Bug / design change request - Modern Connect Tunnel Client and expiring password
Let me start by saying I REALLY like the functionality in the SMA 1000 series with the (modern) Connect Tunnel Client. But I have an issue and have not been able to get anyone to take it seriously. It is a SERIOUS design oversight that could be remedied easily but nobody seems to understand it.
Scenario - Modern Connect Tunnel client - using always-on operation with Device VPN and User VPN functions. When the remote PC/laptop powers on, the Device VPN connects with limited network access. It can get Windows patches, antivirus updates, other machine management. Then when the user enters their credentials, the modern Connect Tunnel client switches to User VPN mode, and there is more access to things like file shares, accounting or other restricted systems, etc.
The problem (some background): My users are required to change their passwords every 90 days (and this may be getting lowered to 70 days). 14 days BEFORE the user's password expires, the modern Connect Tunnel client shows a message that states "Your password will expire in 14 days" and it does this every day until the password is changed or expires.
BUG: Even though the modern Connect Tunnel client has a valid, working user password, it does not log in. Rather, it displays the warning in a modal dialog that the user cannot respond to until the desktop appears. So the user login and any login scripts, etc. happen using the Device VPN, which (in my case) does not have access to "user" resources like shares, etc. So the user lands at a desktop missing mapped drives, and any pre-login scripts ran as the device rather than the user and likely failed.

BUG: The client had the user's password. It was valid. But it does not PROPERLY use that valid password to switch from Device mode to User mode when the user enters their VALID password. BECAUSE OF THE WAY THE PASSWORD EXPIRATION NOTICE IS IMPLEMENTED, THE USER HAS AS MANY AS 14 DAYS OF "FAILED" LOGINS/SESSIONS OUT OF THEIR 90 DAY PASSWORD CYCLE.
EASY FIX: Re-Engineer the password expiration notice to first USE the valid password to connect User mode and THEN display the dialog with the password expiration warning.
I suppose I could dig around and probably disable the password expiration notice, but PLEASE, PLEASE, PLEASE, get this relatively easy fix on your list of enhancements. I can only assume that if the engineers think this through they will understand why you would not want to provide a non-working environment up to 14 days out of every password cycle. In fairness, I have never raised this as a separate ticket, but have mentioned it on pretty much every support call ever. Other SMA 1000 / modern Connect Tunnel client users PLEASE comment if you would like to see this fix implemented.
Here is the dialog users see when their session is broken due to the behavior of the connect tunnel client:
Best Answers
vkrtandra SonicWall Employee
@Doug_Daniel This has been fixed in the upcoming 12.4.1 September hotfix.
PS: If you would like to test it before, you can contact support and ask for the test client (MCTSetup64-12.4.1.1000.exe), which is attached to our internal ticket (SMA1000-4358).
vkrtandra SonicWall Employee
Thanks for bringing it up, this will be fixed in the September hotfix as well.
Answers
This needs to be addressed. Thank you for bringing it to others' attention.
@Doug_Daniel I agree that messages like this, which don't need a user response, should not block the tunnel establishment.
If you do not wish to disable this expiry notification, you could reduce the number of days for prompting (maybe 7?) - that should reduce the impact for now. Unfortunately, I do not see other ways to address this without any patches. Can you please get in touch with tech support to raise a ticket about this issue? This is a genuine issue and should be addressable with hotfixes. Please cite this community thread discussion if needed.
Wish support had brought this up with Engineering the first time you reported it. I will let them know of this incident hoping it will improve the customer experience.
Thank you - I have submitted a case with support on this specific issue and will wait to be contacted.
Thank you. I have tested the 12.4.1 September hotfix and it does fix the issue!
You should let development know that they may want to update the dialog a little since it may confuse some users. They correctly connect the user VPN now at the time of login, but when the password warning comes up with the desktop the title says "Please log in." even though it did successfully log in. I am incredibly happy that they fixed the issue, just pointing out that this might confuse some users.