
Solution: VPN connections over cellular data cards do not work with Windows 7 (Mobile Broadband, WWAN, wireless modems, etc.)

posted Aug 7, 2010, 10:15 AM by Shawn Berg   [ updated Sep 27, 2010, 7:52 PM ]

Custom search for your specific problem across websites that I have found to have the best information on this topic. To figure out whether you are using a native Windows 7 Mobile Broadband driver with your wireless WAN modem, and how it is configured, check out this page for an example of how to do this.

Other VPN problems: SafeNet

Introduction

If you found this page, then you are probably pretty frustrated: you have installed Windows 7 on a new laptop with an embedded cellular/wireless data modem, and when you connect with your cellular data card you cannot establish a VPN connection over that connection. You might even know other people with the same setup, but they have a different cellular device and they are not having any problems. They might even be using the same connection manager software without any problems. You might even have the same device as someone else (e.g., Gobi 2000), and you are using the AT&T network because you have HSPA in your area and it is faster than EV-DO, while your coworker has to use Verizon; they have no problem with their VPN connection and you can't use yours at all. If you connect to an 802.11 hotspot you can get into your company network, but as soon as you switch to your cellular Mobile Broadband (WWAN) connection you can't establish a VPN anymore.

Even more baffling, you and your coworker/friend might have the exact same hardware and cellular service, but they are running Vista or XP and you are running Windows 7 or Server 2008 R2, and their connection works and yours does NOT! I have even seen a case where everything was exactly the same and it worked on Win7 x86 (32-bit) but not on x64 (64-bit). If this sounds like your problem, then read on, because I will explain why and may be able to offer enough information for you or your IT staff to correct this problem in minutes.

You don't have to uninstall Windows 7, you don't need to cancel your AT&T service, and you don't need to disable your embedded cellular device and buy a USB data device. You don't even have to change your VPN software (but you might want to after I explain why). When I was researching this problem and looking through hundreds of forums for the answer to this question, the most common VPN software people were using on Windows 7 was: AT&T, Check Point, Cisco, Citrix, F5, Juniper, NCP, NetGear, Nortel, SafeNet, SonicWall. I also did not find anyone who had the solution to this problem. I really hope that the folks out there who are at their wits' end find this article helpful.

Background

To understand why VPN software doesn't work with certain cellular data devices, you first must know a little about one of the biggest enhancements in Windows 7: the introduction of the Mobile Broadband (MB) driver model (see this link for how to determine from the command line whether you have an MB device). It simply defines a new interface through which mobile broadband devices integrate with Windows 7 and later. These devices are referred to as wireless modems or wireless wide area network (WWAN) devices and often come embedded in new notebook computers or as external cards or USB devices. They provide "high-speed" networking over cellular connections (to either GSM or CDMA networks). These enhancements in Windows 7 for cellular data devices parallel the enhancements to Windows XP for 802.11 devices. In fact, these devices are now integrated into the familiar View Available Networks (VAN) UI. You can connect a mobile broadband device just like any other wireless device. Typically, to get access to the cellular networking service the user will need an account with their cellular provider. Once this is set up, the MB device can be configured to connect automatically when the network is available, or to connect automatically when no other networking option is available. These devices are not yet as fast as a good 802.11 connection, but they are fast enough to stream movies over the Internet, and there are plans in the near future to support data rates that can compete with 802.11.

The benefit of the MB platform for end users is that it provides a consistent user experience across all cellular devices and underlying cellular technologies. To provide this, the Windows NDIS (Network Driver Interface Specification) had to be updated to support a new type of networking device. This is commonly referred to as the mobile broadband stack, and it is only available in Windows 7 and Windows Server 2008 R2.

Earlier versions of Windows required users of cellular data devices to install third-party software and various types of drivers to support the device. These drivers varied by device and manufacturer and required administrative access to install. The connection managers for the devices varied widely depending on which device or cellular network provider was being used. Some devices used NDIS drivers and some used RAS drivers for controlling the device, and many used both.

Starting with Windows 7, cellular device OEMs are strongly encouraged to provide drivers that use the new Mobile Broadband driver model so that they can benefit from the standard mechanism for integrating with Windows. In fact, the NDIS 6.2 specification defines a new type of networking medium for these devices. In Vista and earlier versions of Windows, cellular devices exposed their medium as Ethernet and/or (most commonly) as a standard modem. Because MB devices use a new media type, this affects applications that depend on NDIS lightweight filter (LWF) drivers, NDIS intermediate (IM) drivers, or the Windows Filtering Platform (WFP) to filter, analyze, or inject network packets in the Windows kernel. This is a common technique used by third-party firewall, antivirus, and VPN solutions.

Problem

Since Windows 7 Mobile Broadband devices are starting to use the new MB driver model, existing solutions that depend on drivers that must see all the network traffic sent and received by every networking device on a system will not work with your MB device. To see that traffic, these drivers must be bound to all the networking devices in the machine, which gives them the ability to shape network traffic at the kernel level using standard NDIS drivers. With VPN solutions, these drivers are responsible for setting up and encrypting all network traffic that is destined for the VPN server. However, many VPN providers have not updated their networking drivers so that they can bind to Mobile Broadband devices. This is the reason that many VPN solutions do not work with Mobile Broadband devices.
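One way to see which adapters on a machine fall into this category, as an added example that is not part of the original post: it assumes PowerShell 2.0 or later, reads the NDIS physical medium from the `MSNdis_PhysicalMediumType` WMI class, and then runs `netsh mbn show interfaces`. The function name `Get-AdapterPhysicalMedium` is illustrative, and the physical medium is only a hint, since it is not the NDIS media type itself.

```powershell
# Added example: list active adapters by NDIS physical medium.
# Codes are NDIS_PHYSICAL_MEDIUM constants from ntddndis.h (subset).
$mediumNames = @{
    0  = 'Unspecified'
    1  = 'WirelessLan'
    8  = 'WirelessWan'
    9  = 'Native802_11'
    10 = 'Bluetooth'
    14 = '802_3'
}

function Get-AdapterPhysicalMedium {
    Get-WmiObject -Namespace 'root\wmi' -Class MSNdis_PhysicalMediumType -ErrorAction Stop |
        Where-Object { $_.Active } |
        ForEach-Object {
            # Cast to [int] so the lookup matches the Int32 hashtable keys.
            $code = [int]$_.NdisPhysicalMediumType
            $name = $mediumNames[$code]
            if (-not $name) { $name = "Other($code)" }
            New-Object PSObject -Property @{
                Adapter        = $_.InstanceName
                PhysicalMedium = $name
                IsWwan         = ($code -eq 8)
            }
        }
}

$adapters = @(Get-AdapterPhysicalMedium)
$adapters | Sort-Object Adapter |
    Format-Table Adapter, PhysicalMedium, IsWwan -AutoSize

$wwan = @($adapters | Where-Object { $_.IsWwan })
if ($wwan.Count -eq 0) {
    'No active adapter reports a WirelessWan physical medium.'
} else {
    'Adapters reporting a WirelessWan physical medium:'
    $wwan | ForEach-Object { "  $($_.Adapter)" }
    # netsh only lists interfaces managed by the WWAN service, that is,
    # devices installed with a native Mobile Broadband driver.
    'Interfaces known to the Mobile Broadband service:'
    netsh mbn show interfaces
}
```

An adapter that appears in both lists is running on the native MB driver model, so a VPN client whose filter driver has not been updated for MB will not bind to it.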

Solution

Unfortunately, several VPN providers have not made the investment of rewriting their VPN drivers so that they can bind with Mobile Broadband drivers, so there is no way that you can make a VPN connection directly over a Mobile Broadband device. There are two workarounds, both less than ideal, for most Mobile Broadband devices. The first is to install the "NDIS" drivers for your device, which will allow the VPN driver to bind to the driver for your cellular device. The advantage is that you can use your existing connection manager to make a connection, but you will not be able to use Windows to make a "native" Mobile Broadband connection. Also, you have to find the NDIS drivers that will work for your card on Windows 7. For example, this KB article explains how you can do this for most Sierra AirCards.

The second leverages the fact that there is still a diagnostic modem device that can be used to interface with the Mobile Broadband device using AT commands, and most VPN solutions do bind to the networking stack that is used for making DUN connections. To make a VPN connection using a Mobile Broadband device, you will have to create a DUN object that uses the Mobile Broadband device's modem interface and then make your VPN connection over that connection. The hard part of this solution is figuring out how to create and configure your DUN object so it will connect your cellular device to your cellular network. There are several issues to consider and several ways to do this, depending on your network provider, the configuration of your device, and whether it is a GSM or CDMA connection. There are resources available on the Internet that can help you figure this out. The advantage is that you can still use the Windows VAN UI to connect your device as a Mobile Broadband device (when you are not VPN connected using RAS), and this method should work with most cellular cards, but you will not be able to use your provider's connection manager to establish a VPN connection.

Below is a support article from Sierra Wireless's web site that details how to do this for GSM devices (this should work for most GSM devices since it uses AT commands that are in the GSM specification):

GSM Setup