Freedom2Roam - Setting Up AnyConnect VPN Access
The advanced networking section allows users to have full VPN access across all or part of the school's network. To enable this, first click on the VPN tab.
Tick the box Enable advanced networking for this group to grant full access. Once this box has been ticked, the remaining settings on the page will become available.

Configuring advanced networking settings
If you have enabled advanced networking for a group, you will need to configure a range of IP addresses that can be accessed by the relevant user group.

Enter the IP range and click Add IP range. The IP range will then be listed and you can add other sets of IP addresses if needed. Click Add after each one. If you attempt to enter what you believe to be a valid IP range and receive an error message preventing you from entering it, please contact the support team.

Users whose group has had advanced networking enabled will be able to access anything that falls within the defined IP address range. When users connect with the Cisco AnyConnect client, it will be automatically configured with the IP ranges specified here. Users in this group could then, for example, use the built-in Windows RDP (Remote Desktop) client to access one of the specified IP addresses.
DNS settings
For users who have advanced networking access, local school-based DNS settings can also be configured. This is not a requirement but is useful in accessing school-specific URLs. If DNS settings are not specified, users will need to enter an IP address instead to access school-specific locations.
Configuring your internal DNS settings in the Freedom2Roam interface will also allow any staff member to use RDP to access school-based machines whose IP addresses are not fixed. To be able to access school machines in this way:
- The Nominated Contact would need to enable Advanced networking for the group using this functionality.
- The Nominated Contact would need to specify the IP range which includes the destination machines for the group.
- The user would need to download and install the Cisco AnyConnect client.
- The user would then need to launch the Cisco AnyConnect client and establish the connection to the school's network by clicking Connect.
- The user would then need to launch the RDP client installed on their computer and in the field where they are required to enter the computer details, instead of an IP address they would enter their school computer's name, followed by the internal DNS suffix. The address would then look something like this: myschoolcomputer.myschool.internal.
- The user should then be able to access the login screen for their computer and can log in using the credentials they would normally use to log into the school machine.
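Because a group can reach everything inside its defined ranges, it is worth checking a proposed list before entering it. The following is an added example, not part of the Freedom2Roam documentation: it flags malformed, non-private or overly broad ranges and lists required machines that fall outside every range. The accepted input formats (CIDR and start-end), the 256-address threshold, and all addresses and host names other than myschoolcomputer.myschool.internal are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: ranges a Nominated Contact intends to enter, and
# the machines staff must reach (name -> address currently held).
PROPOSED = ["10.20.30.0/24", "10.20.0.0/16",
            "10.20.40.10-10.20.40.20", "10.20.30.1/24"]
TARGETS = {"myschoolcomputer.myschool.internal": "10.20.30.57",
           "financepc.myschool.internal": "10.21.5.9"}

def parse_range(text):
    """Parse 'a.b.c.d/nn' or 'start-end' (assumed formats) into networks."""
    text = text.strip()
    if "-" in text:
        start, end = (ipaddress.IPv4Address(p.strip())
                      for p in text.split("-", 1))
        if start > end:
            raise ValueError(f"range start is after end: {text}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=True rejects entries such as 10.20.30.1/24 (host bits set)
    return [ipaddress.ip_network(text, strict=True)]

def audit(ranges, targets, max_hosts=256):
    """Return (findings, unreachable) for proposed ranges and required hosts."""
    findings, nets = [], []
    for entry in ranges:
        try:
            parsed = parse_range(entry)
        except ValueError as exc:
            findings.append((entry, f"invalid: {exc}"))
            continue
        size = sum(n.num_addresses for n in parsed)
        if not all(n.is_private for n in parsed):
            findings.append((entry, "includes non-private address space"))
        if size > max_hosts:  # threshold is an assumption, tune per site
            findings.append((entry, f"covers {size} addresses; narrow it "
                                    "to the hosts the group needs"))
        nets.extend(parsed)
    unreachable = [name for name, ip in targets.items()
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return findings, unreachable

if __name__ == "__main__":
    findings, unreachable = audit(PROPOSED, TARGETS)
    for entry, problem in findings:
        print(f"{entry}: {problem}")
    print("outside every range:", unreachable)
```

For machines whose IP addresses are not fixed, run the check against the whole address pool they can be assigned from rather than the address held today.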
Enabling pre-login functionality
In schools where Windows-based machines are given to staff for working at home, it is possible to pre-configure the machines to connect directly to the school's network via a VPN even before the user has logged into Windows. After the secure connection is established, each user will be able to log in directly to the school's domain rather than the local machine. This will enable any login scripts to run, mapped drives to be connected etc. Each device will need to be locally configured by the school's Nominated Contact.
Enabling
- To enable this feature, the Nominated Contact must go to Service Desk >> Freedom2Roam in the LGfL support site.
- To ensure that the end user of the machine will be able to log in successfully, they must be a member of a Freedom2Roam group where Advanced Networking is enabled.
- The IP addresses which the user will need to access must be defined as described under the heading Configuring Advanced Networking settings.
- It is also essential that the Pre-login functionality is enabled via the Freedom2Roam configuration settings. This is found under the VPN tab of each Freedom2Roam group.
- To switch on this setting, select or create a Freedom2Roam group for the users needing this functionality.
- Select the VPN tab.
- Tick Enable advanced networking for this group.
- Define the relevant IP addresses.
- Under the Pre-login configuration heading, tick the box to Allow all users to connect directly to school domain.

Configuration
- To configure each device, the administrator will firstly need to log into the device and install the Cisco AnyConnect SSL client.
- Once installed, launch the Cisco AnyConnect Secure Mobility Client from the Start menu and click Connect and enter your USO username and password (with OTP code if you use one).
- Once the connection is established successfully, the Cisco client will disappear from view.
- Reopen it, click on the cog icon in the lower left corner of the Cisco AnyConnect window and choose preferences.
- Tick the first tick box called Start VPN before user logon to computer. (Please leave the other boxes as they are unless you are confident you fully understand the effect changing the settings will have.)
- Close the pop-up and you can now log off the machine.
Logging In
- The next time a user wishes to log onto the machine, the pre-login screen should show an additional networking symbol in the lower right corner of the screen, next to the Off button. If there is only one account registered on the machine, the networking symbol does not always appear automatically. To get the symbol to show, simply click on the switch user button to be taken to the relevant page with the symbol. If the machine has several accounts registered on it, the networking symbol will appear automatically in the lower right corner. Click on the networking symbol first before logging on to Windows.
- Once clicked, you will now be asked to connect to the school network with your USO username and password (and possibly OTP code). Enter your details and click OK.
- Once a connection to the school's network has been established, this is indicated again in the lower right section of the screen (a Disconnect button will appear - indicating that the VPN is currently connected).
- You can now log into your domain with your usual credentials (these may or may not be the same as your USO account if USOSync is used).
- Once you've logged into Windows a small pop-up will appear in the lower right corner of the screen confirming you're connected to the school's network via VPN.