Restrict Windows 2008 RRAS VPN Users from Accessing Specific Resources

Coolie Sheppard, Systems Engineer
Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing certain servers, but the options given were not the ones I needed, such as adding group policies to folders and the like.

After extensive testing, I was able to find the solution.  Here are the steps you’ll need to take to restrict VPN users from accessing certain servers/resources.

In Active Directory create a group called “VPN Users” or whatever name you see fit.  Create a VPN test user and add this user to the “VPN Users” group.  In the Dial-in tab of the VPN test user, make sure “Control access through NPS Network Policy” is checked.

In the Windows 2008 RRAS server, right click on “Remote Access Logging & Policies” and select “Launch NPS”.  Right click on IP Filters and select “New”.  Enter a template name such as “VPN IP Restrict” and then select “Output Filters”.  The Output Filters tab is where you add the IP addresses that you want the VPN users to access.  For instance, we wanted our VPN users to access our internal email, so we added the IP address of our mail server.  Add the IP address you want in there; you also have the option to only allow them to access specific ports on that IP address.  If you only want users to access your FTP server, then you would add in the IP address of the FTP server, under “Protocol” select TCP or TCP Established, make the SOURCE port 21 and the DESTINATION port 0.  This will allow them to reach that server only via FTP; they cannot access that IP address any other way.  Make sure to select “Permit only the packets listed below”, because by default the dialog picks “Do not permit packets listed below”, which would block only the addresses you list and allow everything else.

Now right click on “Network Policies” and select “New”.  Enter your policy name and hit “Next”.  Click on “Add” under “Conditions” and select “Windows Groups”.  Find the group you created in Active Directory for VPN users.  Make sure “Access granted” is checked and click “Next”.  Click Next under Configure Authentication Methods, and click Next under Configure Constraints.  Under Configure Settings, select “IP Filters”, select the IP filter template you created, and then hit Next and Finish.  Right click on the policy name and move it up, so that NPS evaluates it before the default policies below it (policies are processed in order and the first match wins).

And that’s pretty much it.  Once you have the client side set up the way you like, connect using the VPN test user account you created in Active Directory, and once the connection is established, ping the IP address you have access to.  If you allowed any port, the ping will succeed.  If you only allowed a specific port, you won’t be able to ping (ICMP is not on the list), so instead try to connect through the port you allowed.
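To make the behaviour of that final check concrete, here is an added example (not part of the original article or of NPS itself) that models the IP filter template as a permit list: a row matches on address, protocol and ports, port 0 is treated as “any port” (an assumption about the RRAS filter dialog), and the action selector decides whether listed rows are the only traffic permitted or the only traffic denied. The addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class FilterEntry:
    """One row in the IP filter template: host/network, protocol, source and destination port."""
    network: str        # e.g. "10.0.0.30/32"; a /32 is a single server
    protocol: str       # "ANY", "TCP", "TCP Established", "UDP", "ICMP"
    src_port: int = 0   # assumption: 0 means "any port", as in the RRAS filter dialog
    dst_port: int = 0

@dataclass(frozen=True)
class Packet:
    host_ip: str        # network-side address the filter row is compared against
    protocol: str
    src_port: int = 0
    dst_port: int = 0

def matches(entry: FilterEntry, pkt: Packet) -> bool:
    """True when one filter row applies to this packet."""
    if ip_address(pkt.host_ip) not in ip_network(entry.network):
        return False
    # "TCP Established" is still TCP; only the first word selects the protocol
    if entry.protocol != "ANY" and entry.protocol.split()[0] != pkt.protocol:
        return False
    return all(rule in (0, actual) for rule, actual in
               ((entry.src_port, pkt.src_port), (entry.dst_port, pkt.dst_port)))

def permitted(filters, pkt: Packet, permit_only_listed: bool) -> bool:
    """Apply the template action: permit-list (the article's setting) or the deny-list default."""
    hit = any(matches(f, pkt) for f in filters)
    return hit if permit_only_listed else not hit

# Constructed sample data: the FTP-only template from the article, and an any-port variant
FTP_ONLY = [FilterEntry("10.0.0.30/32", "TCP Established", src_port=21)]
ANY_PORT = [FilterEntry("10.0.0.30/32", "ANY")]
FTP_REPLY = Packet("10.0.0.30", "TCP", src_port=21, dst_port=51000)
PING_FTP = Packet("10.0.0.30", "ICMP")
SMB_OTHER = Packet("10.0.0.40", "TCP", src_port=445)

def verify_article_test():
    """Mirror the article's final check: ping fails with a port filter, works with any port."""
    return {
        "ftp_allowed": permitted(FTP_ONLY, FTP_REPLY, True),
        "ping_blocked_by_port_filter": not permitted(FTP_ONLY, PING_FTP, True),
        "ping_ok_with_any_port": permitted(ANY_PORT, PING_FTP, True),
        "other_server_blocked": not permitted(FTP_ONLY, SMB_OTHER, True),
        "wrong_default_lets_ping_through": permitted(FTP_ONLY, PING_FTP, False),
    }
```

The last entry shows why the action selector matters: with the dialog's default of “Do not permit packets listed below”, the same FTP row would block FTP and let everything else, including the ping, through.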
