

Restrict Windows 2008 RRAS VPN Users from Accessing Specific Resources

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network. I used Google to try to find out how to stop people from accessing certain servers, but the options given were not the ones I needed, such as adding group policies to folders and the like.

After extensive testing, I was able to find the solution. Here are the steps you'll need to take to restrict VPN users from accessing certain servers/resources.

In Active Directory, create a group called "VPN Users" or whatever name you see fit. Create a VPN test user and add this user to the "VPN Users" group. In the Dial-in tab of the VPN test user, make sure "Control access through NPS Network Policy" is selected.

In the Windows 2008 RRAS server, right click on "Remote Access Logging & Policies" and select "Launch NPS". Right click on IP Filters and select "New". Enter a template name such as "VPN IP Restrict" and then select "Output Filters". The Output Filters tab is where you add the IP addresses that you want the VPN users to be able to reach. For instance, we wanted our VPN users to access our internal email, so we added in the IP address. Add the IP address you want in there; you also have the option to only allow access to specific ports on that IP address. If you only want users to access your FTP server, add the IP address of the FTP server, under "Protocol" select TCP or TCP Established, make the SOURCE port 21 and the DESTINATION port 0. This allows them to reach that server only over FTP; they cannot access that IP address any other way. Make sure to select "Permit only the packets listed below", because by default it picks "Do not permit packets listed below".

Now right click on "Network Policies" and select "New". Enter your policy name and hit "Next". Click on "Add" under "Conditions" and select "Windows Groups". Find the group you created in Active Directory for VPN users. Make sure "Access granted" is selected and click "Next". Click Next under Configure Authentication Methods, then click Next under Configure Constraints. Under Configure Settings, select "IP Filters", select the IP Filter template you created, then hit Next and Finish. Right click on the policy name and move it up so it is processed before the default policies.

And that's pretty much it. Once you have the client side set up the way you like, connect using the VPN test user account you created in Active Directory. Once the connection is made, ping the IP address you have access to. If you allowed any port, the ping will succeed. If you only allowed a specific port, the ping will fail; instead, try to connect through the port you allowed.
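As an added check that is not part of the original article, the PowerShell script below runs the same verification from a connected VPN client: each entry lists a host, an optional TCP port, and whether the filter should let it through, so a host permitted only on one port is expected to fail the ping but answer on that port, and a host not in the filter is expected to fail everything. The addresses and ports are placeholders, and Test-NetConnection assumes a Windows 8 / Server 2012 or later client.

```powershell
# Added example: verify an NPS IP filter from a connected VPN client.
# Addresses and ports below are constructed placeholders; replace with your own.
$Expectations = @(
    # Host permitted on all ports: ping must succeed.
    @{ Host = '192.0.2.10'; Port = $null; Expect = $true  }
    # Host permitted only on TCP 21: ping is expected to FAIL, FTP port to succeed.
    @{ Host = '192.0.2.20'; Port = $null; Expect = $false }
    @{ Host = '192.0.2.20'; Port = 21;    Expect = $true  }
    # Host not listed in the filter at all: everything must fail.
    @{ Host = '192.0.2.30'; Port = $null; Expect = $false }
    @{ Host = '192.0.2.30'; Port = 445;   Expect = $false }
)

function Test-VpnFilter {
    param([hashtable[]]$Cases)
    $failures = 0
    foreach ($case in $Cases) {
        if ($null -eq $case.Port) {
            # ICMP echo, the same ping test described in the article.
            $ok = Test-Connection -ComputerName $case.Host -Count 1 -Quiet -ErrorAction SilentlyContinue
            $what = "ping $($case.Host)"
        } else {
            # TCP connect to the specific port that was permitted in the filter.
            $r = Test-NetConnection -ComputerName $case.Host -Port $case.Port -WarningAction SilentlyContinue
            $ok = [bool]$r.TcpTestSucceeded
            $what = "tcp $($case.Host):$($case.Port)"
        }
        if ($ok -eq $case.Expect) {
            Write-Host "PASS  $what (reachable=$ok)"
        } else {
            Write-Host "FAIL  $what (reachable=$ok, expected=$($case.Expect))"
            $failures++
        }
    }
    return $failures
}

$failed = Test-VpnFilter -Cases $Expectations
if ($failed -gt 0) { Write-Host "$failed check(s) did not match the filter policy" }
```

A FAIL on a host that should be blocked usually means the policy is below a permissive default policy in the processing order, or the template was left on "Do not permit packets listed below".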

