
Using CMAK to automate VPN client connections

There are quite a few instructions on the Internet for automating VPN connections with CMAK, but each of them contained some unclear points that took time to resolve, so I decided to write my own instruction and make it available to others, in the hope that it saves someone valuable time or clears up some confusing point.



So, suppose we are tired of writing and updating instructions for Windows users on how to create a connection to our VPN server and would like to automate this by giving the user a ready-made program that creates a connection with predefined parameters and is ready to work in our network environment. The “Connection Manager Administration Kit” (CMAK) component built into Windows Server 2008 and Windows Server 2008 R2 will help with this (in the Russian edition it appears under its localized name). To install CMAK, start Server Manager and add the “Connection Manager Administration Kit” feature. This entire example is based on the Russian edition of Windows Server 2008 R2 SP1.


Installing a component in Server Manager:



After installation, the administration kit is available from the Start menu or from the “Administrative Tools” applet in Control Panel. When CMAK is launched, we are greeted by the administration wizard.



Click “Next” without hesitation. In the next window the wizard offers a choice of the operating-system family for which we are creating the connection. In Windows Server 2008 R2 this is either “Windows 7, Vista” or “Windows Server 2003, Windows XP, and Windows 2000”. If we select the Windows 7 and Vista item, the resulting connection is also suitable for Windows 8.



After selecting the operating systems, we must create a new profile or edit an existing one, if there is one (in our example we create a new one).



Next you need to enter the name of the connection being created (this is how it will be displayed in Windows network connections) and the name of the file the user will run. The file name must not exceed eight characters and is given without an extension.



After naming the connection, the wizard offers to add a realm name. If we do not plan to use our provider as an authentication gateway for our VPN server, we skip this step.



At the next stage we are invited to merge phone-book data from other existing profiles, so as not to enter it again in the new one. Since we have no other profiles, we simply go ahead.



Next we need to specify the IP address of the VPN server to connect.



We can specify a single fixed address, or a text file containing a set of addresses that will be offered to the user to choose from. The file has the following format:

[Settings]
default = name of the VPN server to be used by default (any of the entries listed below, for example “My VPN Server1”)
UpdateURL = URL of a text file with the server list (on every connection this file is refreshed from the specified URL)
Message = a message for the user, for example “Please select a server to connect to”

[VPN Servers]
My VPN Server1 = my1.example.com
My VPN Server2 = my2.example.com
My VPN Server3 = my3.example.com

In our example we restrict ourselves to a single server. On the same page, by the way, we can tick the option to use the same credentials for authentication on both the VPN server and the dial-up connection (if, of course, we want to use dial-up before establishing the VPN connection). All this is clearly visible in the screenshot above.
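A small checker for the server-list file in the format shown above, added here as an example (it is not code from the original article or from CMAK). It parses the two sections, confirms that the default entry names one of the listed servers and that every server has an address, and flags an UpdateURL that is not https. The https rule is this example's own policy and assumes the host serving the list supports TLS: the client refreshes the file on every connection and then dials whatever address it names, so a list fetched over plain http could be altered in transit. The sample file and hostnames are constructed.

```python
"""Validate a CMAK VPN server list file ([Settings] / [VPN Servers] format).

Added example, not part of the original article. The file layout follows the
article; the checks (default entry exists, every server has an address, the
UpdateURL is https) are this example's own policy.
"""
import configparser
from io import StringIO
from urllib.parse import urlparse

# Constructed sample in the article's format; the hostnames are placeholders.
SAMPLE_SERVER_LIST = """[Settings]
default=My VPN Server1
UpdateURL=http://vpn.example.com/servers.txt
Message=Please select a server to connect to

[VPN Servers]
My VPN Server1=my1.example.com
My VPN Server2=my2.example.com
My VPN Server3=my3.example.com
"""


def parse_server_list(text):
    """Parse the server list into (settings dict, servers dict), keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep "My VPN Server1" as written, do not lowercase it
    parser.read_file(StringIO(text))
    settings = dict(parser["Settings"]) if parser.has_section("Settings") else {}
    servers = dict(parser["VPN Servers"]) if parser.has_section("VPN Servers") else {}
    return settings, servers


def check_server_list(text):
    """Return a list of problems found; an empty list means the file passed."""
    problems = []
    settings, servers = parse_server_list(text)

    if not servers:
        problems.append("no [VPN Servers] entries")
    for name, address in servers.items():
        if not address.strip():
            problems.append(f"server '{name}' has no address")

    default = settings.get("default", "")
    if default and default not in servers:
        problems.append(f"default '{default}' is not one of the listed servers")

    # The client re-downloads this file on every connection and then dials whatever
    # address it names, so the update URL should be fetched over TLS (assumes the
    # host serving the list supports https).
    update_url = settings.get("UpdateURL", "")
    if update_url and urlparse(update_url).scheme.lower() != "https":
        problems.append(f"UpdateURL is not https: {update_url}")

    return problems


if __name__ == "__main__":
    for issue in check_server_list(SAMPLE_SERVER_LIST) or ["server list OK"]:
        print(issue)
```

Run it against the real list before it is published at the UpdateURL; since every client re-reads that file on each connection, a mistake there (or a missing default) affects all users at once.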

The next window lets us go to the settings of our tunnel.



By clicking “Edit” we can configure the basic parameters of our VPN connection. On the “General” tab we select the address types we want to use (“IPv4”, “IPv6” or both) and can also disable “File and Printer Sharing” if we do not need it.



The “IPv4” tab configures settings for that protocol: DNS, WINS, use of the connection as the default gateway, and compression. Some instructions suggest that, if the VPN connection should not be the default gateway, this setting be left enabled here and a REMOVE_GATEWAY directive be used in the static-routes file instead. Empirically, that approach works erratically and leads to a bug where, after connecting, the host stops using its own default gateway altogether. This setting itself, on the other hand, behaved correctly: if we do not need the VPN server as the default gateway, we simply clear this checkbox here and later add static routes for the networks that must go through the VPN.



The settings for the IPv6 protocol are almost the same.



On the “Security” tab we choose the tunnel protocol we need (PPTP, L2TP, SSTP); we can choose just one, or choose the order of connection attempts. For example, if we choose to try L2TP first, PPTP will be tried after L2TP, then SSTP, and so on. Various encryption options are also available here. For L2TP, for example, a pre-shared key can be specified; in that case, after the VPN connection is configured, the wizard offers to encrypt the key with a PIN that the user must enter when establishing the connection. The same window configures authentication methods: the generally more secure EAP, or MS-CHAP v2, for example. For this article, L2TP first with a pre-shared key was chosen.



On the “Advanced” tab you can specify the DNS suffix that the client connection will use.



The window for entering the pre-shared key and the PIN used to encrypt it.



Next the wizard suggests entering a phone book for dialing in to a dial-up server. These days, I think, this is not relevant, so we clear the checkbox “automatically download phone book updates” and click “Next”.



If dial-up is not relevant for us, we skip the next window in the same way.



Next we are offered the opportunity to update the routing table. If this is relevant, add a route file. Here is an example. Suppose we want the client to reach the 192.168.0.0/24 network through our VPN connection (the VPN network is reachable from the 192.168.0.0/24 network), while the client's own default gateway should remain in place. Then we add a text file with a route of the following content:

ADD 192.168.0.0 MASK 255.255.255.0 default METRIC default IF default

Attention! The file must be in ANSI encoding, not UTF-8. If we have cleared the checkbox “Make this connection the client's default gateway”, no REMOVE_GATEWAY directives are needed here.
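Because the two rules above (ANSI encoding, no REMOVE_GATEWAY once the gateway checkbox is cleared) are easy to get wrong and only show up as odd routing on the client, here is a checker for the route file, added as an example; it is not code from the article or from CMAK. It rejects a UTF-8 BOM or non-ASCII bytes, flags REMOVE_GATEWAY when the VPN is not the default gateway, and checks that each ADD line has the shape shown above with a valid network and mask. The grammar is this example's own and covers only the two directives the article mentions; the sample file is constructed from the article's single route.

```python
"""Check a CMAK static-route file before shipping it in a profile.

Added example, not part of the original article. It implements the two rules the
article gives (ANSI, not UTF-8; no REMOVE_GATEWAY when the gateway checkbox is
cleared) plus a syntax check for the ADD line. The grammar covers only the
directives the article mentions (ADD and REMOVE_GATEWAY); that is an assumption.
"""
import ipaddress
import re

# ADD <network> MASK <mask> <gateway> METRIC <metric> IF <interface>; the article's
# example uses "default" for gateway, metric and interface.
ADD_LINE = re.compile(
    r"^ADD\s+(\S+)\s+MASK\s+(\S+)\s+(\S+)\s+METRIC\s+(\S+)\s+IF\s+(\S+)$", re.IGNORECASE
)

# Constructed sample: the article's single route, as raw bytes as it would sit on disk.
SAMPLE_ROUTE_FILE = b"ADD 192.168.0.0 MASK 255.255.255.0 default METRIC default IF default\r\n"


def check_route_file(data, vpn_is_default_gateway=False):
    """Return a list of problems found in the raw bytes of a route file."""
    problems = []

    # Encoding: a UTF-8 BOM or any non-ASCII byte means the file was not saved as ANSI.
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM; save it as ANSI")
        data = data[3:]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        problems.append("file contains non-ASCII bytes; route directives must be plain ANSI text")
        text = data.decode("latin-1")

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("REMOVE_GATEWAY"):
            if not vpn_is_default_gateway:
                problems.append(
                    f"line {lineno}: REMOVE_GATEWAY is unnecessary when the VPN is not the default gateway"
                )
            continue
        m = ADD_LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a recognised ADD directive: {line!r}")
            continue
        network, mask = m.group(1), m.group(2)
        try:
            # strict=True rejects a network with host bits set (e.g. 192.168.0.1/24)
            # and ipaddress rejects a non-contiguous mask.
            ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
        except ValueError as err:
            problems.append(f"line {lineno}: bad network/mask: {err}")
    return problems


if __name__ == "__main__":
    for issue in check_route_file(SAMPLE_ROUTE_FILE) or ["route file OK"]:
        print(issue)
```

Feed it the file's raw bytes (open in binary mode) rather than decoded text; the whole point of the encoding check is to see the BOM that a text editor would otherwise hide.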



You can also specify a URL to the file with the routing table; in that case it will be updated each time you connect.

In the next wizard window you can specify proxy settings for Internet Explorer while the VPN connection is active. The options are: do not configure proxy settings at all (first item), use the settings already configured by the user (second item), or use a prepared file containing the proxy settings (third item).



In the next window we can configure custom actions. For example, we may need to run some program or script each time the connection is started. In that case, click “Create” and go to the settings.



Here, besides our program or script, we can choose the events on which the action is performed, for example after connecting, or when an error occurs. If you tick “include the specified user action program in this service profile”, the program is copied into the connection profile (useful when we run something non-standard that is not available on other computers). If the program is supposed to interact with the user, the corresponding checkbox must be ticked at this stage.



Next you can define a picture different from the one shown in the default connection window.



And also for the phone book:



You can change the connection icon:



On the next screen you can supply your own .hlp help file, or leave the help offered by default.



Next, you can specify technical-support information (for example, a round-the-clock telephone service, etc.).



And what would it be without a license agreement? In general, if the user's consent to something must be confirmed, that can also be specified here by selecting a text file.



If we need to include additional files in the profile (for example, files used by our program or by the script we could choose above), we select them on the next screen.



This completes the setup; it remains to click “Next” in the next window and “Finish” in the final one. We will then see the path where the connection profile was created.



Before copying this profile to the client, in my opinion one more thing is worth mentioning: if everything is left as is, then in the case of a PPTP connection the user will be persistently prompted to specify the phone's regional (dialing location) settings, which we do not need. This is fixed by editing the file with the .cms extension that lies in the profile of our created connection: in this file, in the “[Connection Manager]” section, add the parameter “connectiontype = 1” and save the file. This must be done after the connection has been created, because whenever creation is completed or the profile is edited, the files are overwritten and the parameter is likely to be lost.
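Since the wizard overwrites the .cms file on every rebuild, the hand edit above is worth scripting as a post-build step. The following is an added example, not code from the article or from CMAK: it inserts the parameter into the “[Connection Manager]” section, replaces an existing value rather than adding a duplicate, and is safe to run repeatedly. It processes the file as plain lines instead of going through an INI library so that everything else in the .cms (other sections, key order, comments) is left exactly as CMAK wrote it. The sample .cms content is constructed; the key is written as ConnectionType (INI keys are case-insensitive, so this matches the article's lowercase spelling).

```python
"""Set ConnectionType=1 in a CMAK profile's .cms file, idempotently.

Added example, not part of the original article. It performs the edit the article
describes by hand: add "connectiontype = 1" to the [Connection Manager] section.
Lines are processed as text rather than through an INI library so that everything
else in the file (other sections, key order, comments) stays byte-for-byte intact.
"""
import re

SECTION = "[Connection Manager]"
KEY = "ConnectionType"  # INI keys are case-insensitive; the article writes it in lowercase

# Constructed sample .cms with two sections; a real file contains many more keys.
SAMPLE_CMS = """[Connection Manager]
CMSFile=myvpn.cms
ServiceName=My VPN
Version=7

[Strings]
CustomMessage=Hello
"""


def _insert_before_trailing_blanks(out, line):
    """Insert `line` into `out` after its last non-blank line (keeps section spacing tidy)."""
    pos = len(out)
    while pos > 0 and out[pos - 1].strip() == "":
        pos -= 1
    out.insert(pos, line)


def set_connection_type(text, value="1"):
    """Return the .cms text with KEY=value present exactly once in [Connection Manager]."""
    key_line = f"{KEY}={value}\n"
    key_re = re.compile(rf"^\s*{KEY}\s*=", re.IGNORECASE)
    out = []
    in_section = False
    done = False

    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving the target section without having seen the key: add it there.
            if in_section and not done:
                _insert_before_trailing_blanks(out, key_line)
                done = True
            in_section = stripped.lower() == SECTION.lower()
            out.append(line)
            continue
        if in_section and key_re.match(line):
            if not done:          # rewrite the first occurrence with our value...
                out.append(key_line)
                done = True
            continue              # ...and drop any duplicates
        out.append(line)

    if in_section and not done:   # the target section was the last one in the file
        _insert_before_trailing_blanks(out, key_line)
        done = True
    if not done:                  # the section is missing entirely: append it
        out.append(f"\n{SECTION}\n{key_line}")
    return "".join(out)


def has_single_connection_type(text, value="1"):
    """True when exactly one ConnectionType=<value> line exists in the file."""
    pattern = rf"^\s*{KEY}\s*=\s*{re.escape(value)}\s*$"
    return len(re.findall(pattern, text, flags=re.IGNORECASE | re.MULTILINE)) == 1


if __name__ == "__main__":
    # Constructed path; in practice point this at the .cms inside the built profile folder.
    fixed = set_connection_type(SAMPLE_CMS)
    print(fixed, end="")
    print("single ConnectionType=1 present:", has_single_connection_type(fixed))
```

In use, read the .cms in the built profile folder, pass its text through set_connection_type, write it back, and only then copy the folder to clients; rerun the script after every edit of the profile in the wizard, since that rebuild discards the change.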

That's all. Now you can copy the folder with our profile to the client and establish a connection in two clicks. Run the exe file with the name of our connection:



After an affirmative answer, a window appears where you can choose whether the connection is created only for the current user or for all users, and whether to create a shortcut to the connection on the desktop.



The user will only have to enter the connection credentials and, perhaps, confirm to UAC that they want to grant elevated privileges to our connection (needed if a route must be added or a program requiring elevated privileges is started).



That's all. I hope that this instruction will be useful to someone.

Source: https://habr.com/ru/post/186674/
