Partial VPN

Author: [email protected] 48 views

Here are the overall steps in the communication when the Partial VPN is in use:

  1. When the Windows Client starts, it will open the web-page and display it to the user.
  2. Once the user activates the Exit button, and the feature is enabled in the PMWindowsClient-config.XML file, the credentials are attempted to be fetched from Password Manager.
  3. The VPN feature also needs to be enabled on the server, from there the client will get details like the script names etc.
  4. If and only if a password reset has been successfully carried out the VPN script specified in the config will be called
  5. If the connection succeeds and Windows Client can connect to a domain controller the Password Cache is updated
  6. The close VPN script is called
  7. Windows Client exits Windows Client will call the script –the script itself needs to be changed to fit the customer’s VPN software. Example scripts are found in the VPN folder under the FastPassWindowsClient folder.

Server Preparations

On the server side the VPN setup can be enabled by opening the administration client and clicking the Feature settings->Windows Client icon (if not present the feature might be missing in your License). When opening, the following screen appears:

By default, the “settings for local Connections” is enabled. This will let Windows Client update the locally cached password on the LAN and not wait for the user to login manually. To enable the VPN feature, we need to adjust the settings for “Settings for Remote Connections”.

Basic Settings

  • Profile Name – this name is relayed to the Windows Client and will be available in the VPNScript as an environment variable
  • Credential mode:
    • User Credentials (The user’s username and password) (cannot be used with the Full VPN feature)
    • Specific Password (The user’s username and the specified password)
    • Specific Credentials (The specified username and password)
  • Username – Is only used when the specific credentials are used
  • Password – Is only used when the “specific credentials” or “specific password” is used

VPN Opening Settings

  • VPN Open Script – The name of the script/executable to be called -must be residing in the FastPassWindowsClient\VPN folder
  • Delay before open – Sets the number of seconds to wait before calling the script
  • Open operation timeout – Specifies how long time to wait the VPN open operation to complete
  • Delays after open –  Specifies how long to wait before moving to the Update operation.

Update Operation Settings

  • Delay before update –  Sets the number of seconds to wait before attempting the operation
  • Number of update retries – How many times to retry the operation if it fails
  • Delay between retires – Specifies how long time to wait before making a retry operation
  • Delays after update – Specifies how long to wait before moving to the close operation.

VPN Closing Settings

  • VPN Close Script – The name of the script/executable to be called -has to be residing in the PMWindowsClient\VPN folder
  • Delay before close – Sets the number of seconds to wait before calling the script
  • Close operation timeout – Specifies how long time to wait for the VPN close operation to complete
  • Delays after Close – Specifies how long to wait before exiting.

Configuration Changes

There are a few things to prepare on the Windows Client. In the PMWindowsClient-config.xml file you need to have enable the VPN feature by setting the UsePartialVpnConnection to true like this:

<config>
<options>
<UpdatePasswordCache value="true" />
<UpdatePasswordCacheForAnyDomain value="false" />
<usepartialvpnconnection value="true" />
<usefullvpnconnection value="false" />

Creating a script

The Windows Client will make the credential information available to the Windows Client selected VPN script by creating the following environment variables:

  • VpnProfile
  • VpnUsername
  • VpnPassword