client login to domain controller behind VPN appliance - possible?

[Guest Todd H.]

Greetings,

 

I'm new to Windows Server 2003, but been around computing for quite a

while. I'm contemplating a centralized profile solution for two mobile

users (we hope to grow eventually to 5-10).

 

For our mobile, dispersed workforce, I'm a dedicated Windows 2003

server externally hosted, and (hopefully) accessible behind a managed

non-microsoft VPN appliance. This vpn appliance uses its own client

software to connect.

 

My question is whether/how an XP Pro client would initially login to

the domain... because they'll need to login to their worksation first

to launch the vpn client to be able to see the win2003 server at all.

 

 

Is this a situation where the initial connection to the domain must be

on the LAN so the profile can be pulled down from the domain

controller?

 

Thanks in advance for any help or pointers to documentation -- my

searching at microsoft.com for info on this setup has not been

fruitful (lots of talk about ISA server and microsoft VPN's). If what

I'm trying to accomplish is irretrievably screwed, I'd also welcome

alternative setup suggestions!

 

Best Regards,

--

Todd H.

http://toddh.net/

[Guest Danny Sanders]

Re: client login to domain controller behind VPN appliance - possible?

 

> Is this a situation where the initial connection to the domain must be

> on the LAN so the profile can be pulled down from the domain

> controller?

 

Yes.

 

After that they can log into the domain with cached credentials.

 

 

hth

DDS

 

"Todd H." <comphelp@toddh.net> wrote in message

news:84wsxdz5ct.fsf@ripco.com...

>

> Greetings,

>

> I'm new to Windows Server 2003, but been around computing for quite a

> while. I'm contemplating a centralized profile solution for two mobile

> users (we hope to grow eventually to 5-10).

>

> For our mobile, dispersed workforce, I'm a dedicated Windows 2003

> server externally hosted, and (hopefully) accessible behind a managed

> non-microsoft VPN appliance. This vpn appliance uses its own client

> software to connect.

>

> My question is whether/how an XP Pro client would initially login to

> the domain... because they'll need to login to their worksation first

> to launch the vpn client to be able to see the win2003 server at all.

>

>

> Is this a situation where the initial connection to the domain must be

> on the LAN so the profile can be pulled down from the domain

> controller?

>

> Thanks in advance for any help or pointers to documentation -- my

> searching at microsoft.com for info on this setup has not been

> fruitful (lots of talk about ISA server and microsoft VPN's). If what

> I'm trying to accomplish is irretrievably screwed, I'd also welcome

> alternative setup suggestions!

>

> Best Regards,

> --

> Todd H.

> http://toddh.net/

[Guest Todd H.]

Re: client login to domain controller behind VPN appliance - possible?

 

"Danny Sanders" <DSanders@NOSPAMciber.com> writes:

> > Is this a situation where the initial connection to the domain must be

> > on the LAN so the profile can be pulled down from the domain

> > controller?

>

> Yes.

>

> After that they can log into the domain with cached credentials.

>

> hth

> DDS

 

Unfortunately that's not what I was hoping to hear. Surely there's

some way around this?

 

The (common?) scenario where this is troublesome is when domain

controller is in, say New York, new remote employee is in LA, and

there's no permanent office network to speak of--just remote vpn

access via the third party vpn client.

 

Creating a site to site VPN would be one possible workaround I

suppose. Or, having initial setup of that employees workstation

done on the LAN in New York....

 

Does the caching of the credentials not occur when an XP Pro box is

joined to a domain (while logged into the local user account?)? Or

does it happen on the first login of that new domain user to the

domain?

 

Best Regards,

--

Todd H.

http://www.toddh.net/

[Guest Lanwench [MVP - Exchange]]

Re: client login to domain controller behind VPN appliance - possible?

 

Todd H. <comphelp@toddh.net> wrote:

> "Danny Sanders" <DSanders@NOSPAMciber.com> writes:

>

>>> Is this a situation where the initial connection to the domain must

>>> be on the LAN so the profile can be pulled down from the domain

>>> controller?

>>

>> Yes.

>>

>> After that they can log into the domain with cached credentials.

>>

>> hth

>> DDS

>

> Unfortunately that's not what I was hoping to hear. Surely there's

> some way around this?

>

> The (common?) scenario where this is troublesome is when domain

> controller is in, say New York, new remote employee is in LA, and

> there's no permanent office network to speak of--just remote vpn

> access via the third party vpn client.

>

> Creating a site to site VPN would be one possible workaround I

> suppose. Or, having initial setup of that employees workstation

> done on the LAN in New York....

>

> Does the caching of the credentials not occur when an XP Pro box is

> joined to a domain (while logged into the local user account?)?

 

No.

> Or

> does it happen on the first login of that new domain user to the

> domain?

 

Yes.

>

> Best Regards,

 

If this is a laptop,configure it in New York and ship it out to LA. The

domain user has to have logged in once (with connectivity to a DC) in order

for them to be able to log in at all with cached credentials.

 

What's the point of joining the computer to the domain if they're never (or

v rarely) going to be on a network with a DC? I wouldn't.