Having trouble identifying domain and passing RDP or browsing network shares over SSL remote access connection

I have a client site where I am having trouble accessing Domain resources.

Version: 9.352006

The VPN connection connects properly and stays connected without any problems; I am not seeing any telling errors in the logs at the client or the UTM.

Windows 7 clients are not identifying the connection as a Domain connection (the connection is listed as "Unidentified Network" and falls under the Public Windows firewall profile), and therefore are not allowing RDP, and are not able to look up NTFS and share access over the connection.

I tried making registry changes to force "Unidentified Networks" to be private connections, with no changes in behavior.

The VPN is using automatic firewall rules, the Active Directory server is listed as the first DNS server for the connection, and we have confirmed that the client is picking up the domain suffix properly.

The client can access the AD DC to perform nslookup without issues and receives responses from the domain controller.

PPTP VPN connections appear to work as expected, as do IPsec.

Tried a new VPN, redownloading and reinstalling the client, and no changes.

Any ideas on what might be going on here?



  • This isn't a Sophos VPN issue, it's a Windows firewall issue.  I have a PowerShell script to make the necessary registry changes for the network to be identified correctly.  This was last used with Win7.  Should work with 8, 8.1, or 10, but you'll need to research to make certain.  Read through the script to understand the flag that it is creating and setting.  Hopefully the forum software doesn't mangle it.

    # *NdisDeviceType
    #
    # The type of the device. The default value is zero, which indicates a standard
    # networking device that connects to a network.
    #
    # Set *NdisDeviceType to NDIS_DEVICE_TYPE_ENDPOINT (1) if this device is an
    # endpoint device and is not a true network interface that connects to a network.
    # For example, you must specify NDIS_DEVICE_TYPE_ENDPOINT for devices such as
    # smart phones that use a networking infrastructure to communicate to the local
    # computer system but do not provide connectivity to an external network.
    #
    # Usage: run in an elevated shell (Vista/Windows 7/2008 Server) or as administrator (XP/2003).
    #
    # PS> .\ASGSSLFIX.ps1

    # boilerplate elevation check: writing under HKLM\SYSTEM needs administrator rights
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = new-object Security.Principal.WindowsPrincipal $identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if (-not $elevated) {
        # use a local name; $error is PowerShell's automatic error collection
        $msg = "Sorry, you need to run this script"
        if ([System.Environment]::OSVersion.Version.Major -gt 5) {
            $msg += " in an elevated shell."
        } else {
            $msg += " as Administrator."
        }
        throw $msg
    }

    # ask before touching each matching adapter; PromptForChoice returns the index of
    # the chosen label, so 1 means "&Yes"
    function confirm {
        $host.ui.PromptForChoice("Continue", "Process adapter?",
            [Management.Automation.Host.ChoiceDescription[]]@("&No", "&Yes"), 0) -eq 1
    }

    # network adapters class key
    pushd 'hklm:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

    # ignore and continue on error (some subkeys are not readable or have no DriverDesc)
    dir -ea 0 | % {
        $node = $_.pspath
        $desc = gp $node -name driverdesc -ea 0
        if ($desc.driverdesc -like "*Sophos SSL*") {
            write-host ("Found adapter: {0} " -f $desc.driverdesc)
            if (confirm) {
                # mark the tunnel adapter as an endpoint device; -force overwrites an existing value on re-runs
                new-itemproperty $node -name '*NdisDeviceType' -propertytype dword -value 1 -force
            }
        }
    }
    popd

    # disable/enable network adapters so the driver re-reads the flag
    gwmi win32_networkadapter | ? { $_.name -like "*Sophos SSL*" } | % {

        # disable; the WMI method returns 0 on success
        write-host -nonew "Disabling $($_.name) ... "
        $result = $_.Disable()
        if ($result.ReturnValue -eq 0) { write-host " success." } else { write-host " failed." }

        # enable
        write-host -nonew "Enabling $($_.name) ... "
        $result = $_.Enable()
        if ($result.ReturnValue -eq 0) { write-host " success." } else { write-host " failed." }
    }

    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
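The flag above changes which host firewall profile Windows applies to the tunnel, so it is worth reading the value back and checking the resulting network category rather than trusting the "success" messages. The following read-only diagnostic is an added example, not the poster's script and not Sophos code. It assumes the adapter description contains "Sophos SSL" as in the thread, that it runs in an elevated shell so the class key is readable, and that Get-NetConnectionProfile is available (Windows 8 / Server 2012 and later; on Windows 7 it falls back to netsh).

```powershell
# Added diagnostic (not from the thread): report *NdisDeviceType for matching adapters
# and the network category / firewall profile Windows currently applies.
# Assumptions: adapter description matches $pattern; elevated shell.

$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$pattern  = '*Sophos SSL*'   # adapter description to inspect (assumption taken from the thread)

function Get-AdapterNdisDeviceType {
    param([string]$NameLike = '*')
    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.DriverDesc -like $NameLike) {
            # a missing value means the default (0 = standard NIC); 1 = NDIS_DEVICE_TYPE_ENDPOINT
            $type = if ($null -ne $props.'*NdisDeviceType') { [int]$props.'*NdisDeviceType' } else { 0 }
            [pscustomobject]@{
                Key            = $_.PSChildName
                DriverDesc     = $props.DriverDesc
                NdisDeviceType = $type
                Meaning        = if ($type -eq 1) { 'endpoint device (skipped by NLA)' } else { 'standard NIC (classified by NLA)' }
            }
        }
    }
}

function Get-ActiveNetworkProfile {
    # Get-NetConnectionProfile exists from Windows 8 / Server 2012 onward
    if (Get-Command Get-NetConnectionProfile -ErrorAction SilentlyContinue) {
        Get-NetConnectionProfile |
            Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity
    } else {
        # Windows 7 fallback: show which firewall profile(s) are currently active
        netsh advfirewall show currentprofile
    }
}

Get-AdapterNdisDeviceType -NameLike $pattern | Format-Table -AutoSize
Get-ActiveNetworkProfile
```

Run it once before applying the fix and once after the adapter has been disabled and re-enabled: the tunnel adapter should show NdisDeviceType 1, and the "Unidentified Network" entry for it should no longer appear in the profile list, so the Public profile stops governing traffic over the VPN. If the value reads 1 but the category is unchanged, the driver has not re-read the key and the adapter still needs a reset.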