Solved

Microsoft VPN PPTP server

Posted on 2004-08-18
Last Modified: 2010-04-12
Hello Friends,

So here I go. I am using the Windows 2000 Routing & RAS services. My client connects to my VPN PPTP server and everything works, but when he connects to my server he can see all the computers which are in my network, and maybe he can hack them.

So what I want is that he must have access only to one or two particular computers in my network, not all computers, because my client who will connect to my server has to work with only two computers with Terminal Services, and I don't want him to have access to or be able to see other computers in my network.

So please tell me how I can create rules so that if he connects to my server he will only have access to a particular IP address or particular computer defined by me.

Thanks.
Question by:amir321
LVL 15

Expert Comment

by:scampgb
ID: 11833985
Hi amir321,

I'm assuming that your VPN user is logging in to a domain account.
Create a security group in ADUC that contains the VPN user(s).  Call this "Client VPN" or something appropriate.


Go into the RRAS admin tool
Go into "Remote Access Policies"
Create a new remote access policy
Give it an appropriate name "Restricted client"
Choose the matching conditions - in this case it would be "Windows Groups"
Choose the domain account or security group for this VPN user
Choose "Grant Remote access permission"
Choose "Edit Profile"
"IP" tab

You'll see that there's some IP Packet Filters buttons.

Choose "From Client"

You can then specify any IP address or protocol restrictions that you need.

I hope that this helps - let me know if you need any further help.

Author Comment

by:amir321
ID: 11839427
OK, but how will my server know that this Restricted client policy is for this particular user? All my other offices are also connecting to my VPN server from different locations, and among them one client will also connect, but I must give him access only to one or two computers (Terminal Server access through the VPN server), while the rest of my clients will have access to the whole network.

I mean, how can I decide which policy is for which user?

Author Comment

by:amir321
ID: 11839472
OK, thanks. I did what you said, and now I have to find out which kind of service I must add in the IP packet filter, because my client must have access only to the Terminal Server port, nothing else. I will try to find out and I will let you know. Thanks again.

regards
amir
LVL 15

Expert Comment

by:scampgb
ID: 11839497
Hi Amir

You control who this access policy applies to by putting the user account in a suitable security group.  Please let me know if this is still unclear.

Terminal Services (RDP) uses port TCP/3389.

Author Comment

by:amir321
ID: 11840201
When I click on From Client and then select TCP, I get two boxes for destination and source. What must I add in the destination and source TCP boxes?
LVL 15

Expert Comment

by:scampgb
ID: 11840294
You need to put port number "3389" in the Destination Port box.

Also, bear in mind that the VPN user will have to connect to the server by IP address rather than by name. This is because they won't be able to contact your DNS servers.
If you need this to work, then you also need to allow the users to connect to your DNS server IPs on destination port UDP/53.

Hope that this helps.

Author Comment

by:amir321
ID: 11840333
And what about the source box: which TCP number must I put there?
LVL 15

Expert Comment

by:scampgb
ID: 11840359
You can leave the source boxes blank, as you're not restricting those.
LVL 1

Expert Comment

by:Clutch
ID: 12055947
I've restricted my VPN users by following the steps above, but I have another question. Currently my VPN users can search for a server via IP address, then browse that server's shares. I've removed this test user from the Domain Users group, which denies them access to view anything past the server's root shares. How can I further restrict these users so they cannot search for servers via IP address, or at least restrict them from viewing the shares available on the server?

Currently I have the IP Packet Filters set (within "From Client") to Deny all traffic except to one IP address (Destination) using any protocol. This one IP address is not any of the servers in question.
LVL 15

Expert Comment

by:scampgb
ID: 12056092
Hi Clutch - sorry, but this is amir321's question about restricting VPN connections, not stopping people browsing shares - although I realise that there is some similarity.

I suggest that you post your query separately, but make reference to this thread so that others understand what's going on.


Amir321 - any progress on this?
LVL 1

Expert Comment

by:Clutch
ID: 12056292
I thought Amir321's question was asking how to restrict VPN connections? That is what I am asking, but in further detail: how to restrict this VPN policy further. Currently the IP filter for this VPN policy is set to restrict all traffic except to one IP address, yet after testing I am still being allowed to browse to other IP addresses via a simple search of known LAN IP addresses.

Let me rephrase the question then. Simply setting the IP filters you mention in the above post does not restrict all network traffic. Why can I still successfully search for servers/PCs on the remote network via IP address?

Author Comment

by:amir321
ID: 12073794
My dear Friends,

My VPN server has already been running for the last 3 years without any problem, and my branch office and head office users can access all files and everything without any problem. But I wanted to give Terminal Server access to one of my users, and I didn't want him to be able to browse my network or see anything from my network.

I just wanted him to connect to my server with VPN and then have access only to the Terminal Server's IP address, nothing else. Mr scampgb has given me some ideas, but due to a busy schedule I haven't tried them yet; next week I am going to try and let you know, guys.

Anyhow, thank you friends.

Author Comment

by:amir321
ID: 12112793
Dear Friends,

I did as Mr scampgb told me to, but my client can access all my computers in the network and the data: if he types \\192.168.2.1 or any IP address of a computer in my network, he can see all my shared folders and everything. Please tell me what to do and how I can restrict it. I just want him to have Remote Desktop Connection, nothing else.
LVL 15

Expert Comment

by:scampgb
ID: 12125741
Here's a thought.

Look in Remote Access Policies in RRAS administration

You'll see the restricted policy in there - are there any others?
Does the user who is a member of this restricted policy also get covered by any other ones?


In other words, if you have a policy that allows everyone in the "Remote Access" group permission to connect, and this account is a member of this group, then this will apply.

You then need to look at the order these policies are applied.  You can move them up and down the priority list by right-clicking on them.

Does that help?

Author Comment

by:amir321
ID: 12131741
I have two policies: 1) called Full access, where only the administrator is a member of that policy, and a second policy called Restrict client, where my client is a member of that policy.
1) Full Access
2) Restrict client

Can you please tell me what will happen if I put Restrict client as policy no. 1 and Full access as no. 2?
Thanks

Author Comment

by:amir321
ID: 12132098
Hi,
Can you please tell me how to make a tunnel in Remote and RAS Access? I mean, can it help me with my problem or not?
Thanks
LVL 15

Accepted Solution

by:
scampgb earned 305 total points
ID: 12136219
amir321,
> can you plz tell me how to make tunnel in remote and rass acces i mean
> can it help me in my problem or not.

Sorry, I don't really understand what you mean here.  I assume that the remote user is able to create a VPN to your ISA server using PPTP?

It sounds from what you've said that they're able to do this, but the client set restriction isn't working properly.

Changing the order of your policies won't make any difference, as they don't overlap at all.

A quick talk-through of a policy that I have in place that does exactly what you mean:
Policy name                 = Restricted policy
Conditions to match         = Windows-Group matches "MYDOMAIN\Restricted PPTP group"
If matches... grant permission...

Edit Profile, IP tab
IP address assignment policy    = server settings define policy
IP Packet filters, From client.....
Deny all traffic except those listed below:

Source Address  Source Mask     Destination Address     Destination Mask    Protocol    Source Port or Type     Destination port or Code
User's address  User's mask     192.168.1.3             255.255.255.255     UDP         Any                     53  
User's address  User's mask     192.168.1.5             255.255.255.255     TCP         Any                     3389


The first line allows the client to do DNS lookups (192.168.1.3 is the DNS server).
The second line allows the client to connect to the Terminal Server 192.168.1.5 using the RDP protocol on port 3389.

This works for me. Can you please check that yours is set up the same way?
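As an added illustration (not code from the thread or from RRAS itself), this Python model of the two filter rows above evaluates sample client packets under both radio-button choices, which shows why picking the option other than "Deny all traffic except those listed below" leaves file shares reachable; the source address/mask column is treated as Any, and the sample traffic (a share connection to 192.168.2.1 over SMB, TCP/445) is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

@dataclass(frozen=True)
class FilterLine:
    """One row of the RRAS 'From Client' filter list (source side modelled as Any)."""
    dst_net: str             # destination address + mask, e.g. "192.168.1.5/32"
    proto: str               # "TCP", "UDP" or "ANY"
    dst_port: Optional[int]  # None stands for the RRAS 'Any' port

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str
    dst_port: int

def line_matches(line: FilterLine, pkt: Packet) -> bool:
    """Destination network, protocol and destination port must all agree."""
    in_net = ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(line.dst_net, strict=False)
    proto_ok = line.proto == "ANY" or line.proto == pkt.proto
    port_ok = line.dst_port is None or line.dst_port == pkt.dst_port
    return in_net and proto_ok and port_ok

def client_packet_allowed(lines: List[FilterLine], pkt: Packet, deny_all_except: bool) -> bool:
    """deny_all_except=True is 'Deny all traffic except those listed below';
    False is the other radio button, where listed rows are the ones blocked."""
    listed = any(line_matches(line, pkt) for line in lines)
    return listed if deny_all_except else not listed

# The two rows from the accepted answer: DNS server and Terminal Server.
RESTRICTED_LINES = [
    FilterLine("192.168.1.3/32", "UDP", 53),
    FilterLine("192.168.1.5/32", "TCP", 3389),
]

# Constructed sample traffic from the VPN client (hypothetical values).
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "dns": Packet("192.168.1.3", "UDP", 53),
    "rdp": Packet("192.168.1.5", "TCP", 3389),
    "smb_share": Packet("192.168.2.1", "TCP", 445),       # \\192.168.2.1 share browse
    "rdp_other_host": Packet("192.168.2.1", "TCP", 3389), # RDP to a host not listed
}

def evaluate(deny_all_except: bool) -> Dict[str, bool]:
    """Map each sample packet name to whether the filter list lets it through."""
    return {name: client_packet_allowed(RESTRICTED_LINES, p, deny_all_except)
            for name, p in SAMPLE_TRAFFIC.items()}

if __name__ == "__main__":
    print("Deny all except listed:", evaluate(True), "| other option:", evaluate(False))
```

With the correct option only DNS and RDP to the listed hosts pass; with the other option exactly those two are blocked and everything else, including the share connection, is permitted.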

Author Comment

by:amir321
ID: 12142997
Hi scampgb

I have done all the settings as you said in your last mail and now it's working. Actually the problem was that where I am working everything is installed in the German language, so instead of choosing "Deny all traffic except those listed below" I had chosen the other option, and that caused the problem.

Thank you very much for your support. If I can do anything for you then let me know...
<email address protected>


Thanks
LVL 15

Expert Comment

by:scampgb
ID: 12143143
amir321,
Thanks for the "A".  Glad I could help :-)

Your German is much better than mine then!  I've been known to make that mistake in English.

Good feedback always gratefully received :-)

Also - email addresses shouldn't be included in E-E posts.  I'll ask in Community Support for yours to be removed.

Author Comment

by:amir321
ID: 12157961
Sorry sir, I didn't know that email posting is not allowed.