{
  "id": 99,
  "date": "2008-01-18T22:42:09",
  "date_gmt": "2008-01-19T04:42:09",
  "guid": {"rendered": "http:\/\/thepizzy.net\/blog\/?p=99"},
  "modified": "2011-02-24T09:40:18",
  "modified_gmt": "2011-02-24T15:40:18",
  "slug": "poc-openvpn-internet-ms-exchange-active-directory-windowslinux-mobile-client",
  "status": "publish",
  "type": "post",
  "link": "https:\/\/thepizzy.net\/blog\/2008\/01\/poc-openvpn-internet-ms-exchange-active-directory-windowslinux-mobile-client\/",
  "title": {"rendered": "POC: OpenVPN + Internet + MS Exchange Active Directory + Windows\/Linux Mobile Client"},
  "content": {"rendered": "<p>I have this idea, ok? What I noticed while migrating some of the users from the Admissions Department at the University for which I work, was that it was tough to explain to them sufficiently that:<\/p>\n<ul>\n<li>Their passwords are going to have to change at some point, due to security policy.<\/li>\n<li>When they change it on their desktop, it&#8217;s not automatically done on their laptop.<\/li>\n<li>After changing the desktop password, they need to connect the laptop to the network and then login with that new password for it to be cached.<\/li>\n<\/ul>\n<p>Now, it&#8217;s easy to write out, and easy for a tech to understand the scenario &#8211; but it&#8217;s not that easy for a 45yr old Hispanic guy who hates his laptop anyway to grasp. But what if they didn&#8217;t have to grasp anything? What if no matter where you were, the login process and the features available were as seamless in Wisconsin as if you were sitting at your desk in Texas?<\/p>\n<p>What I&#8217;m proposing is this:<\/p>\n<ul>\n<li>Internet is gained through the use of a mobile AirCard, that is set to automatically connect once plugged in. If no AirCard, some other form of high-speed internet would suffice, and possibly be preferred.<\/li>\n<li>Use OpenVPN as a system service that runs when Windows boots. It makes its connection to the Main Network with a PSK (pre-shared key), authenticates, and then routes all internet and network traffic through that connection.<\/li>\n<li>A Windows or Linux client that has been previously joined to the Active Directory Domain on campus.<\/li>\n<\/ul>\n<p>Upon boot, the computer connects to the internet, and then sets up the VPN connection to the main campus. This is done as a Windows or Linux service. When the login prompt appears, the user enters their most recent credentials for the main campus, and logs in. These credentials are then passed through the secured VPN to the main campus, authenticated against LDAP or AD, and their group policies, logon scripts, and other drive mappings are passed back down to the client. After the personal settings have loaded, their laptop experience is just as it would be if they were on the main campus LAN &#8211; but all their traffic is secured, and over a WAN.<\/p>\n<p>Can it be done? Has it been done? Is there a step I&#8217;m missing &#8211; or some important brick preventing it?<\/p>\n", "protected": false},
  "excerpt": {"rendered": "<p>I have this idea, ok? What I noticed while migrating some of the users from the Admissions Department at the University for which I work, was that it was tough to explain to them sufficiently that: Their passwords are going to have to change at some point, due to security policy. When they change it [&hellip;]<\/p>\n", "protected": false},
  "author": 1,
  "featured_media": 1187,
  "comment_status": "open",
  "ping_status": "open",
  "sticky": false,
  "template": "",
  "format": "standard",
  "categories": [3, 15],
  "tags": [193, 185, 206, 170, 184, 192, 203, 183, 199, 189, 186, 197, 194, 202, 163, 191, 187, 196, 188, 201, 198, 200, 195, 169, 205, 137, 190, 204, 139]
}