Limit access to VPN by IP address

SBS2003 + ISA2004 + ISA Novice

I have a user who wants to link into the server via a VPN. He is using a static IP address. So it would make sense to limit VPN access to just that IP address.

In the VPN configuration in ISA2004, I clicked on 'Select Access Networks'. This gives me a window which lists the Networks. Is there a way that I can add the remote static IP address to this list?

The other thought I had was that because external traffic can be limited to just that one IP address, do I need to use a VPN at all? Can I not just publish the server to that IP address?


Rob Williams commented:
Not an ISA solution, but if you want to set up RRAS as the Windows VPN service, you can create policies, one of which specifies the IP/IPs from which the VPN users can connect. However, to use this particular policy you will also have to enable RADIUS/Internet Authentication Service.
Keith Alabaster (Enterprise Architect) commented:
You will have noted that the ISA VPN Clients network (in the list of networks) does not let you add addresses, as it is simply an object.
Double-click the Virtual Private Networks (VPN) option on the left of the GUI under Firewall Policy.
Select the remote access configuration from 'Verify VPN and remote access'.
Here you can select from which network VPN users are allowed to come from and the IP addresses that are allowed.

Keith Alabaster (Enterprise Architect) commented:
In respect to the second part of the question, what services do you want the user to have access to? A common option is to create a network object for the user (by IP address is cool).
Create a server publishing rule for RDP (Terminal Services).
Use your new object as the sole access point.

Make sure any external router you may have forwards port 3389 TCP to the SBS/ISA box.
Make sure the SBS box has the allow remote control option set.

ipendlebury (Author) commented:
Hello again Keith,

Thanks for the reply. I just need my user to be able to map a drive letter to a folder on the server so he can edit some spreadsheets.

It hadn't occurred to me that I could create a new network and narrow the address range to just a single IP address. So I've done that...

Erm... I've got a problem now. I was logged in via Terminal Services to make the changes. When I clicked the Apply Changes button, I lost my TS connection. The website has also gone down. That was 30 minutes ago, so I think the server has crashed completely.

I've made numerous changes to the firewall configuration via TS. So I'm surprised that this has happened.

I'll have to go in there first thing in the morning to reboot it.

ipendlebury (Author) commented:
Forget my previous post Keith,

I TS'd into another of my servers and found that I could gain full access to the original server from there.

To test this VPN connection filtering, I had put my own IP address in as an external network. It would appear that doing so has blocked all access from my IP address to this server.

At least I have access again. I will experiment some more.

Keith Alabaster (Enterprise Architect) commented:
lol, let us know if you need anything else Ian.

ipendlebury (Author) commented:
This is really surprising. I had to delete the Network which had my own IP address in it before I could gain any access from my own IP address. Simply unchecking this network from the Access Networks and applying the changes had no effect.

I'm sure your original suggestion is the correct approach. I'm going out for the day. So I'll close this thread now and award the points.

Thanks for your help.

Keith Alabaster (Enterprise Architect) commented:
thanks Ian. Obviously, if you have an issue later just carry this thread on and I will respond.

ipendlebury (Author) commented:
Hello Keith,

I'll take you up on that offer to try and sort this problem out...

I've tried again defining my home IP address as a network. As soon as I do (without enabling it in the VPN setup), all access to the server is blocked from my home. Again, I've managed to TS into another customer's server and TS into the original server from there.

If I look at the properties for the network object definition, I can see that there are several Tabs containing various settings.

If what I am trying to do is valid, then presumably these settings are invalid. Would you have any suggestions for how I can set this up correctly?

Keith Alabaster (Enterprise Architect) commented:
Your home address is not a network. Add that and all will become somewhat dire.....

By default, as you (at home) are not on the internal LAN, you are an outsider, a danger, an alien. Anything that is not on the internal LAN comes into this category and is classed as external. Two exceptions exist to this rule.
1. You have added a perimeter network (with a third NIC).
2. You have created the VPN group and assigned an IP subnet for it to use for the clients. You cannot do a VPN for a single IP address; it gets confused, so use a whole class C subnet. Remember, ANY IP address that is not in a group/network is classed as external. If you assign a small section to the VPN, all the other IPs of the subnet are external and it goes down the tubes. See my post above about using the 'Verify VPN and remote access' option. This is often one of the most classic mistakes people make with ISA.

If you simply want to RDP in, then life is even simpler.
Make the object for your home PC (actually the external IP address of your router).
Select the new access a server rule, assign RDP (Terminal Services), enter the IP address of your RDP server internally, and for the users, select your home PC object.

If neither of these meet the need, give me some more detail of the requirement and we will work out a solution.

ipendlebury (Author) commented:
Hello Keith,

All we want, is to provide the remote user with the ability to modify spreadsheets on the SBS box. We've tried RDP, but in this case it's a bit slow because the remote office is in China!

The VPN scenario is better. Even though it takes a few seconds for his document to open, once it's open he can use the document unhindered on his PC.

So i'm back to my original question. The remote office is on a fixed IP address. How can I limit it so that only that IP address can establish a VPN connection?
Keith Alabaster (Enterprise Architect) commented:
One or two things you may want to consider...

1. Use a subnet as per the book, then allow only traffic from the static IP to pass through your external DSL router/firewall on 1723 or whichever port(s) you are using to the ISA VPN terminator.
2. Have you thought about RADIUS? You can assign an entire subnet as per the book but this guy/gal will be the only person who knows the RADIUS password.
3. Set up a site-to-site VPN on his router to the ISA server.
4. Assign the subnet (still that old chestnut I am afraid). In the menu list for VPN clients, select the Windows user that is allowed the VPN access.

Did you ever download my ISA2004 vpn guide Ian?
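Both of Keith's "allow it only from one source address" suggestions (the RDP server publishing rule restricted to a single external IP object, and option 1 above, passing 1723 through the external router only from the remote office's static IP) are the same control: a default-deny filter with a source-IP allowlist in front of the published service. The script below is an added example and not ISA 2004 or SBS code; it models that filter as a small stateless rule evaluator over constructed connection attempts. The addresses (203.0.113.10 for the remote office, 198.51.100.25 for the admin's home router) are assumed RFC 5737 documentation values, and the service definitions assume a PPTP VPN, which needs both the TCP 1723 control channel and IP protocol 47 (GRE) to pass, a detail a port-only forward on the DSL router will miss.

```python
"""Source-IP allowlisting in front of a published service.

Added example, not ISA 2004 code. It models the two rules discussed in the
thread (RDP published to one home address, PPTP VPN allowed from one static
office address) as a default-deny packet filter, and checks the PPTP caveat
that the control port alone is not enough: GRE must be allowed as well.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges), assumed for the example.
REMOTE_OFFICE = ip_network("203.0.113.10/32")   # the user's static IP
ADMIN_HOME = ip_network("198.51.100.25/32")     # external IP of the admin's router


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple                 # ip_network objects allowed as source
    protocol: str                  # "tcp", "udp" or "gre"
    dport: Optional[int] = None    # None for protocols without ports (GRE)


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str
    dport: Optional[int] = None


# Ordered allow rules; anything that matches none of them is denied.
RULES = (
    # Keith's RDP publishing rule: TCP 3389 only from the home PC object.
    Rule("publish RDP to admin home", (ADMIN_HOME,), "tcp", 3389),
    # Keith's option 1: PPTP to the ISA VPN terminator only from the static IP.
    Rule("PPTP control from remote office", (REMOTE_OFFICE,), "tcp", 1723),
    Rule("PPTP GRE from remote office", (REMOTE_OFFICE,), "gre"),
)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when protocol, destination port and source allowlist all agree."""
    src = ip_address(pkt.src)
    return (
        pkt.protocol == rule.protocol
        and pkt.dport == rule.dport
        and any(src in net for net in rule.sources)
    )


def decide(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """First matching allow rule wins; default deny otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return "allow", rule.name
    return "deny", "default deny"


def pptp_session_possible(src: str, rules=RULES) -> bool:
    """A PPTP session from src only works if BOTH TCP 1723 and GRE are allowed.

    Forwarding 1723 alone lets the client authenticate and then hang while
    the GRE tunnel packets are dropped; this check catches that misconfiguration.
    """
    needed = (Packet(src, "tcp", 1723), Packet(src, "gre"))
    return all(decide(p, rules)[0] == "allow" for p in needed)


if __name__ == "__main__":
    # Constructed connection attempts: the legitimate user, a stray address
    # on the same /24, and the admin trying RDP from each place.
    attempts = [
        Packet("203.0.113.10", "tcp", 1723),
        Packet("203.0.113.11", "tcp", 1723),
        Packet("198.51.100.25", "tcp", 3389),
        Packet("203.0.113.10", "tcp", 3389),
    ]
    for p in attempts:
        verdict, why = decide(p)
        print(f"{p.src:15} {p.protocol}/{p.dport}: {verdict} ({why})")
    print("PPTP usable from office:", pptp_session_possible("203.0.113.10"))
```

The `pptp_session_possible` check is the one worth keeping in mind when applying option 1 on a consumer DSL router: the port forward for 1723 must be paired with GRE forwarding (often labelled "PPTP passthrough") or the allowed user will authenticate and then stall. Restricting the source to a /32 rather than the office's whole /24 is what keeps a neighbouring customer of the same ISP out.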
ipendlebury (Author) commented:
Hello Keith,

Yes, I've got your VPN Guide. All 515 pages of it! I've never used RADIUS. So it's just a word to me at the moment.

His router has a Chinese setup menu. So I won't be delving into that.

I'll read the relevant chapters in the VPN Guide and try and get myself a bit more clued up on the concepts involved. Hopefully then I'll start making more sense.

Thanks for your help once again.

Keith Alabaster (Enterprise Architect) commented:
Always welcome Ian.

Option 4 may be the simplest, i.e. assign the subnet you want to use for the VPN but only assign the one Windows user account as authorised to use the VPN.
Keith Alabaster (Enterprise Architect) commented:
lol, and that is just one chapter of the MCSE/MCT guide to ISA2004 :)