vortex350
asked on
Restrict login to terminal services by user by IP address range
Hello,
All my users at the office use terminal services to do their work on one of our servers. As the system is installed, some of my users need to access the system from remote locations outside the firewall. I have set up everything so that they can have access.
My problem is the following: I want to restrict a few users from logging in to their terminal service session if they are outside the firewall without using a VPN. Because, right now, if somebody knows the server address (and they all know it), they can log in to their session.
Is there a type of user policy I can use that would allow a user to log in to the terminal services if the machine he uses to connect is within a private IP address range?
ASKER
Could you give me an example?
A simple way to do this is to go to the properties of your computer, go to the Remote tab, and in the Remote Desktop portion go to Select Users, and you can choose a computer name. This way you will restrict the access, but the computer name which will resolve to an IP
>>"I want to restrict a few users from logging in to their terminal service session if they are outside the firewall without using a VPN"
Not sure I understand the question. Users can only connect to your terminal server without using the VPN if you have port 3389 forwarded to the terminal server. Remove the forwarding and only VPN users can connect. They will be using the LAN IP, not the public IP. It's much more secure to use a VPN for all users.
Perhaps I have misunderstood.
If you also want to restrict VPN users, you can do so with policies in your VPN configuration, assuming they are connecting from a site with a static IP; however, that is probably not the case.
Should you want a logon script that monitors your user connections, and the IPs from which they connect, please advise. That might help with your problem, at least to be able to "slap some hands".
Hope this helps!
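
A sketch of the connection monitoring mentioned in the answer above, as an added example that is not part of the original thread: it flags logons by restricted accounts whose client address is outside the office LAN or VPN pool. The record format, account names and address ranges are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed ranges: office LAN and VPN address pool. Replace with your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]
# Assumed accounts that may only log on from the LAN or through the VPN.
RESTRICTED_USERS = {"alice", "bob"}

# Constructed sample records, one per logon: "timestamp user client_ip".
SAMPLE_LOG = """\
2024-05-06T08:01:12 alice 192.168.1.23
2024-05-06T08:05:40 bob 203.0.113.7
2024-05-06T08:07:02 carol 198.51.100.20
2024-05-06T08:09:55 alice ::ffff:10.8.0.14
2024-05-06T08:11:31 bob not-an-ip
2024-05-06T08:12:00 BOB 192.168.2.9
"""


def is_trusted(ip_text):
    """True only if ip_text parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # unparseable address: treat as untrusted
    # Dual-stack listeners may report IPv4 clients as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in TRUSTED_NETS)


def violations(log_text):
    """Return (timestamp, user, ip) for restricted users on untrusted addresses."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed record, not a logon entry
        timestamp, user, ip_text = parts
        user = user.lower()  # Windows account names are case-insensitive
        if user in RESTRICTED_USERS and not is_trusted(ip_text):
            hits.append((timestamp, user, ip_text))
    return hits


if __name__ == "__main__":
    for hit in violations(SAMPLE_LOG):
        print("untrusted logon:", *hit)
```

The last sample record is flagged even though 192.168.2.9 is a private address, because it lies outside the listed office and VPN ranges.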