Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?

Hi,

First timer here so please bear with me!

Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)

When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.

I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.

Am I missing something on the options for the GP preference to set this automatically?

I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.

Any help would be greatly appreciated!

Thanks a lot!

David

May 11th, 2011 3:59pm

Hi David,

You could disable split-tunneling by remote access policy IP filters.

Open RRAS console--Remote Access Policy--Connections to Microsoft Routing and Remote Access server--edit profile--ip--ip filter, inbound filter only permit source ip from VPN clients, outbound filter only permit destination ip to VPN clients.

Split-tunneling Security Issues

http://technet.microsoft.com/en-us/library/bb878117.aspx

May 12th, 2011 9:05am

David,

It's quite obvious Rick Tan has not understood your question and issue here.

If I can clarify, the default behavior when creating a manual VPN connection results in the setting Networking > IPv4 > Properties > Advanced > IP Settings > "Use default gateway on remote network" being selected. This is a desired setting, I believe, in most cases.

When automating this, as most organisations would want to achieve via Group Policy, using Computer Configuration > Preferences > Control Panel Settings > Network Options > VPN Connection, there isn't an option to set this in the GP Preference item.

As you mention David, you may be able to script up an edit of this .pbk file. A better solution is to create the .pbk file from your manual VPN setup, make sure you have all the correct settings, no username/password.

Copy the file to your Netlogon share, then use GP Preferences to do a simple file deployment with an Update or Replace method.

I'll be trialing this now and post an update ASAP.

EDIT: Works perfectly! Just make sure you make the file preference item with a Replace method. Dear Microsoft, this is a terrible default behaviour. Please look at this for the next versions of Group Policy.

Hope this post helps others in the future.


  • Proposed as answer by Shane Borczuch Wednesday, July 13, 2011 7:12 AM
  • Edited by Shane Borczuch Wednesday, July 13, 2011 7:15 AM solution works, editing results. proposed as answer.
  • Marked as answer by Rick Tan (Moderator) Friday, July 15, 2011 9:24 AM
July 13th, 2011 4:21am

Shane,

There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections. (All VPN connections are stored in the same .pbk file.)

Here's the trick: Opening the .pbk file in Notepad, I realized that this is actually an old-style ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connection names, like [My VPN], and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".

So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
Create a new object with Action = Update, and File Path =
C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
(If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
Section Name should be the display name of your VPN connection, without the brackets.
Property Name = IpPrioritizeRemote
Property Value = 1

Peter, www.skov.com, Denmark

September 12th, 2011 8:35pm


I can confirm that this solution is working. Before this I deployed VPN connections with a .CMP profile. Actually, the path for a single user is %appdata%\microsoft\network\connections\pbk\rasphone.pbk

Thanks for the tip with .INI.

Regards

Jiri


  • Edited by Jiri Pihik Tuesday, November 20, 2012 2:16 PM
November 20th, 2012 2:14pm
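Whichever way the flag is deployed (Peter's Ini Files preference item or Shane's whole-file replacement), an admin still wants to verify on the client that no phonebook entry ended up with split tunnelling allowed. The script below is an added example, not code from this thread; it parses the ini-structured rasphone.pbk exactly as Peter describes it (section = connection name, IpPrioritizeRemote = the flag) and checks both the all-users file and each profile's per-user copy at the %appdata% path Jiri gives. The function names are my own and it assumes PowerShell 2.0 or later, as shipped with Windows 7.

```powershell
# Added example: audit every rasphone.pbk on this machine and list VPN entries
# whose IpPrioritizeRemote flag is not 1, i.e. where split tunnelling is possible.

function Get-PbkEntries {
    param([string]$Path)
    # Minimal ini parser: "[Section]" headers are the VPN connection display names,
    # followed by key=value lines such as IpPrioritizeRemote=1.
    $entries = @{}
    $current = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $entries[$current] = @{}
        } elseif ($current -and $trimmed -match '^([^=]+)=(.*)$') {
            $entries[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $entries
}

function Test-DefaultGatewayFlag {
    param([string]$Path)
    # Emits one object per connection; DefaultGateway is $false when the
    # "Use default gateway on remote network" box would be unticked.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $entries = Get-PbkEntries -Path $Path
    foreach ($name in $entries.Keys) {
        $flag = $entries[$name]['IpPrioritizeRemote']
        New-Object -TypeName PSObject -Property @{
            PbkFile        = $Path
            Connection     = $name
            DefaultGateway = ($flag -eq '1')
        }
    }
}

# All-users phonebook (the path used in the GPO above) plus each profile's
# per-user phonebook (the %appdata% path Jiri mentions), resolved for every user.
$pbkPaths = @("$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk")
$pbkPaths += Get-ChildItem -Path "$env:SystemDrive\Users" |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk' }

# Anything listed here is a connection that would allow split tunnelling.
$pbkPaths | ForEach-Object { Test-DefaultGatewayFlag -Path $_ } |
    Where-Object { -not $_.DefaultGateway } |
    Format-Table PbkFile, Connection, DefaultGateway -AutoSize
```

Run it under an account that can read the other users' profile folders (or as a startup script) so the per-user phonebooks are actually inspected; an empty table means every entry has IpPrioritizeRemote=1.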


To answer this, I think this is something that is carried across all network connections?
April 6th, 2015 10:45pm
