machine should never be on my network. I just love when I start getting alerts from the AV / Security systems that a PC is busily attacking every machine on the network and it is a VPN user using a home machine. I respond by kicking the account and removing VPN rights until they call in.

Really? You would rather use a third party for access to your infrastructure?

If you define a home machine as a computer that a user has admin rights over, then I agree with your statement about not letting any home machine on my network. We send some computers home with our users, and we retain admin rights to the computer, thus it's not a cesspool of a computer.

If you're separating roles of home and work computing, I'd have to agree with Nuwave on this one for enterprise access.

16 month necro bump.

Also you seem confused. OP was trying to connect his home PC to the work network and was having issues connecting to shares, not his work computer.

A home computer is a user owned piece of gear. A work computer at home is exactly that. A work computer, company owned... at home.

And yes I would rather use a third party in this case. I can create a logmein account in the existing system in a few minutes and give someone remote control. This would be very rare however since, if they need home access, they are issued a company laptop...