VPN Setup with Microsoft CMAK
VPN access to a company's LAN is easy to set up and configure using Microsoft's Connection
Manager Administrator Kit (CMAK). There is plenty of documentation on the basic setup on the web, but I want to talk
about more advanced setup possibilities. The basic setup routes all of the client's internet traffic through the VPN server's
default gateway while connected. This may not be desired for several reasons. The first is that
in most cases additional firewall rules will need to be specified on the company's firewall for the VPN clients to
reach the internet. Additional routing may also need to be configured for the VPN clients to access
resources. Another big reason we may not want to do this is that while the VPN client stays connected, all of its
internet traffic consumes the company's bandwidth, not only once, but twice: the company
first has to receive the data from the public server, then send it back to the VPN client. Letting the
VPN client use its own internet connection for normal internet traffic is much preferable. This also
allows the client to use programs and TCP ports locally that the company's policy would block if they were
sent through the VPN.
The configuration of this is not really that involved. First, we need to uncheck the box that tells the
client to use the server's default gateway. The biggest part is writing some scripts to run
post-connect and on disconnect of the VPN session. For post-connect, we need a script that
adds routing table entries for the remote subnet(s). This is not as easy as it seems. One might say
that the CMAK wizard lets us specify a URL for a routing table update file containing the entries needed. Good luck with this;
if you can get it to work as we need, I would like to know how. The problem is that routing
entries added via this method most likely land on the default interface, not the VPN interface.
So when the client tries to reach the company's LAN, the packet is sent out the client's normal default gateway and will never
reach the company's private LAN. The .vbs script shown below detects the interface index of the VPN connection and then adds
the routing table entry bound to that interface index. It needs to be modified to reflect the correct subnet
for your situation.
Next, and this may not be needed depending on your requirements, is setting up the client to use the company's DNS server to
resolve internal resources. Once again, I have a .vbs script shown below which modifies
the client's DNS server search order. On post-connect, it inserts the specified DNS server at the top
of the client's DNS server list. Again, modify the IP addresses as needed.
Now all DNS queries will be made against the company's internal DNS server.
This may not be the absolute best method, and could possibly be improved; however, the amount of DNS bandwidth
going through the company is insignificant compared to routing all client internet traffic through the company.
Now we just need to undo these changes upon disconnect. The first script below can be saved and run as a .bat
file and removes the routing table entries that were created upon connection. The second script is a .vbs
script that removes the company's DNS server from the client's DNS server list, restoring it to normal.
Finally, on the appropriate screen in the CMAK wizard, add these files as the post-connect
and disconnect programs to run.
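The whole procedure (find the VPN interface index, bind the remote-subnet routes to it, prepend the internal DNS server, and undo both on disconnect) in one PowerShell script, as an added example; this is not the article's own .vbs/.bat scripts. It assumes a CMAK connection named "Company VPN" (Windows exposes the connected PPP adapter under that name as its InterfaceAlias), a company LAN of 10.10.0.0/16 and an internal DNS server at 10.10.0.53; all three are constructed placeholders to change for your environment. The script refuses to add any route if the VPN interface is not up, and checks after each `route add` that the entry really landed on the VPN interface rather than the default one, which is exactly the failure mode described above.

```powershell
# split-tunnel.ps1 -- added example, not the article's scripts.
# Assumed values (constructed; change for your environment):
#   connection name 'Company VPN', remote LAN 10.10.0.0/16, internal DNS 10.10.0.53
# CMAK post-connect action:  powershell.exe -ExecutionPolicy Bypass -File split-tunnel.ps1 -Action Connect
# CMAK disconnect action:    powershell.exe -ExecutionPolicy Bypass -File split-tunnel.ps1 -Action Disconnect
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][ValidateSet('Connect', 'Disconnect')][string]$Action,
    [string]$ConnectionName = 'Company VPN',
    [string[]]$RemoteSubnets = @('10.10.0.0/16'),
    [string]$InternalDns = '10.10.0.53'
)
$ErrorActionPreference = 'Stop'
# Disconnect must know what Connect changed, so Connect records it here.
$StateFile = Join-Path $env:TEMP 'split-tunnel-state.json'

function ConvertTo-SubnetMask([int]$PrefixLength) {
    # route.exe wants a dotted mask, not a CIDR prefix length.
    $bits = ('1' * $PrefixLength).PadRight(32, '0')
    $octets = 0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }
    return ($octets -join '.')
}

function Get-VpnInterfaceIndex {
    # The PPP adapter of a dial-up/VPN entry is not listed by Get-NetAdapter,
    # but Get-NetIPInterface shows it under the connection name while it is up.
    $if = Get-NetIPInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object { $_.InterfaceAlias -eq $ConnectionName -and $_.ConnectionState -eq 'Connected' } |
          Select-Object -First 1
    if (-not $if) { throw "VPN interface '$ConnectionName' is not connected; refusing to add routes." }
    return $if.ifIndex
}

function Get-DefaultInterfaceIndex {
    # The adapter owning the IPv4 default route is the one whose DNS list we adjust.
    return (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
            Sort-Object RouteMetric | Select-Object -First 1).ifIndex
}

function Invoke-Connect {
    $vpnIndex = Get-VpnInterfaceIndex
    # The address assigned to the PPP link serves as the gateway, as route.exe expects.
    $vpnIp = (Get-NetIPAddress -InterfaceIndex $vpnIndex -AddressFamily IPv4).IPAddress
    foreach ($subnet in $RemoteSubnets) {
        $net, $len = $subnet -split '/'
        $mask = ConvertTo-SubnetMask ([int]$len)
        # Bind the route to the VPN interface explicitly via its index.
        & route.exe add $net 'MASK' $mask $vpnIp 'IF' $vpnIndex | Out-Null
        # Verify it landed on the VPN interface and not on the default one.
        $bound = Get-NetRoute -DestinationPrefix $subnet -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 Where-Object { $_.ifIndex -eq $vpnIndex }
        if (-not $bound) { throw "Route for $subnet was not bound to VPN interface $vpnIndex." }
    }
    $lanIndex = Get-DefaultInterfaceIndex
    $current  = @((Get-DnsClientServerAddress -InterfaceIndex $lanIndex -AddressFamily IPv4).ServerAddresses)
    # Simplification: treat a DHCP-configured adapter as having DHCP-supplied DNS, so
    # Disconnect can hand the list back to DHCP instead of freezing it as static.
    $dhcp = (Get-NetIPInterface -InterfaceIndex $lanIndex -AddressFamily IPv4).Dhcp -eq 'Enabled'
    # Internal server first so company names resolve; existing servers stay as fallback.
    $newList = @($InternalDns) + @($current | Where-Object { $_ -ne $InternalDns })
    Set-DnsClientServerAddress -InterfaceIndex $lanIndex -ServerAddresses $newList
    @{ LanIndex = $lanIndex; Subnets = @($RemoteSubnets); DnsWasDhcp = $dhcp; PreviousDns = $current } |
        ConvertTo-Json | Set-Content -Path $StateFile
}

function Invoke-Disconnect {
    if (-not (Test-Path $StateFile)) { Write-Warning 'No state file found; nothing to undo.'; return }
    $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    foreach ($subnet in @($state.Subnets)) {
        # The PPP interface is usually gone already, but deleting is harmless.
        $net, $len = $subnet -split '/'
        & route.exe delete $net 'MASK' (ConvertTo-SubnetMask ([int]$len)) | Out-Null
    }
    if ($state.DnsWasDhcp -or -not $state.PreviousDns) {
        Set-DnsClientServerAddress -InterfaceIndex $state.LanIndex -ResetServerAddresses
    } else {
        Set-DnsClientServerAddress -InterfaceIndex $state.LanIndex -ServerAddresses @($state.PreviousDns)
    }
    Remove-Item -Path $StateFile
}

switch ($Action) {
    'Connect'    { Invoke-Connect }
    'Disconnect' { Invoke-Disconnect }
}
```

Both route changes and DNS changes require administrative rights, so the CMAK connect action must run elevated. The DNS state is saved before it is changed, because simply "removing" the internal server on disconnect would leave a DHCP-managed adapter with a static list; handing it back to DHCP restores the client to exactly the state it was in before the session.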