Sysadmins have long battled against sneakernet. The very idea that we would need to leave our chairs to go to an end-users workstation is almost unimaginable. PDQ.com has been proud to step in and help you keep firmly seated in your undoubtedly comfy seat. However, times changed faster than we could ever predict; the great evil went from sneakernet to helping your rapidly expanding remote workforce. We admit we got caught a little flat-footed by it. Luckily, PDQ’s developers are something beyond excellent. PDQ.com has developed a remote connection utility called RAS VPN Setup Wizard. This utility is free for all users but is not supported by PDQ.com. RAS VPN Setup Wizard will allow you to maintain your excellent services and expand them to any workstation with an internet connection. If you have not yet downloaded RAS VPN Setup Wizard, now is the time.
Let’s get the first concern out of the way; this will not require you to purchase any new hardware or software. We achieved this by utilizing built-in Windows Server roles Remote Access Server (RAS) and Network Policy Server (NPS). In under 15 minutes, we will get you all set up and provide an installer for your workstations. After installing on the workstation, the machine will initiate a connection to your server if they are authorized to connect to your network. This allows you to use PDQ Deploy and PDQ Inventory without issue. No need for your users to do anything. As a happy side note, your users can access any internal resources as well.
The majority of work for RAS VPN Setup Wizard is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your RAS VPN server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.
With the networking completed, the next step is installing the product. The machine has three requirements for the server to be able to work with RAS VPN Setup Wizard.
Windows Server 2012 R2 or later
Windows PowerShell 5.1 or later
Joined to AD Domain
Once you double click on the installer, it will check that all prerequisites are met. The next screen is the configuration screen. Here is where we enter the last bits of information you need to have RAS VPN up and running.
If you have a cert already available, you can select that here, if not, enter in a password, and RAS VPN Setup Wizard will create a new one for you. This certificate will be installed in the RAS VPN server’s certificate store. If we generate one for you, you can always export it and re-use it should you need to.
The Active Directory group you put into this section will need to be a user group that contains the names of all remote users that will require a connection. I don’t want to tell you how to do your job, but I might recommend naming it something like “Remote Users,” or maybe even “VPN Users.”
In the example we have below, I have put Domain Users, which would allow any AD account in your name to connect. If this is something you would need to restrict more, you would need to build a new group that contains the correct group of users you need to have.
Client Connection is where you enter information that will let the client installer know where these machines will be connecting. Connection name can be whatever you want to name it. I recommend keeping that as the default. The server hostname is the publicly resolvable DNS name or IP address of your RAS VPN server. This should match the changes made to your external firewall.
If you have a static IP from your ISP, then you are done. If you do not, it may be wise to look into setting up a dynamic DNS solution on your server to ensure the public record is getting up to date. This will help ensure that remote machines will be able to connect through RAS VPN and save you from needing to update the Client installation.
Once you click on next, it will take 5 to 10 minutes to get everything configured. Once it has completed, you will get an installer for your clients. The RAS VPN setup initiates an auto-logon, so it will be required that these remote machines are AD joined. Make sure you keep this safe, as the installer will work for all future computers you would like to have connected. Once installed, the client will automatically connect when the user logs in. You will again be able to scan and deploy to these machines allowing you to maintain your elite services to all users, no matter where they may be connected.
Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.