Issues with Native Windows VPN
-
We have a working FOG server.
We have a batch of Dell Latitude 5330 laptops we are deploying and everything works, including the Windows 10 native VPN... however:
When connecting to the VPN, it connects to the company infrastructure successfully and is able to ping all internal IP addresses and DNS names, but email access and shared drive access are not connecting whatsoever. Also, bizarrely, we cannot access the internet.
Once we disconnect the VPN, internet works fine.
We have done the exact same configuration on the same laptop without FOG deployment.
Has anyone had any similar issues?
-
@cwufog First let me say, I seriously doubt this is a FOG issue. FOG only moves bits from here to there, and Windows boots correctly.
I do wonder if this is an artifact of cloning (unrelated to FOG). Are you sysprepping the golden image before capture? I could see an issue with the system GUID being the same across multiple clones if your VPN software needs to identify the target system by its GUID.
From a VPN standpoint I can also understand how this happens, in that once the VPN tunnel is set up all network traffic would be sent across the tunnel and not split, so that internal traffic would go across the VPN and internet-bound traffic would go direct to the internet. But again, this would be a setting related to your VPN solution.
-
@george1421 Thanks for the response.
We do not use a sysprep image, just a normal up-to-date OS of the laptop with software and other config.
I would wonder if it would be related to the GUID, but we don't have a setting to block already used GUIDs (if that can even be done), unless this is a default setting.
It works OK when it is deployed using a normal Win10 USB boot.
One thing I didn't mention is, it (FOG deployment) actually does work initially with email, drive and internet access, but after a while, including disconnecting and rebooting, the VPN connects as normal but there is no email, drive or internet access.
I would only ask whether sysprep might be the best option to completely have its own ID etc.?
-
@cwufog said in Issues with Native Windows VPN:
I would only ask whether sysprep might be the best option to completely have it’s own ID etc?
I would not know if sysprep will fix your issue. Creating an image with the Win10 USB boot probably uses a version of MDT where everything is built in place with all unique GUIDs. I know some enterprise AV software creates a unique GUID to identify the AV install to the console. So if you are going to clone a machine, you would install the AV solution after cloning and not into the mother/golden image.
As for sysprep, that is the route recommended by Microsoft for cloning computers. It does have its own drawbacks though, in that WinSetup/OOBE resets some stuff you have configured in the golden image, especially around user account profiles.
So I can't really say if the system GUID is an issue or not. I only know that imaging Windows 10 with FOG and network access isn't an issue on my campus.
One thing you could do to debug this is to see at a network level where the packets for the internet are going. Before you connect to the VPN do a traceroute (tracert on Windows) to something like www.dell.com, then start up the VPN and try the same thing. See if the packets keep the same path or not when the VPN tunnel is up.
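The before/after comparison suggested above, scripted as an added example (this is not code from the thread or from the FOG project). It assumes the native VPN phonebook entry is called `CorpVPN` (hypothetical; use the name shown by `Get-VpnConnection`), that credentials are saved so `rasdial` can dial it without prompting, and that it runs in an elevated PowerShell on the Windows 10 client. Besides the trace it records the default routes, the DNS servers and whether TCP/443 to the target opens, which together separate "packets take a different path" from "browser-level sessions fail".

```powershell
# Added example, not from the original thread. Snapshot routing/DNS/HTTPS reachability
# with the native VPN down and up and print both for comparison.
# Assumptions: VPN entry 'CorpVPN' exists with saved credentials; run elevated.
param(
    [string]$VpnName = 'CorpVPN',     # hypothetical entry name
    [string]$Target  = 'www.dell.com'
)

function Get-PathSnapshot {
    param([string]$Label)
    $snap = [ordered]@{ Label = $Label }
    # 0.0.0.0/0 routes: with a full tunnel a lower-metric default route appears on the
    # VPN interface; with split tunnelling only the physical NIC keeps one.
    $snap.DefaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
    # DNS servers per interface: the VPN adapter usually pushes the internal resolvers.
    $snap.Dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses
    # Same check as 'tracert', plus a real TCP handshake on 443 (what a browser needs).
    $tnc = Test-NetConnection -ComputerName $Target -TraceRoute -WarningAction SilentlyContinue
    $snap.Trace = $tnc.TraceRoute
    $snap.Https = Test-NetConnection -ComputerName $Target -Port 443 -WarningAction SilentlyContinue |
        Select-Object RemoteAddress, TcpTestSucceeded
    [pscustomobject]$snap
}

$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
"VPN '$VpnName': SplitTunneling=$($vpn.SplitTunneling) Status=$($vpn.ConnectionStatus)"

$before = Get-PathSnapshot -Label 'VPN down'
rasdial $VpnName | Out-Null            # dials the phonebook entry using saved credentials
Start-Sleep -Seconds 5                 # give routes/DNS time to settle
$after  = Get-PathSnapshot -Label 'VPN up'
rasdial $VpnName /disconnect | Out-Null

foreach ($s in $before, $after) {
    "`n=== $($s.Label) ==="
    'Default routes:'; ($s.DefaultRoutes | Format-Table -AutoSize | Out-String).Trim()
    'DNS servers:';    ($s.Dns           | Format-Table -AutoSize | Out-String).Trim()
    'Trace:';          ($s.Trace -join ' -> ')
    'TCP/443:';        ($s.Https         | Format-Table -AutoSize | Out-String).Trim()
}

# Quick verdict: did the default route move onto the VPN interface?
$movedToVpn = $after.DefaultRoutes | Where-Object { $_.InterfaceAlias -eq $VpnName }
if ($movedToVpn) { "`nDefault route is on the VPN interface: internet traffic rides the tunnel." }
else             { "`nDefault route stayed on the LAN/Wi-Fi interface: split tunnel in effect." }
```

If `SplitTunneling` is `False` the native client installs a default route through the tunnel, so internet reachability then depends on the VPN gateway permitting egress; `Set-VpnConnection -Name CorpVPN -SplitTunneling $true` flips that behaviour for the entry. A trace that still leaves via the ISP while `TcpTestSucceeded` is `True` points away from routing and towards name resolution or a proxy on the client.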
-
@george1421 Yes we also do not have our AVs in any of the golden images.
I did have issues with sysprep and prefer the setups we now use.
I actually ran the tracert to www.dell.com:
-
VPN Disconnected:
– Established connection to 104.120.212.17
– Successfully connects going through hops -
VPN Connected:
– Established connection to 23.72.62.221
– Skips the initial internal IP addresses
– Goes through the first public IP on 3rd hop which is our ISP’s network range
– Then successfully connects going through hops
– Also tracert to 104.120.212.17 and does same thing and eventually establishes connection
So with VPN connected, domain names are recognized through CMD but not using any browsers at all.
Possibly the internal firewall is blocking connection of web pages coming back onto the browser?
-
@cwufog OK so what I understand from a IP routing standpoint everything works vpn or not.
So only the browsers are not working when vpn is enabled.
Do you have a product (software) that might manage the proxy server settings based on whether the VPN tunnel is up or not? I know there are some products (software) out there that will actually dynamically redirect proxy traffic when a network interface is connected. Possibly your antivirus software, or third-party software for web browsing protection (understand I'm making some educated guesses here).
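A way to verify the proxy guess above, as an added example that is not code from the thread or the FOG project. Browsers on Windows follow the per-user WinINET settings, and WinINET keeps a separate set of those settings for each RAS/VPN phonebook entry which replaces the LAN settings for as long as that entry is connected (the "Settings" button beside the VPN entry in Internet Options > Connections). The script below decodes both blobs plus the machine-wide WinHTTP proxy; the entry name `CorpVPN` is an assumed name. Run it with the VPN down and again with it up and diff the output.

```powershell
# Added example, not from the original thread. Shows the proxy settings browsers (WinINET)
# and services (WinHTTP) use, including the per-connection WinINET settings that apply
# only while a named RAS/VPN entry is connected. 'CorpVPN' is an assumed entry name.

function Get-WinInetFlags {
    param([byte[]]$Blob)
    # DefaultConnectionSettings and the per-entry blobs carry a DWORD of flags at
    # bytes 8-11: 0x02 = manual proxy, 0x04 = PAC/auto-config URL, 0x08 = auto-detect (WPAD).
    if (-not $Blob -or $Blob.Length -lt 12) { return $null }
    $flags = [BitConverter]::ToUInt32($Blob, 8)
    [pscustomobject]@{
        ManualProxy = [bool]($flags -band 0x02)
        PacFile     = [bool]($flags -band 0x04)
        AutoDetect  = [bool]($flags -band 0x08)
    }
}

function Get-ProxyState {
    param([string]$VpnName = 'CorpVPN')
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key
    $conn = Get-ItemProperty -Path "$key\Connections" -ErrorAction SilentlyContinue

    $vpnBlob = $null
    if ($conn -and ($conn.PSObject.Properties.Name -contains $VpnName)) {
        $vpnBlob = $conn.$VpnName
    }

    [pscustomobject]@{
        # LAN settings (in force when no RAS entry is connected)
        LanProxyEnable   = [bool]$inet.ProxyEnable
        LanProxyServer   = $inet.ProxyServer
        LanProxyOverride = $inet.ProxyOverride
        LanAutoConfigURL = $inet.AutoConfigURL
        LanFlags         = Get-WinInetFlags -Blob $conn.DefaultConnectionSettings
        # Settings WinINET switches to while this RAS/VPN entry is connected
        VpnEntryPresent  = [bool]$vpnBlob
        VpnFlags         = Get-WinInetFlags -Blob $vpnBlob
        # Machine-wide WinHTTP proxy (services, update agents, some AV management agents)
        WinHttp          = ((netsh winhttp show proxy) -join ' ' -replace '\s+', ' ').Trim()
    }
}

Get-ProxyState -VpnName 'CorpVPN' | Format-List
```

If `VpnFlags` reports a manual proxy or PAC file while `LanFlags` does not, the browser is being sent to a proxy that is only meaningful (or only reachable) through the tunnel, which matches "tracert works, browser says Unable to connect". Software that rewrites these values on interface change will show up as a difference between the two runs rather than as a browser setting you ever configured.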
-
@george1421 Yes that’s right, DNS names of internal devices works okay, and also external sites within IP routing/CMD.
Browsing internet gives “Unable to connect” error.
No, we have no proxy settings set on any of our browsers; they simply use our ISP's connection. I have also removed our AV and it is still the same issue, which is strange.
After removing the AV, however, I am able to connect to shared drives, which I find very odd. This does not happen on a normal user setup for Windows with AV installed.
Nevertheless I am still not able to connect to the internet via browsers. I am wondering whether installing pre-updates and driver updates in golden images may cause some kind of duplication in a deployed image.
What I may try next is creating another image without the latest OS and driver updates and seeing if that works okay with the VPN and internet.
-
@cwufog Have you tried taking the golden image and, instead of sysprepping it, removing it from the domain (making sure you have a local admin user) and uploading the image that way? This assumes the golden image works with the VPN and AV. Then register the next machine in FOG with a different computer name and deploy the golden image to the new machine. Just thinking it might be that sysprep is resetting something that maybe the browser uses.
-
@hammerc807 I actually never use sysprep and just deploy golden images. We do exactly that: the images are not domain joined, are completely local workgroups, and have no AV installed.
Once imaged to a new laptop, we rename the hostname, join the domain and add the AV, and for some reason have issues with the VPN.