Restricting user(s) access to IP /Protocol via PIX VPN and Windows Server 2003 RADIUS Server

500 points up for this one :)

Hey all, I have sifted through pages of related answers to my question before posting and cannot find anything definitive to answer my question, so here's mine, hoping others are in the same predicament:

I am running a Cisco PIX 515 with 2 Windows 2003 Standard servers running as RADIUS servers. Currently, the only users able to use the VPN are IT staff, who are given full access to the network. The requirement of low-level users needing email-only access has arisen, and for obvious reasons we wish to segregate their traffic to only the systems required. MS Routing and Remote Access is not being used, so I am unable to implement a filter on this end. This leaves me with applying an ACL on the PIX to those users only. Could someone help me out in this area, or is there an easier way that I am overlooking?

Many, many thanks!


Keith Alabaster, Enterprise Architect, commented:
Are you running Exchange? Do you have/can you implement Outlook Web Access?
You can use downloadable ACLs with the RADIUS server, which basically allows you to place dynamic access lists on a user/group when they log in.

PIX Version 6

PIX Version 7
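The downloadable-ACL approach Keith describes, written out as an added example for this thread (it is not the asker's configuration and not copied from Cisco or Microsoft documentation). The addresses, the shared secret, the map and tunnel-group names and the ACL contents are made up; the IAS dialog wording is from memory, so check it against the server you are on. Assumed: 10.1.1.10 is a Windows Server 2003 IAS box, 10.1.1.20 is the Exchange server running Outlook Web Access over HTTPS, and the VPN client traffic already works for IT staff.

```text
! Added example, not the asker's configuration. Assumed addressing:
!   10.1.1.10        Windows Server 2003 IAS (RADIUS)
!   10.1.1.20        Exchange server, Outlook Web Access on HTTPS only
!   S3cr3tSharedKey  made-up RADIUS shared secret

! ===== PIX 6.3 =====
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 S3cr3tSharedKey timeout 10
! xauth the VPN client users against IAS
crypto map outside_map client authentication RADIUS
! decrypted IPsec traffic skips the interface ACL; the per-user ACL
! returned by RADIUS is still enforced for that user's session
sysopt connection permit-ipsec

! ===== PIX 7.x equivalent (key on its own line, VPN authentication bound
! in the tunnel-group, sysopt keyword renamed to permit-vpn) =====
! aaa-server RADIUS protocol radius
! aaa-server RADIUS (inside) host 10.1.1.10
!  key S3cr3tSharedKey
! tunnel-group DefaultRAGroup general-attributes
!  authentication-server-group RADIUS
! sysopt connection permit-vpn

! ===== IAS side (Windows Server 2003) =====
! Remote Access Policy matching the mail-only Windows group -> Edit Profile
! -> Advanced -> Add -> Vendor-Specific: vendor code 9 (Cisco),
! "Yes. It conforms.", vendor-assigned attribute number 1 (cisco-av-pair),
! attribute format String. One value per ACE; the PIX evaluates them in
! "#" order and drops anything that matches no ACE (implicit deny):
!   ip:inacl#1=permit tcp any host 10.1.1.20 eq 443
!   ip:inacl#2=deny ip any any
! The IT-staff policy sends no ip:inacl attributes (or sends
! ip:inacl#1=permit ip any any), so it keeps full access exactly as today.
```

Two things to check before rolling this out. First, log in with a test mail-only account and confirm the ACL actually arrived: `debug radius` on the PIX shows the attributes in the Access-Accept, `show uauth` (6.3) or `show vpn-sessiondb remote` (7.x) shows the session, and OWA should work while an RDP attempt to an inside PC is dropped. On 7.x the downloaded per-user ACL is enforced as that session's vpn-filter, and Cisco's vpn-filter examples are written with the inside host first, so if the test user's OWA session is dropped, try the ACE with the addresses reversed before blaming IAS. Second, "email only" is only one port if the users go through OWA (or RPC over HTTPS with Exchange 2003 and Outlook 2003); full Outlook over MAPI/RPC needs TCP 135 plus dynamic high ports unless Exchange is pinned to static ports, which makes the ACL too wide to be worth much. That is why Keith's OWA question comes first.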

Let's see, the users would probably need to access their mail through Outlook (OST) and probably access their machines, right?

In that case, as long as the users don't belong to any administrators group there shouldn't be any problem. The user will be able to connect via VPN -> authenticate via RADIUS to the AD and be given the proper permissions. Just add the user to the Remote Desktop Users group on their individual PCs, which you can probably do via a script or so.

I don't see any other problem, because if they want to get onto a PC, then it is going to be only through Remote Desktop. If you can also make sure that they use *compliant* machines to connect (usually company-provided laptops with all the antivirus and stuff), then there is no problem at all.

If it is only for E-Mail, I would consider Keith's suggestion of enabling Outlook Web Access (assuming you have Exchange Servers for mail). It is very simple to implement though.
