VPN Setup with Microsoft CMAK

VPN Access to to company's LAN can be easy to set up and configure using Microsoft's Connection Manager Administrator Kit. There is much documentation on basic setup on the web, but I want to talk about advanced setup possibilities. The basic setup uses the default gateway of the VPN server to access the internet while connected. This may not be desired for several reasons. The first is that in most cases additional firewall rules will need to specified on the company's firewall for the VPN clients to access the internet. Additional routing may also need to be configured for the CPN clients to access resources. Another big reason we may not want to do this is that while the VPN client stays connected, all internet traffic for the client consumes the company's bandwidth, not only once, but twice. The company will have to first receive the data from the public server, then send it back to the VPN client. Allowing the VPN client to use their own internet connection for normal internet traffic is much desired. This also allows the client to use programs/TCP ports locally which would be blocked by the company's policy if trying to connect through the VPN.

The configuration of this is not so involved really. First, we need to uncheck the box that specifies the client to use the server's default gateway. The biggest part is writing some scripts to run post-connect and on disconnect of the VPN session. For post-connect, we need a script that will add routing table entries for the remote subnet(s). This may not be as easy as it seems, and one might say that the CMAK wizard allows us to specify a url location of the routing table entries needed. Good luck with this, if you can get to work as we need, I would like to know how. The problem lies in the fact that adding routing entries via this method, applies them to most likely the default interface, not the VPN interface. So now when trying to access the company's LAN, the packet is sent out the client's normal default gateway and will never reach the company's private LAN. The .vbs script show below will detect the interface index and then add the routing table entry based on this interface index. It needs to be modified to reflect the correct subnet for your situation.

Next, which may not need to be done based on your needs, is setting up the company's DNS server to resolve client requests to internal resources. Once again, I have a .vbs script shown which will modify the DNS server search order. Upon post-connect, it will insert the specified DNS server into the top of the client's DNS server list. Again, modify the IP addresses as needed. Now all DNS queries will made against the company's internal DNS server. This may not be the absolute best method, and could possibly be made better, however, this amount of bandwidth going through the company in insignificant compared to routing all client internet traffic through the company.

Now we just need to undo these upon disconnect. The first script below can be saved and run as a .bat file and will remove the routing table entries that were created upon connection. The second script is .vbs script that will remove the company's DNS server from the client's DNS server list, restoring them to normal.

Now on the appropriate screen in the CMAK wizard, add these files to the post-connect and disconnect programs to run.