Full VPN

Author: [email protected]

The overall steps in the communication when the normal Full VPN is in use are:

  1. As soon as the Windows Client starts, it tries to determine whether a domain controller is contactable. If no domain controller can be reached, and the configuration is set for Full VPN, the VPN open script is executed.
  2. Once the VPN is up, the MyPass server is contacted and the user carries out the reset.
  3. When the user exits the client, the client checks whether the user completed a password reset; if so, the local password cache is updated.
  4. The VPN closes.

Server Preparations

No server-side preparation is needed, since by default the server allows the client to update the cached password. This can be verified under Feature settings->Windows Client.

Configuration changes

There are a few things to prepare on the Windows Client. In the PMWindowsClient-config.xml file you need to enable the Full VPN feature by setting usefullvpnconnection to true, as shown below. This is also where the connection details are stored in encrypted form. To generate the value for the vpnconfiguration entry, download the Full VPN Configuration Tool from the download site.

Open the configuration tool and enter the credentials and the VPN profile, if one is needed for the VPN to establish a connection. Review the other two tabs, which hold the same settings as for the Partial VPN configuration. When done, click Generate to obtain the encrypted string and add it to the config as in the example below.

The credential information you entered is exposed to the VPN scripts as the environment variables VpnProfile, VpnUsername and VpnPassword.

<config>
  <options>
    <UpdatePasswordCache value="true" />
    <UpdatePasswordCacheForAnyDomain value="false" />
    <usefullvpnconnection value="true" />
    <vpnconfiguration value="M34C5wuzRP............................................................... =" />
  </options>
</config>

Creating a script

You can use the example scripts in the PMWindowsClient\vpn folder, if present, or ask support for examples.

The Windows Client makes the credential information available to the VPN script it has been configured to run by creating the following environment variables:

  • VpnProfile
  • VpnUsername
  • VpnPassword
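The following is an added example of a VPN open/close script consuming those three variables; it is not one of the FastPass sample scripts. It assumes that the Windows Client has populated VpnProfile, VpnUsername and VpnPassword in the script's environment, and that VpnProfile names a Windows RAS/VPN phonebook entry that rasdial.exe can dial. The script name, the -Action parameter and the 30-second timeout are this example's own choices.

```powershell
# vpn-open.ps1 -- added example, not a FastPass script.
# Assumed contract: the MyPass Windows Client sets $env:VpnProfile, $env:VpnUsername and
# $env:VpnPassword before running this script, and VpnProfile is a RAS/VPN phonebook entry.
param(
    [ValidateSet('Open', 'Close')]
    [string]$Action = 'Open'
)

$vpnProfile = $env:VpnProfile     # not named $profile, which is a PowerShell automatic variable
$user       = $env:VpnUsername
$password   = $env:VpnPassword

if ([string]::IsNullOrWhiteSpace($vpnProfile)) {
    Write-Error 'VpnProfile is not set; the client did not hand over a VPN profile.'
    exit 2
}

# rasdial.exe with no arguments lists the active connections; use that to test state.
function Test-VpnConnected([string]$Name) {
    $listing = (& rasdial.exe) -join "`n"
    return $listing -match [regex]::Escape($Name)
}

if ($Action -eq 'Close') {
    & rasdial.exe $vpnProfile /DISCONNECT | Out-Null
    exit $LASTEXITCODE
}

# Do not dial a second session if the profile is already up.
if (Test-VpnConnected $vpnProfile) {
    Write-Output "Profile '$vpnProfile' is already connected."
    exit 0
}

# If the client passed no user name, fall back to credentials saved in the phonebook entry.
# Never echo $password anywhere: only the profile name and the exit code are logged.
if ([string]::IsNullOrEmpty($user)) {
    $out = & rasdial.exe $vpnProfile
} else {
    $out = & rasdial.exe $vpnProfile $user $password
}
$rc = $LASTEXITCODE
if ($rc -ne 0) {
    Write-Error "rasdial failed for '$vpnProfile' with exit code $rc`: $out"
    exit $rc
}

# Bounded wait until the connection is reported active, so the client does not contact
# the MyPass server before the tunnel exists.
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 2
    $connected = Test-VpnConnected $vpnProfile
} until ($connected -or (Get-Date) -gt $deadline)

if (-not $connected) {
    Write-Error "VPN '$vpnProfile' did not come up within 30 seconds."
    exit 1
}
Write-Output "VPN '$vpnProfile' is connected."
exit 0
```

Two practical caveats: rasdial takes the password on its command line, where any process able to enumerate command lines on the machine can read it, so keep the VPN account's privileges to the minimum the tunnel needs; and the script should return a non-zero exit code on failure, as above, so the client can tell that the tunnel never came up rather than proceeding to contact the server over a non-existent connection.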

Signing scripts

By default, the scripts that open the VPN are executed as they are. It is however possible to require that the scripts be signed, which also ensures that nobody has tampered with them.

  • To enable signature verification, create the following key in the registry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp\Windows Client\Security\
  • Under this key, create the following REG_SZ entry with the value True:
    • VerifyFileSigningOfCommandLineScripts

This key needs to be readable only by the local system account, so it is advised not to allow anyone else to read it.

Furthermore, revocation (CRL) checking of the certificates that signed the scripts is controlled by the following REG_SZ entry under the same key; set it to NoCheck to disable revocation checks:

  • VerifyFileSigningOfCommandLineScripts_CertificateRevocationMode
  • Syntax: one of NoCheck | Offline | Online
  • Default: Online

Please note that signature verification only works if the signer's certificate is installed in the machine's "Trusted Publishers" certificate store.
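The following is an added PowerShell example that carries out the whole signing setup described in this section: creating the registry key and its two values, restricting the key's ACL to SYSTEM (plus local Administrators for manageability), installing the signer's certificate in Trusted Publishers, and signing the scripts. It is not part of the FastPass Windows Client. It assumes the VPN scripts are PowerShell (.ps1) files under the PMWindowsClient\vpn folder, that the code-signing certificate is in the machine's personal store, and that a public timestamp server is reachable; the script folder path, parameter names and timestamp URL are this example's assumptions.

```powershell
# configure-script-signing.ps1 -- added example, not FastPass code. Run elevated.
# Assumptions: the VPN scripts are .ps1 files in $ScriptFolder; the signing certificate
# is in Cert:\LocalMachine\My; the client runs as LocalSystem, so SYSTEM must read the key.
#Requires -RunAsAdministrator
param(
    [string]$ScriptFolder = 'C:\Program Files\FastPassCorp\PMWindowsClient\vpn',  # assumed location
    [string]$SignerThumbprint,    # thumbprint of the code-signing cert in Cert:\LocalMachine\My
    [string]$SignerPublicCer,     # .cer export of that signer, for the Trusted Publishers store
    [ValidateSet('NoCheck', 'Offline', 'Online')]
    [string]$RevocationMode = 'Online'
)
$ErrorActionPreference = 'Stop'

$keyPath = 'HKLM:\SOFTWARE\FastPassCorp\Windows Client\Security'

# 1. Create the key and the two REG_SZ values documented above.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name 'VerifyFileSigningOfCommandLineScripts' `
    -PropertyType String -Value 'True' -Force | Out-Null
New-ItemProperty -Path $keyPath -Name 'VerifyFileSigningOfCommandLineScripts_CertificateRevocationMode' `
    -PropertyType String -Value $RevocationMode -Force | Out-Null

# 2. Lock the key down: drop inherited rules, then allow only SYSTEM (the client's account)
#    and local Administrators (so the key can still be managed). Nobody else can read it,
#    which also stops a non-admin user from flipping the value back to False.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $principal, 'FullControl', $inherit, $prop, $allow)))
}
Set-Acl -Path $keyPath -AclObject $acl

# 3. Put the signer's certificate in the machine's Trusted Publishers store; without it,
#    verification fails even for correctly signed scripts.
if ($SignerPublicCer) {
    Import-Certificate -FilePath $SignerPublicCer `
        -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null
}

# 4. Sign every script in the VPN folder (SHA-256, timestamped so the signature outlives
#    the certificate) and stop on the first failure.
if ($SignerThumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$SignerThumbprint"
    Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -Recurse | ForEach-Object {
        $sig = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'  # assumed TSA
        if ($sig.Status -ne 'Valid') { throw "Signing $($_.FullName) failed: $($sig.StatusMessage)" }
    }
}

# 5. Report: anything that is not 'Valid' here will be refused once verification is on.
Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -Recurse |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Select-Object @{ n = 'Script'; e = { $_.Path } }, Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Re-run step 4 after every edit to a script, since any change to a signed file invalidates its signature; and if the machine cannot reach the CRL distribution points of the signing chain while the VPN is down, expect failures with the default Online mode, which is the case in which Offline or NoCheck is meant to be used.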