Active Directory: Deploying the Access Server Connect Client via GPOs

–this document has not yet been updated for AS 2.5–


In order to facilitate deployment of a compatible OpenVPN client to your users, the OpenVPN Access Server supports deployment of its Connect client (MSI) via GPOs using a generic server locked profile. Clients deployed in this manner will require a username and password to log on to the server, notwithstanding the fact that the autologin option might be selected in the User Permissions section of the Admin Web UI. In order for autologin to function properly, users with autologin profiles must have their clients deployed separately, as credentials required for the proper functioning of autologin are only included in the personalized clients unique to those individual users.

Obtaining the MSI file for Deployment

To deploy the client via Group Policy Objects, you must first obtain the generic MSI installer file for deployment. To do this, run this command once you are logged in to the SSH console or terminal of your Access Server instance.
/usr/local/openvpn_as/scripts/sacli GetGenericInstaller
The following message similar to the following should then be displayed:
Writing to: /usr/local/openvpn_as/etc/tmp/openvpn-connect-
Once finished, use a SFTP or SCP client (e.g. Filezilla or Cyberduck) to fetch the above MSI file from your Access Server instance. Put this file in an accessible network share where your domain users can properly access.

Obtaining the Vendor Certificate

Another requirement that is needed for successful deployment of the Access Server Connect client is that the vendor certificate be placed in the trusted certificate store in the target computers. In the case of a manual installation, this is usually done with a dialog that requires user interaction:

However, since GPOs are deployed without user interaction and before the user logs on, the deployment will fail if the vendor certificate is not already trusted.
To resolve this issue, we will obtain a copy of the vendor certificate, and push this certificate to our client computers via the same GPO we use to deploy our Access Server Connect client.
A copy of the vendor certificate can be found here: OpenVPN.cer

Creating the GPO (Group Policy Object) for Deployment

To begin, create a blank GPO in the Group Policy Management Editor, and then navigate to:
Computer Configuration –> Windows Settings –> Public Key Policies –> Trusted Publishers.
Right click on the right panel, and then click Import.

When the Certificate Import Wizard appears, click the Next > button to continue.

Browse to the location where OpenVPN.cer is located (previously downloaded), and then click Next > to continue with the certificate import process.

Ensure that the certificate is placed inside the Trusted Publishers store (should already be set), and then click the Next > button.

Click Finish to finish with the certificate import process.

After the certificate has been successfully imported, the OpenVPN Technologies, Inc. certificate should appear on the right hand panel. This certificate will then be pushed out to your clients the next time group policies are applied.

Next, navigate to the Computer Configuration –> Software Settings –> Software installation section in the Group Policy Management Editor.
Right click the right hand side panel, select New –> Package….

Browse to the .msi have downloaded previously, select the Assigned option, and then click OK. (Note: The .msi file must be stored inside an accessible network share for successful deployment. E.g. Browsing to \\dc1\NETLOGON\openvpn-connect-, otherwise you will receive an error notifying you that the deployment will most likely not be successful due to non-accessible network paths. You will also need to make sure that any users you deploy this client to have Read Permissions to the network share in question, otherwise deployment will fail due to insufficient privileges)

Verify that the OpenVPN Connect package has been appropriately assigned.

Group Policy Object Deployment

To start the deployment process, simply restart the computers affected by the GPO. The OpenVPN Connect client should be installed the next time the computer reboots, and prior to the user logging on to the computer.