amir321
asked on
Microsoft VPN PPTP server
Hello Freinds
So here I go. I am using the Windows 2000 Routing & RAS services. My client connects to my VPN PPTP server and everything works, but when he connects to my server he can see all the computers in my network and maybe he can hack them.
So what I want is that he must have access only to one or two particular computers in my network, not all computers, because the client who connects to my server has to work with only two computers via Terminal Services, and I don't want him to have access to, or be able to see, other computers in my network.
So please tell me how I can create rules so that when he connects to my server he has access only to particular IP addresses or particular computers defined by me.
Thanks.
ASKER
OK, but how will my server know that this Restricted Client policy is for this particular user? All my other offices also connect to my VPN server from different locations, and among them one client will also connect, but I must give him access only to one or two computers (Terminal Server access through the VPN server), while the rest of my clients will have access to the whole network.
I mean, how can I decide which policy applies to which user?
ASKER
OK, thanks. I did what you said, and now I have to find out which kind of service I must add in the IP packet filter, because my client must have access only to the Terminal Server port and nothing else. I will try to find out and let you know. Thanks again.
Regards,
Amir
Hi Amir
You control who this access policy applies to by putting the user account in a suitable security group. Please let me know if this is still unclear.
Terminal services (RDP) uses port TCP/3389
ASKER
When I click on "From Client" and then select TCP, I get two boxes, for destination and source. What must I add in the destination and source TCP boxes?
You need to put port number "3389" in the Destination Port box.
Also, bear in mind that the VPN user will have to connect to the server by IP address rather than name. This is because they won't be able to contact your DNS servers.
If you need this to work, then you need to also allow the users to connect to your DNS server IPs on destination port UDP/53
Hope that this helps.
ASKER
And what about the source box? Which TCP number must I put there?
You can leave the source boxes blank, as you're not restricting those.
I've restricted my VPN users by following the steps above, but I have another question. Currently my VPN users can search for a server via IP address, then browse that server's shares. I've removed this test user from the Domain Users group, which denies them access to view anything past the server's root shares. How can I further restrict these users so they cannot search for servers via IP address, or at least restrict them from viewing the shares available on the server?
Currently I have the IP Packet Filters set (within "From Client") to deny all traffic except to one IP address (destination) using any protocol. This one IP address is not any of the servers in question.
Hi Clutch - sorry, but this is amir321's question about restricting VPN connections, not stopping people browse shares - although I realise that there is some similarity.
I suggest that you post your query separately, but make reference to this thread so that others understand what's going on.
Amir321 - any progress on this?
I thought Amir321's question was asking how to restrict VPN connections? That is what I am asking, but in further detail: how to restrict this VPN policy further. Currently the IP filter for this VPN policy is set to restrict all traffic except to one IP address, yet after testing I am still being allowed to browse to other IP addresses via a simple search of known LAN IP addresses.
Let me rephrase the question then. Simply setting the IP filters you mention in the above post does not restrict all network traffic. Why can I still successfully search for servers/PCs on the remote network via IP address?
ASKER
My dear friends,
My VPN server has been running for the last 3 years without any problem, and my branch office and head office users can access all files and everything without any problem. But I wanted to give Terminal Server access to one of my users, and I didn't want him to be able to browse my network or see anything on it.
I just wanted him to connect to my server with VPN and then have access only to the Terminal Server IP address, nothing else. Mr scampgb has given me some ideas, but due to a busy schedule I haven't tried them yet. Next week I am going to try and let you know, guys.
Anyhow, thank you, friends.
ASKER
Dear friends,
I did as Mr scampgb told me to, but my client can access all the computers in my network and their data. If he types \\192.168.2.1 or any IP address of a computer in my network, he can see all my shared folders and everything. Please tell me what to do and how I can restrict this. I just want him to have a Remote Desktop connection, nothing else.
Here's a thought.
Look in Remote Access Policies in RRAS administration
You'll see the restricted policy in there - are there any others?
Does the user who is a member of this restricted policy also get covered by any other ones?
In other words, if you have a policy that allows everyone in the "Remote Access" group permission to connect, and this account is a member of this group, then this will apply.
You then need to look at the order these policies are applied. You can move them up and down the priority list by right-clicking on them.
Does that help?
ASKER
I have two policies: 1) called Full Access, of which only the administrator is a member, and a second policy called Restrict Client, of which my client is a member.
1) Full Access
2) Restrict Client
Can you please tell me what will happen if I put Restrict Client as policy number one and Full Access as number two?
Thanks
ASKER
Hi
Can you please tell me how to make a tunnel in Routing and Remote Access? I mean, can it help me with my problem or not?
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Hi scampgb
I have done all the settings as you said in your last mail, and now it's working. Actually, the problem was that where I am working everything was installed in German, so instead of choosing "Deny all traffic except those listed below" I chose the other option, and that caused the problem.
Thank you very much for your support. If I can do anything for you, then let me know...
<email address protected>
Thanks
amir321,
Thanks for the "A". Glad I could help :-)
Your German is much better than mine then! I've been known to make that mistake in English.
Good feedback always gratefully received :-)
Also - email addresses shouldn't be included in E-E posts. I'll ask in Community Support for yours to be removed.
ASKER
Sorry, sir, I didn't know that posting email addresses is not allowed.
I'm assuming that your VPN user is logging in to a domain account.
Create a security group in ADUC that contains the VPN user(s). Call this "Client VPN" or something appropriate.
Go into the RRAS admin tool
Go into "Remote Access Policies"
Create a new remote access policy
Give it an appropriate name "Restricted client"
Choose the matching conditions - in this case it would be "Windows Groups"
Choose the domain account or security group for this VPN user
Choose "Grant Remote access permission"
Choose "Edit Profile"
"IP" tab
You'll see that there's some IP Packet Filters buttons.
Choose "From Client"
You can then specify any IP address or protocol restrictions that you need.
I hope that this helps - let me know if you need any further help.
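The following is an added example, not part of the original thread or of RRAS itself. It models how the "From Client" IP packet filters in a remote access profile decide whether a packet from the VPN client is forwarded, so that the two points raised in the thread can be checked offline: the filter list only restricts anything when the profile is set to "Deny all traffic except those listed below" (the option the asker had picked wrongly in the German UI), and name resolution only works if a second filter allows UDP/53 to the DNS server. The terminal server and DNS server addresses, and the assumption that matching is on destination address, protocol and destination port only (source fields left blank, as in the thread), are constructed for the example; 192.168.2.1 is the host the asker browsed with \\192.168.2.1.

```python
"""Model of RRAS 'From Client' IP packet filters (added example, not RRAS code).

Assumptions (not from the thread): a filter matches on destination network,
protocol and destination port only; the profile mode is either
'deny_all_except' ("Deny all traffic except those listed below") or
'allow_all_except'. Addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Filter:
    dst_net: str              # destination network, e.g. "192.168.2.10/32"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None = any port (source fields left blank)

    def matches(self, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(dst) in ip_network(self.dst_net)
                and self.proto in ("any", proto)
                and self.dst_port in (None, dport))


def permitted(filters, mode: str, dst: str, proto: str, dport: int) -> bool:
    """True if a packet from the VPN client would be forwarded by the profile."""
    hit = any(f.matches(dst, proto, dport) for f in filters)
    if mode == "deny_all_except":      # only listed traffic passes
        return hit
    if mode == "allow_all_except":     # listed traffic is the only thing blocked
        return not hit
    raise ValueError(f"unknown filter mode: {mode}")


# Constructed sample addresses (assumptions, not the asker's real network).
TERMINAL_SERVER = "192.168.2.10"
DNS_SERVER = "192.168.2.2"
OTHER_HOST = "192.168.2.1"   # file server the asker reached via \\192.168.2.1

RDP_ONLY = [Filter(f"{TERMINAL_SERVER}/32", "tcp", 3389)]
RDP_AND_DNS = RDP_ONLY + [Filter(f"{DNS_SERVER}/32", "udp", 53)]

# Probe packets the VPN client might send: (destination, protocol, dest port).
PROBES = {
    "rdp_to_terminal_server": (TERMINAL_SERVER, "tcp", 3389),
    "smb_to_other_host":      (OTHER_HOST, "tcp", 445),
    "smb_to_terminal_server": (TERMINAL_SERVER, "tcp", 445),
    "dns_query":              (DNS_SERVER, "udp", 53),
}


def evaluate(filters, mode: str) -> dict:
    """Map each probe name to whether the profile lets it through."""
    return {name: permitted(filters, mode, *pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    scenarios = [
        ("wrong mode (allow all except listed)", RDP_ONLY, "allow_all_except"),
        ("deny all except listed, RDP only", RDP_ONLY, "deny_all_except"),
        ("deny all except listed, RDP + DNS", RDP_AND_DNS, "deny_all_except"),
    ]
    for label, filters, mode in scenarios:
        print(label)
        for name, ok in evaluate(filters, mode).items():
            print(f"  {name:24s} {'allowed' if ok else 'blocked'}")
```

Run stand-alone, the first scenario reproduces the asker's symptom: with the wrong mode, the one listed filter is the only thing blocked, so SMB to \\192.168.2.1 passes and RDP is refused. With the deny-all-except mode, only TCP/3389 to the terminal server passes, and the DNS probe is blocked until the UDP/53 filter is added. Note that these filters only constrain the VPN tunnel itself: once the user is logged on to the terminal server, anything that session can reach on the LAN is governed by the terminal server's own permissions, not by the RRAS profile.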