Tuesday, 10 June 2008

Using CMAK to Configure ISA Server VPN Clients - Part 2: Customising the CMAK Profile

Following on from Using CMAK to Configure ISA Server VPN Clients - Part 1: Creating the CMAK Profile, this blog entry is part two of the series and looks at customising the profile to add some useful features, provide a better user experience and improve security. This blog entry assumes that Part 1 has already been followed and the CMAK profile has been created.

In this entry I am going to discuss the following CMAK profile customisations:


  • Modify the initial connection screen to hide unwanted and insecure elements.
  • Modify the support information to add a CMAK build number to aid versioning and troubleshooting.
  • Modify the Windows client to add support for NAT traversal (NAT-T) and facilitate ISA Server VPN gateways behind NAT devices.
  • Include custom login and logout scripts to provide VPN users with mapped drives whilst the VPN connection is active.

Although it is possible to use the CMAK wizard to make many different customisations, like adding graphics etc., these are pretty standard options and are available as part of the normal wizard-driven process. The customisations described in this blog entry are slightly more advanced and, in my opinion, greatly improve the experience for frequent VPN users.

Modify the initial connection screen to hide unwanted and insecure elements

The connection screen can be modified by editing the [ShortSvcName].cms file, located by default in the C:\Program Files\cmak\Profiles\[ShortSvcName] folder, where [ShortSvcName] is the File name parameter defined in part one of this blog series (ISAVPN in the screenshot examples).

Using our CMAK profile from Part one as an example, we need to edit the ISAVPN.cms file, as shown below:




For the scenario where we are using a simple Windows user name and password, we will need to leave the default username, password and domain fields. However, it seems sensible to remove the Save password option to ensure that the user cannot select this feature and leave credentials cached on the client. This is achieved by adding a HideRememberPassword=1 entry to the [Connection Manager] section of the ISAVPN.cms file as shown below:




Once these changes have been made, it is necessary to re-run the CMAK wizard without making any changes. This will re-read the manually modified ISAVPN.cms file and add the modifications to the self-extracting executable ISAVPN.exe. Once the updated connectoid has been installed, the connections screen result is shown below without the Save password option.



For the scenario where we are using certificates, we will no longer need to display the default username and domain fields, as this information is stored within the User Principal Name (UPN) of the certificate. In addition, the Save password option is not relevant in this particular scenario. These modifications are achieved by adding/editing the following entries in the [Connection Manager] section of the ISAVPN.cms file, as shown below:

HideDomain=1
HidePassword=1
HideInternetPassword=1
HideUserName=1
HideInternetUsername=1



Once these changes have been made, it is necessary to re-run the CMAK wizard without making any changes. This will re-read the manually modified ISAVPN.cms file and add the modifications to the self-extracting executable ISAVPN.exe. Once the updated connectoid has been installed, the connections screen result is shown below without the unnecessary fields.



Although not strictly necessary, in addition to the changes above I also recommend modifying the default value for the ConnectionType entry in the [Connection Manager] section of the ISAVPN.cms file from 0 to 1, as shown below. This modification ensures that the connectoid will default to the I am already connected to the Internet option as opposed to the Dial a phone number to connect option, which for the majority of cases is the correct choice.



Modify the support information to add a CMAK build number to aid versioning and troubleshooting

This is a simple, yet effective, modification that allows you to determine the exact version of the connectoid installed on a client machine. Over time, it is likely that the CMAK profile will be modified or extended to include new features, reflect infrastructure changes or simply fix problems. However, it is not always possible to ensure that all users are using the latest version of the CMAK profile, which can lead to inconsistent results between users. Consequently, adding a CMAK build number to the Support Information field allows users to report this information, or to assess for themselves whether they are running the latest profile. I tend to use a build number that is a representation of the creation date, e.g. 100508 would indicate a profile created on the 10th May 2008. An example of this modification is shown below using the Support Information page of the CMAK wizard.



Modify the Windows client to add support for NAT-T and facilitate ISA Server VPN gateways behind NAT devices

If your ISA VPN Server is located behind a NAT device, you may experience problems connecting the VPN as discussed in the following Microsoft KB articles:

L2TP/IPsec NAT-T update for Windows XP and Windows 2000 (KB926179)

How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008 (KB818043)

The common solution to both of these problems is to add a specific registry value to the VPN client machine. The registry values are:

For Vista:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule

For Windows XP:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule

Normally a value of 2 would be used for this entry to ensure the highest level of compatibility for both clients and servers that are located behind NAT devices.

Rather than having to add these registry entries manually, it makes much more sense to add them as part of the CMAK profile installation. This can be achieved by adding the following lines to the [Xnstall.AddReg.AllUsers] and [Xnstall.AddReg.Private] sections of the [ShortSvcName].inf file included as part of the profile (the 0x00010001 flag marks the value as a REG_DWORD):

"HKLM", "SYSTEM\CurrentControlSet\Services\IPSec", "AssumeUDPEncapsulationContextOnSendRule", 0x00010001,2

"HKLM", "SYSTEM\CurrentControlSet\Services\PolicyAgent", "AssumeUDPEncapsulationContextOnSendRule", 0x00010001,2

In our example, this will be ISAVPN.inf as shown below:

[Xnstall.AddReg.AllUsers] section of ISAVPN.inf


[Xnstall.AddReg.Private] section of ISAVPN.inf


Please Note: In order to add these registry values under HKLM, the user will require local administrator rights or will need to utilise the Run As option when installing the CMAK profile.

As can be seen from the images above, I have added both the Vista and the Windows XP registry changes to the single ISAVPN.inf file, as I don't think it is possible to detect the client OS and apply the appropriate entry automatically. This ensures that both operating system versions will have the correct registry entry, plus one unnecessary entry, which seems like an acceptable compromise to me.

Once these changes have been made, it is necessary to re-run the CMAK wizard without making any changes. This will re-read the manually modified ISAVPN.inf file and add the modifications to the self-extracting executable ISAVPN.exe. Once the updated connectoid has been installed, it is necessary to reboot the client machine for the registry changes to take effect.

Include custom login and logout scripts to provide VPN users with mapped drives whilst the VPN connection is active

The final customisation, and potentially the most visible to the VPN user, is to provide a login script which dynamically maps drives once the VPN connection is active and removes them upon disconnection.

The theory provided here can be used to run any script process and could easily be adapted to include more advanced features than mapping drives, as the concept will be the same.

This concept is based around the Custom Actions element of the CMAK wizard and is probably one of the most powerful elements of CMAK as it can be used to perform tasks (or actions) based upon VPN conditions like Pre-connect, Post-connect, Disconnect etc.

In my example we use the Post-connect condition to trigger a Run VPN Login Script task and the Disconnect condition to trigger a Run VPN Logout Script task, as shown below:

If we look a little closer at these tasks we can see that each action includes a Program to run and an Action type element. As the files will be deployed by CMAK, the program path will need to be presented as a variable-based service profile path, as shown below:

It cannot be easily seen in the above, but the program path needs to be of the following format:

%APPDATA%\Microsoft\Network\Connections\Cm\[ShortSvcName]\[Program Filename]

In our ISAVPN example, this would therefore become:

%APPDATA%\Microsoft\Network\Connections\Cm\ISAVPN\VPNLogin.vbs

So with the configuration shown above, the VPNLogin.vbs file will be run once the VPN has been connected.

In a similar way for our second custom action:


In our ISAVPN example, this would therefore become:

%APPDATA%\Microsoft\Network\Connections\Cm\ISAVPN\VPNLogout.vbs

So with the configuration shown above, the VPNLogout.vbs file will be run once the VPN has been disconnected.


Please Note: Server names should ideally be included as Fully Qualified Domain Names (FQDNs) within the .vbs files, to force DNS name resolution and avoid relying on WINS or NetBIOS broadcasts over the VPN link.

The only remaining element is to ensure that the actual VPNLogin.vbs and VPNLogout.vbs files are included within the Additional Files element of the CMAK wizard as shown below. However, this can also be achieved if you use the Include the custom action program with this service profile option in the custom actions images shown above.
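As an added example (not the original post's script), here is one VBScript that covers both custom actions: called with the parameter login it maps the drives, with logout it removes them, using FQDNs as recommended above. The server name, share names and log path are constructed placeholders, and the one-file layout assumes the custom action's Parameters field is used; to match the two-file layout described above, keep only MapDrives in VPNLogin.vbs and only UnmapDrives in VPNLogout.vbs.

```vbscript
' Added example: serves as VPNLogin.vbs (parameter "login") and VPNLogout.vbs
' (parameter "logout") in one file. Assumes CMAK passes the word as an argument.
Option Explicit

' Constructed example server and shares: substitute your own. FQDNs are used so
' that resolution goes via DNS rather than WINS.
Const SERVER = "fs01.corp.example.com"
Dim drives : Set drives = CreateObject("Scripting.Dictionary")
drives.Add "H:", "\\" & SERVER & "\home"
drives.Add "S:", "\\" & SERVER & "\shared"

Dim net : Set net = CreateObject("WScript.Network")
Dim shell : Set shell = CreateObject("WScript.Shell")
Dim logFile : logFile = shell.ExpandEnvironmentStrings("%TEMP%") & "\ISAVPN-drives.log"

' Append one line to a per-user log so failed mappings can be diagnosed later
Sub Log(msg)
    Dim f : Set f = CreateObject("Scripting.FileSystemObject").OpenTextFile(logFile, 8, True)
    f.WriteLine Now & " " & msg : f.Close
End Sub

Sub MapDrives()
    Dim letter
    For Each letter In drives.Keys
        On Error Resume Next
        net.RemoveNetworkDrive letter, True, True   ' clear a stale mapping left by an unclean disconnect
        Err.Clear
        net.MapNetworkDrive letter, drives(letter), False   ' False = not persistent: VPN session only
        If Err.Number <> 0 Then
            Log "FAILED " & letter & " -> " & drives(letter) & ": " & Err.Description
        Else
            Log "Mapped " & letter & " -> " & drives(letter)
        End If
        On Error GoTo 0
    Next
End Sub

Sub UnmapDrives()
    Dim letter
    For Each letter In drives.Keys
        On Error Resume Next
        net.RemoveNetworkDrive letter, True, True   ' force removal even if files are open
        If Err.Number <> 0 Then Log "Could not remove " & letter & ": " & Err.Description
        On Error GoTo 0
    Next
End Sub

If WScript.Arguments.Count = 0 Then WScript.Quit 1
Select Case LCase(WScript.Arguments(0))
    Case "login": MapDrives
    Case "logout": UnmapDrives
End Select
```

Because the mappings are created non-persistently, nothing is left behind in the user's profile if the logout action never runs (for example after a dropped connection), and the next login action clears any leftover letter before mapping again.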

I hope you have enjoyed these two blog entries and have discovered the power of CMAK! I will probably add more CMAK customisations in the future, as I develop new ones for customers.

9 comments:

  1. Hi Jason,

    Thanks for the great write-up on the use of CMAK. In particular, I'm interested in knowing what your recommendations are for handling pre-connect and post-connect scripts for all system users. (e.g. setting DNS Binding order for RAS, per KB311218, documented out on ISAserver.org). I thought it would be nice to set this so that this script is pulled from a central location, so that I can update it as needed, and not have to redistribute a CMAK bundle. What are your thoughts as to how I should handle this? Set a variable name to a share on the isa server, or an internal server perhaps? Let me know what you think.

  2. This works great, however, I have 1 problem. It works sporadically. Sometimes it won't find the domain in my script or sometimes it won't map a drive from the vb script. I can log in 3 times and get successfully logged in twice, or not at all due to it not resolving the domain name, or it not mapping a drive. I can manually hook everything up after I connect though.
    It seems I am missing something small in CMAK; any help would be greatly appreciated.
    Thanks

  3. >> Tracey

    Are you using NetBIOS names or FQDNs in your scripts? FQDNs may be more reliable...

    Have you looked at the potential RAS adapter binding order issues discussed here?
    http://www.isaserver.org/tutorials/work-around-VPN-clients-split-DNS.html

    Cheers

    JJ

  4. Jason,
    Thank you for the response. My vbs script uses strings up until it tries to connect drives. I am a DOS bat person; I inherited the vbs and maintain it. Since I am not that familiar with vbs scripting, I believe the strings point to the NetBIOS name. I know DOS has the persistent:yes and that is how it worked previously, but I cannot find code for this in vbs. I read through the link you provided; however, I had to change everyone back yesterday, so I have not had a chance to check the nslookup yet.
    I will give this a try: http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
    thanks

  5. Jason,
    I had a chance to update the registry. The connection worked 75% of the time, which is better, but I still had failures. I ran the ipconfig and nslookup. In my wireless network connection, for connection-specific DNS suffix, when it failed it would say: domain_not_set.invalid, which makes sense as to why my login.vbs is failing, since it can't find my domain. Are you aware of anything else I need to do in order to get a VPN connection with the login.vbs running 100% of the time?
    thanks,
    tracey

  6. >> Tracey

    How about we move this to a more suitable location? Can you post a question on forums.isaserver.org?

    I (and others) can then maybe help out a little more. Adrian Dimcev is great with the VPN aspects of ISA; check out his site/blog here: http://www.carbonwind.net/ and he should also see your post on the forums.

    Cheers

    JJ

  7. You can check this out: vpn. I think it's related to the topic.

  8. This is a great and very comprehensive article, thank you. Is there any way to have the configuration so that users are not prompted with the "Make this connection available for:" choice of All users or My use only? I have tried the /q:a with no success.

  9. >> Anonymous

    Not that I know of, sorry!
