Microsoft VPN PPTP server

Hello Freinds

so here i gooooooo  I am using the WIndows2000 Routing&Ras services my client connect on my VPN PPTP server and everything works but when he connect to my server he can see all computer which are in my network and may be he can hack it.

So what i want is that he must have only access to one or particular 2 computer in my network not all computer.Bcz my client who will connect to my server has to work with only two computer with terminal service and i don't want that he must have access or he can see other computer in my network.

So please tell me how i can create rules so if he connect to my server he will have only access to particular IP address or particular computer defined by me.

Who is Participating?
scampgbConnect With a Mentor Commented:
> can you plz tell me how to make tunnel in remote and rass acces i mean
> can it help me in my problem or not.

Sorry, I don't really understand what you mean here.  I assume that the remote user is able to create a VPN to your ISA server using PPTP?

It sounds from what you've said that they're able to do this, but the client set restriction isn't working properly.

Changing the order of your policies won't make any difference as the don't overlap at all.

A quick talk through of a policy that I have in place that does exactly what you mean:
Policy name                 = Restricted policy
Conditions to match         = Windows-Group matches "MYDOMAIN\Restricted PPTP group"
If matches... grant permission...

Edit Profile, IP tab
IP address assignment policy    = server settings define policy
IP Packet filters, From client.....
Deny all traffic except those listed below:

Source Address  Source Mask     Destination Address     Destination Mask    Protocol    Source Port or Type     Destination port or Code
User's address  User's mask        UDP         Any                     53  
User's address  User's mask        TCP         Any                     3389

The first line allows the client to do DNS lookups ( is the DNS server).
The second line allows the client to connect to the Terminal Server using the RDP protocol on port 3389

This works for me.  Can you please check that yours is set up the same way?
Hi amir321,

I'm assuming that your VPN user is logging in to a domain account.
Create a security group in ADUC that contains the VPN user(s).  Call this "Client VPN" or something appropriate.

Go into the RRAS admin tool
Go into "Remote Access Policies"
Create a new remote access policy
Give it an appropriate name "Restricted client"
Choose the matching conditions - in this case it would be "Windows Groups"
Choose the domain account or security group for this VPN user
Choose "Grant Remote access permission"
Choose "Edit Profile"
"IP" tab

You'll see that there's some IP Packet Filters buttons.

Choose "From Client"

You can then specify any IP address or protocol restrictions that you need.

I hope that this helps - let me know if you need any further help.
amir321Author Commented:
Ok but how my server will know that this Restricted client Policy is for this particular user bcz my all other office is also connecting to my VPN server from different location. and from them one client will also connect but i must give him access only to one or two computer terminal server access through VPN server but my rest client will have access to all network.

I mean how i can decide which policy is for which user.
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

amir321Author Commented:
ok thanx i did what u said and now i have to find out which kind of service i must add in IP packet filter bcz my client must have access only to terminal server port nothing else. i will try to find out and i will let you knoww. thanx again.

Hi Amir

You control who this access policy applies to by putting the user account in a suitable security group.  Please let me know if this is still unclear.

Terminal services (RDP) uses port TCP/3389
amir321Author Commented:
When i click on from Client and tem i select tcp and then i got two boy for destination and source wehat i must add in destination and source TCP
You need to put port number "3389" in the Destination Port box.

Also, bear in mind that the VPN user will have to connect to the server by IP address rather than name.  This is because they won't be able to contact your DNS servers.
If you need this to work, then you need to also allow the users to connect to your DNS server IPs on destination port UDP/53

Hope that this helps.
amir321Author Commented:
and what about source box which TCP no i must put ???
You can leave the source boxes blank, as you're not restricting those.
I've restricted my VPN users by following the steps above, but I have another question.  Currently my VPN users can search for a server via IP address, then browse that server's shares.  I've removed this test user from the Domain Users group which denies them access to view anything past the server's root shares.  How can I further restrict these users so they can not search for servers via IP address or at least restrict them from viewing the shares available on the server?

Currently I have the IP Packet Filters set (within "From Client) to Deny all traffice except to one IP address (Destination) using any protocol.  This one IP address is not any of the servers in question.
Hi Clutch - sorry, but this is amir321's question about restricting VPN connections, not stopping people browse shares - although I realise that there is some similarity.

I suggest that you post your query seperately, but make reference to this thread so that others understand what's going on.

Amir321 - any progress on this?
I thought Amir321's question was asking was how to restricting VPN connections?  That is what I am asking, but in further detail.  How to restrict this VPN policy further.  Currently the IP filter for this VPN policy is set to restrict all traffic except to one IP address, yet after testing I am still being allowed to browse to other IP address via a simple search of known LAN IP addresses.

Let me rephrase the question then.  Simply setting the IP filters you mention in the above post does not restrict all network traffic.  Why can I still successfully search for servers/PCs on the remote network via IP address?
amir321Author Commented:
My dear Freinds

My VPn server is already running since last 3 years without any problem and my branch office and Head office user can access all files and everything without any problem. but i wanted to give my Terminal server access to my one user i don't wanted that he must be able to browse my network and able to see anything from my network .

I just wanted that he must connetc to my server with VPn and then he must be have access to only Terminal server my IP address nothing else. And mr scampgb has Give my some Idea but due to bussy schedule i haven't Tryied yet but next week i am gonna try and let you know guys.

Anyhow thank you freinds.
amir321Author Commented:
Dear Freinds

AS Mr scampgb has tole me to do i did but my clients can access all my computer in network and data if he type \\ or any Ip address of my computer in network he can see all my shared folder and evrything. Please tell me what do do how i can restrict . i just want that he must have Remote Desktop COnnection nothing else.
Here's a thought.

Look in Remote Access Policies in RRAS administration

You'll see the restricted policy in there - are there any others?
Does the user who is a member of this restricted policy also get covered by any other ones?

In other words, if you have a policy that allows everyone in the "Remote Access" group permission to connect, and this account is a member of this group, then this will apply.

You then need to look at the order these policies are applied.  You can move them up and down the priority list by right-clicking on them.

Does that help?
amir321Author Commented:
I have two policy 1) called Full access and only administrator is member in that policy and second policy called restrict client and my client is member of that policy.
1) Full Access
2) Restrict client

can you plz tell me what will happen if i will put restrict client on no one policy and full access on no 2.
amir321Author Commented:
can you plz tell me how to make tunnel in remote and rass acces i mean can it help me in my problem or not.
amir321Author Commented:
Hi scampgb

I have done all settings as you sai din your last mail and now it's working. Actually problem was that were i am working everything was installed in german Language so instead of chossing "Deny all traffic except those listed below" i have chose other option and i got problem.

Thank you very much for your support. If i can do anything for you then let me know...
<email address protected>

Thanks for the "A".  Glad I could help :-)

Your German is much better than mine then!  I've been known to make that mistake in English.

Good feedback always gratefully received :-)

Also - email addresses shouldn't be included in E-E posts.  I'll ask in Community Support for yours to be removed.
amir321Author Commented:
Sorry sir i didn't knew hat email posting is not allowed.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.