Group Policy Not Applied - Cisco VPN Client - Windows 7
Greetings, I am administering a Server 2003 AD environment with a mix of XP and Windows 7 clients. I am having an issue in which Group Policy (computer policy) is not applied to Windows 7 computers when they connect to the network via the Cisco VPN client (version 5.0.07).

As far as I can tell, the problem seems to be that Windows 7 Network Location Awareness (NLA overview: http://technet.microsoft.com/en-us/library/cc753545%28WS.10%29.aspx) does not detect the presence of a domain controller because NLA is not triggered when the Cisco VPN client connects. I have compared the behavior of a Windows 7 PC using a PPTP connection vs. the behavior of a Windows 7 PC using the Cisco VPN client. When using the PPTP VPN: the connection triggers NLA, the network is identified with a domain profile, and GPO is processed. When using the Cisco VPN client: the network identification process is never initiated when the client connects and the network is not identified with a domain profile, which means that GPO is not processed.

I have read more about how NLA works here: http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx and I have verified that the connection-specific DNS name of the Cisco VPN Client network adapter matches HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName and that the DCs are reachable.

Note: The Cisco VPN Client for Windows 7 and Vista does not support Start Before Logon (http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html), so I am unable to use this function to connect to the VPN prior to logon.

Does anyone have any experience with this, or know if there is a way to enable Windows 7 machines to process GPO when connecting to the network via the Cisco VPN Client?

-DanG549
June 2nd, 2011 2:20am

The cause of the issue is that the Cisco . Cisco already has an Enhancement for this, CSCtf56523 Windows Network Location Awareness (NLA). This information is available in the Cisco Support forums, https://supportforums.cisco.com/message/3300613

Cause: This is due to a design decision by Cisco. The Cisco VPN client adaptor was intentionally designed to follow the physical adaptor's Location Awareness setting. As a result, in the scenario above the Domain Profile WILL NOT be applied. Cisco has a bug filed for this. The Bug No. is CSCsi98118. There is a comment from a Cisco employee which states that "There is an enhancement request for this: CSCtf56523 Windows Network Location Awareness (NLA)".

Windows 7 allows the assignment of a unique network profile to each adaptor, including virtual adaptors that register properly. Consider the following:

1) A user connects to a public hotspot or home office network, resulting in the Public (or Private) Profile being applied to the physical adaptor.
2) The user establishes a VPN connection to the corporate domain.
3) The NLA determination process executes and the Domain Profile is applied to the VPN virtual adaptor.

Using the native Windows VPN connectoid, the profile determination process behaves as described above. However, if you use a Cisco VPN client the Domain Profile is not applied to the virtual adaptor as expected, despite the fact there may be full LDAP connectivity to domain resources.
June 2nd, 2011 9:01am
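The checks described in the question (connection-specific DNS suffix vs. the Group Policy History NetworkName, DC reachability) and the per-adapter profile determination described in the reply above, gathered into one diagnostic script. This is an added example, not code from either poster or from Cisco; it assumes PowerShell 2.0 on Windows 7 run from an elevated prompt, and uses the Network List Manager COM class (CLSID DCB00C01-570F-4A9B-8D69-199FDBA5723B) that NLA exposes.

```powershell
# Added diagnostic (not from the thread): show which adapter, if any, carries the
# Domain profile, so a GPO-not-applied-over-VPN report can be confirmed quickly.
# Assumes Windows 7 / PowerShell 2.0, elevated.

# 1. NetworkName that the Group Policy engine recorded at its last successful refresh
$histKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
$gpNetworkName = (Get-ItemProperty -Path $histKey -ErrorAction SilentlyContinue).NetworkName
Write-Host "Group Policy History NetworkName : $gpNetworkName"

# 2. Connection-specific DNS suffix of every IP-enabled adapter (VPN virtual adapter included)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    ForEach-Object {
        $match = if ($_.DNSDomain -eq $gpNetworkName) { 'matches' } else { 'DIFFERS' }
        Write-Host ("Adapter: {0}`n  DNS suffix: {1} ({2})" -f $_.Description, $_.DNSDomain, $match)
    }

# 3. Ask NLA (Network List Manager) which category each connected network received.
#    INetwork.GetCategory(): 0 = Public, 1 = Private, 2 = DomainAuthenticated
$nlmClsid = [Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'
$nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($nlmClsid))
$categories = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'DomainAuthenticated' }
$domainSeen = $false
foreach ($net in $nlm.GetNetworks(1)) {          # 1 = NLM_ENUM_NETWORK_CONNECTED
    $cat = [int]$net.GetCategory()
    if ($cat -eq 2) { $domainSeen = $true }
    Write-Host ("Network '{0}' -> {1}" -f $net.GetName(), $categories[$cat])
}

# 4. DC reachability through whatever adapter is up (LDAP locator via .NET)
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
    Write-Host "Domain controller located : $($dc.Name)"
} catch {
    Write-Host "No domain controller located : $($_.Exception.Message)"
}

# 5. Verdict: a reachable DC is not enough; computer GPO follows the Domain profile.
if (-not $domainSeen) {
    Write-Host 'No connected network has the Domain profile; expect computer GPO not to be processed.'
    Write-Host 'Confirm with: gpresult /r /scope computer'
}
```

With the Cisco IPSec client up, the script is expected to show a reachable DC and a matching DNS suffix while every network still reports Public or Private, which is exactly the combination the thread describes.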

Thanks very much for pointing me to this Cisco support forums post! I actually called Cisco TAC recently and was told that I should call Microsoft, as the issue was not with the Cisco VPN Client. Thanks for steering me in the right direction!

-DanG549
June 2nd, 2011 6:17pm

Update: I contacted Cisco TAC again and referenced the bug ID posted by _P_K_. This bug ID is for the Cisco AnyConnect client, and not for the Cisco IPSec client. The following was confirmed to me by Cisco Technical Support:

1. The Cisco AnyConnect client does not yet support registering with NLA in Windows 7. Bug ID CSCsi98118 is a feature request for this functionality in the Cisco AnyConnect client. I was told to contact my Cisco representative regarding this feature request to find out if it will be included in later versions or not.
2. The Cisco IPSEC client does not and will not support this functionality.

-Dan

-DanG549
June 13th, 2011 12:41pm
