Restricting user(s) access to IP /Protocol via PIX VPN and Windows Server 2003 RADIUS Server

500 points up for this one :)

Hey all, I have sifted through pages of related answers to my question before posting and cannot find anything definitive to answer my question, so here's mine, hoping others are in the same predicament:

I am running Cisco PIX 515 with 2 windows 2003 standard servers running as RADIUS servers. Currently, the only users able to use VPN are IT staff, who are given full access to the network. The requirement of low-level users needing email only access has arisen, and for obvious reasons we wish to segregate their traffic to only the systems required. MS Routing and Remote access is not being used, so I am unable to implement a filter on this end. This leaves me to applying an ACL on the PIX to those users only, could someone help me out in this area, or is there an easier way that I am overlooking?

Many, many thanks!

Asked by: suburbia_sims

Keith Alabaster commented:
Are you running Exchange? Do you have/can you implement Outlook Web Access?

billwharton commented:
You can use downloadable ACLs with the RADIUS server, which basically allows you to place dynamic access lists on a user/group when they log in.


PIX Version 6
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#wp1030990


PIX Version 7
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html#wp1043681

rsivanandan commented:
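To make the downloadable-ACL mechanism concrete, here is an added example (not code from this thread or from Cisco's documentation) of what the RADIUS server hands the firewall and what that means for a mail-only user. It encodes a per-user ACL as the Cisco vendor-specific attribute `cisco-av-pair` inside the Access-Accept, decodes it the way the firewall would, and evaluates a few flows against the result. The `ip:inacl#<seq>=<ACE>` value format is assumed to be the per-user ACL form the PIX/ASA accepts; the mail server 10.0.0.25, the VPN pool address 192.168.50.7 and the ACL itself are constructed.

```python
"""Constructed example: per-user ACL delivered in a RADIUS Access-Accept.

Assumptions (not taken from the thread): the firewall reads the Cisco
vendor-specific attribute "cisco-av-pair" (vendor id 9, sub-type 1) with
values "ip:inacl#<seq>=<ACE>", and all addresses below are made up.
"""
import ipaddress
import struct

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1            # Cisco vendor sub-attribute "cisco-av-pair"

# Constructed ACL for a mail-only user: SMTP, IMAP and HTTPS to the
# hypothetical mail server 10.0.0.25, everything else explicitly denied.
MAIL_ONLY_AV_PAIRS = [
    "ip:inacl#1=permit tcp any host 10.0.0.25 eq 25",
    "ip:inacl#2=permit tcp any host 10.0.0.25 eq 143",
    "ip:inacl#3=permit tcp any host 10.0.0.25 eq 443",
    "ip:inacl#4=deny ip any any",
]


def encode_av_pair(value: str) -> bytes:
    """Wrap one cisco-av-pair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data   # vendor type/len
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub                  # vendor id
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept_attrs(av_pairs=MAIL_ONLY_AV_PAIRS) -> bytes:
    """Attribute bytes a RADIUS server would append to the Access-Accept."""
    return b"".join(encode_av_pair(p) for p in av_pairs)


def decode_av_pairs(blob: bytes) -> list:
    """Pull every cisco-av-pair string out of a run of RADIUS attributes."""
    pairs, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute length")
        value = blob[i + 2:i + alen]
        i += alen
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4  # skip the vendor id, then walk the vendor sub-attributes
        while j < len(value):
            vtype, vlen = value[j], value[j + 1]
            if vtype == CISCO_AV_PAIR:
                pairs.append(value[j + 2:j + vlen].decode("ascii"))
            j += vlen
    return pairs


def _parse_addr(toks, idx):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' into a network."""
    if toks[idx] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), idx + 1
    if toks[idx] == "host":
        return ipaddress.ip_network(toks[idx + 1]), idx + 2
    # Contiguous Cisco wildcard masks are host masks, which ipaddress accepts.
    return ipaddress.ip_network(f"{toks[idx]}/{toks[idx + 1]}"), idx + 2


def acl_from_av_pairs(pairs):
    """Turn ip:inacl# pairs into an ordered list of ACE tuples."""
    entries = []
    for pair in pairs:
        key, _, ace = pair.partition("=")
        if not key.startswith("ip:inacl#"):
            continue
        seq = int(key[len("ip:inacl#"):])
        toks = ace.split()
        action, proto = toks[0], toks[1]
        src, idx = _parse_addr(toks, 2)
        dst, idx = _parse_addr(toks, idx)
        port = int(toks[idx + 1]) if idx < len(toks) and toks[idx] == "eq" else None
        entries.append((seq, action, proto, src, dst, port))
    entries.sort(key=lambda e: e[0])
    return [e[1:] for e in entries]


def permitted(acl, proto, src_ip, dst_ip, dst_port=None) -> bool:
    """First-match evaluation with the implicit deny at the end of a Cisco ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if src not in s or dst not in d:
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    acl = acl_from_av_pairs(decode_av_pairs(build_access_accept_attrs()))
    client = "192.168.50.7"  # constructed VPN pool address
    print("SMTP to mail server:", permitted(acl, "tcp", client, "10.0.0.25", 25))
    print("RDP to file server :", permitted(acl, "tcp", client, "10.0.0.40", 3389))
```

On a Windows Server 2003 IAS remote access policy the same attribute is entered under the policy's Advanced attributes as Vendor-Specific with vendor code 9 (Cisco), vendor-assigned attribute number 1 and a string value per ACE. The sample ACL only covers SMTP, IMAP and HTTPS; a full Outlook MAPI client talks to the RPC endpoint mapper on 135 and then to dynamically assigned ports, so its port list is not this tidy, which is part of why the thread steers the email-only case toward OWA.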
Let's see, the users would probably be needing to access the mail through Outlook (OST) and probably access their machines, right?

In that case, as long as the users don't belong to any administrators group there shouldn't be any problem. The user will be able to connect via VPN -> authenticate via RADIUS to the AD and be given the proper permissions. Just add the user to the Remote Desktop Users on their individual PCs, which you can probably do via a script or so.

I don't see any other problem, because if they want to get onto a PC, then it is going to be only through Remote Desktop. If you can also make sure that they use *compliant* machines to connect (usually company-provided laptops with all the antivirus and stuff), then there is no problem at all.

Cheers,
Rajesh

rsivanandan commented:
If it is only for E-Mail, I would consider Keith's suggestion of enabling Outlook Web Access (assuming you have Exchange Servers for mail). It is very simple to implement though.

Cheers,
Rajesh