EdgeX domain policy problems

[Ckiller]

Hello

Ive setup a VPN community with VPN edge boxes and a FW NG /ip530 fw as a center.

The problem is that my AD domain policys seems to be unable to pass through the VPN tunnel. Now i dont get any logs sayin that its a problem. I can reach the machines and the machines can reach the internal net.
Adding machines to the AD domain in the VPN community (satelite locations) is workin like a charm

DNS/wins updating doesnt work that good either often instead of pointing to the host im tryin to reach it shows the external interface of the FW

Im in a bit of a haze of what to do and any suggestions is welcome

[itadmin]

We're seeing exactly the same problem here with two Edge Xs connecting to NGX R60.

Joining remote computers to AD, logins etc all work, but group policy download does not.

Group policy updates do require "unusual" ICMP traffic to get through. We had to disable a couple of smartdefense settings on the Edge relating to NULL and oversized ICMP packets otherwise we got drops on rules -13 and -14 in SmartDashboard, but since then all traffic goes through but no domain policy updates work.

[cjmiller2]

Were you able to solve these issues with Group policy over the VPN

[itadmin]

Quote:

Originally Posted by cjmiller2

Were you able to solve these issues with Group policy over the VPN

Yes we were. As per my original post we had to disable the ICMP NULL and ICMP Oversize options on the Edge. That would allow us to bind PCs into Active Directory and do domain logins. To get the domain policies to work we had to fiddle with Window's "slow link detection" code.

I'm not a Windows expert. One of my team figured out the necessary runes, but as I understand it when communicating with AD for group policy the PC will try various types of ping and based on the response time will decide whether it is a "slow" link or not. Now the fact that two of the attempted ping types are NULL and oversized the Edge drops them so Windows thinks it is a slow link. Just disabling the SmartDashboard ping rules wasn't enough. We needed to mod some reg keys to get a group policy download. Once that was in place we had the same reg keys in the login scrips for the users on that site and that has kept things working reliably.

We have 7 VPN-1 Pros and 2 Edges. The Edges are on the small sites (6 & 2 people) so didn't warrant a local AD box so we never saw this issue until we deployed the Edges.

Apply these, reboot and then you should be running

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win dows\System]
"GroupPolicyMinTransferRate"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Wind ows\System]
"GroupPolicyMinTransferRate"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Wind ows\System]
"PingBufferSize"=dword:00000500

There is an easy way to test this. If you run 'gpresult' in a command prompt before applying the key you should get an error about RSOP data if logged in as a domain user. Once you've applied that key & rebooted for the current user you should get a dump of the policy settings for that user.

Since 2 of the keys are for the current user you'll have to put these in the login scripts for the users behind the Edge.

Hope this helps

Neil.