Maybe a policy issue?

Tags: Active Directory
Forgive any ignorance this question may indicate and any lack of necessary details that it may have. I'm coming into a situation late, and I don't have a way to get more detailed info (it's a political thing). Here's the situation: we've got a recently acquired subsidiary that we're trying to integrate into our environment. They are in a Windows 2000 Active Directory environment. One of the early steps is to do away with the sub's need for their own ISP. We're connected via a dual T-1, so the connectivity is there. The next step is to have their remote users gain network access via VPN through our environment, and that's part of the problem. When their laptop users are connected to the sub's LAN, Internet browsing is fine. However, when they test over an isolated DSL line, the laptops cannot use SSL at all. Here's the rub: the lone tech on-site CAN use SSL, but only with his own laptop. If he logs on as a local admin on another laptop, SSL doesn't work. He insists that he's configured the second laptop to be identical to his own, but that doesn't seem to be the case. I'm not very experienced with AD (we're an eDirectory shop), but this sounds like some form of Group Policy issue, maybe for machines, but I don't know. Again, I apologize for my ignorance, but does any of this sound familiar to anyone?
ASKED: July 7, 2005  11:53 AM
UPDATED: July 12, 2005  2:05 PM

Answer Wiki


Trying to get some info on your situation first. AD/GPO *can* do quite a lot.

So you are trying to get the remote site to VPN to the home office, then from your site to go surfing. You have T-1s for tie lines. You reference SSL – I assume you are speaking of SSL-enabled websites (not SSL VPN).

They can still go direct to the Internet presently and can access secure websites while local.
If they use a DSL line (home? remote office? home office?) SSL is disabled (?) – do they still have Internet?
Remote site tech can SSL from his own, but not from another (as local admin) – is he successful if he logs in as a standard user (on either laptop)?

Discuss This Question: 4  Replies

 
  • Pedwards17
    Over the DSL line (testing from an additional line at the office), users can surf, but can't get to SSL. We have remote connectivity via Citrix (https://remote.company.com), but users can't get there over DSL. That answers another of your questions: it's just SSL, not VPN over SSL. The local tech is the only user on his laptop, but neither he nor an average user can hit SSL on other laptops over the DSL.
  • Cptrelentless
    Are you sure this isn't a firewalling issue somewhere? Sounds like port 443 is closed somewhere. The way to test if this is an AD policy-based issue is to move your machine and user account to a policy-free OU. When this refreshes you can test a standard laptop build to narrow down the possibilities. You can determine if it's user- or machine-based by using an account in your locked-down users' area on an unrestricted machine. This may explain your tech's connectivity. Also be aware that you can have a deny GPO based on group membership. Use the GPMC's Group Policy Results section to see the combined effect of your policies on a per-user, per-machine basis. Also, don't forget gpresult.exe, which can be run from the command line.
  • Obsidian
    If one laptop can get out and the rest can't... Check: 1) firewall or router ACLs that block by IP range; 2) GPOs that activate IP blocks on the local workstations; 3) target server host-based ACLs that may be prohibiting access; 4) a dynamic or static VLAN that maps *that* laptop's MAC address or port to a special VLAN with special rights/privs/access. Try something as simple as a service ping: try telnet 10.x.y.z 22 from the command line of your client and see if you get an SSH prompt. Good luck! -april
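The two replies above amount to a triage sequence: rule out a closed port or ACL first, then use gpresult / Group Policy Results to separate machine-scoped from user-scoped policy. The script below is an added example and is not part of the original thread. It assumes a current Windows client with PowerShell and gpresult.exe (both postdate this 2005 thread and its Windows 2000 environment), uses the Citrix host name from Pedwards17's reply only as a placeholder, and reads the Software\Policies Internet Settings keys and the SecureProtocols value as the candidates a practitioner would check, not as the setting the thread's rogue GPO actually contained (the thread never reports that detail).

```powershell
# Added triage example, not from the original thread. Assumes a current Windows
# client with PowerShell 5+ and gpresult.exe. $TargetHost is a placeholder taken
# from the thread's example URL; replace it with the real HTTPS host.
param(
    [string]$TargetHost = 'remote.company.com',
    [int]$Port = 443
)

# Step 1 (Obsidian's telnet test, without telnet): can the client open TCP 443?
# A timeout or refusal here is a firewall/ACL/route problem, not Group Policy.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 2: if the port is open, try a real TLS handshake. Open port + failed
# handshake points at the client side (protocol/cipher policy, proxy, cert
# store), which is where a machine- or user-scoped GPO would bite.
function Test-TlsHandshake {
    param([string]$HostName, [int]$Port)
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{ Ok = $true;  Protocol = $ssl.SslProtocol; Error = $null }
    } catch {
        [pscustomobject]@{ Ok = $false; Protocol = $null; Error = $_.Exception.Message }
    } finally {
        if ($client) { $client.Close() }
    }
}

# Step 3 (Cptrelentless's gpresult step): list the GPOs applied in each scope.
# Computer scope needs an elevated prompt; gpresult output is localized, so the
# marker string below assumes an English system.
function Get-AppliedGpo {
    param([ValidateSet('computer', 'user')][string]$Scope)
    $lines = & gpresult.exe /r /scope:$Scope 2>&1 | ForEach-Object { "$_" }
    $names = @(); $collect = $false
    foreach ($line in $lines) {
        if ($line -match 'Applied Group Policy Objects') { $collect = $true; continue }
        if (-not $collect) { continue }
        if ($line -match '^\s*-+\s*$') { continue }   # underline row under the heading
        if ($line -match '^\s*$') { break }            # blank line ends the list
        $names += $line.Trim()
    }
    return $names
}

# Step 4: policy-enforced Internet Settings live under Software\Policies and win
# over the user's own settings. Comparing HKLM (machine) with HKCU (user) tells
# you which scope to look in. SecureProtocols is a bitmask:
# 8=SSL2 32=SSL3 128=TLS1.0 512=TLS1.1 2048=TLS1.2; 0 disables every protocol.
function Get-PolicyInternetSettings {
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (Test-Path $path) {
            $p = Get-ItemProperty -Path $path
            [pscustomobject]@{
                Hive            = $hive
                SecureProtocols = $p.SecureProtocols
                Values          = ($p.PSObject.Properties |
                                   Where-Object { $_.Name -notlike 'PS*' } |
                                   ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }
    }
}

$reachable = Test-TcpPort -HostName $TargetHost -Port $Port
"TCP ${TargetHost}:${Port} reachable: $reachable"
if ($reachable) { Test-TlsHandshake -HostName $TargetHost -Port $Port | Format-List }
"Computer-scope GPOs: " + ((Get-AppliedGpo -Scope computer) -join ', ')
"User-scope GPOs:     " + ((Get-AppliedGpo -Scope user) -join ', ')
Get-PolicyInternetSettings | Format-List
```

Run it once on the tech's laptop and once on a laptop that fails, both over the DSL line, and diff the output: a difference in step 1 is network, a difference only in steps 2 to 4 is client policy, and whether the difference shows up in the HKLM or the HKCU list tells you whether to look at computer or user configuration in the GPO.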
  • Pedwards17
    As I suspected, it was a rogue Group Policy. The on-site tech opened a case with MS, and they were able to find the policy and change it. I still have to get the details, but I wanted to keep everyone up-to-date. Thanks to all who took the time to share some insight. I appreciate it.
