VPN restrict access to certain IP address


We have a Microsoft PPTP VPN using RAS in a Windows 2003 Server Active Directory environment.  My question is this:

We would like to restrict access to certain IP addresses by user/group using GPO. I assume this can be done, but we are struggling to find where this setting is kept within the Group Policy.

We have set up a user that belongs to a group within a specific OU so we can apply a GP to that particular OU.

Thanks in advance for any help offered.



Hi wayfarer1210,

Group Policy will not allow you to block access to an IP address. I think you will need to outline what you are trying to achieve a little more :)

wayfarer1210Author Commented:

We do not want to block access to IP addresses; we would like to allow access to certain IP addresses only, which in turn blocks access to any other IP address on our network. OK, this is the situation in full:

We have a support company who will be supporting two servers remotely, when they log in via VPN we would like to restrict their access to only the two IP addresses of those servers.

Hopefully that will give you a better idea as to what we are trying to achieve?


Hmm, I think you will need to be looking at products such as ISA to implement this level of security, as GP won't offer you this.

Actually, you should be able to restrict users and IP addresses in the Routing and Remote Access section of the server. Go to Administrative Tools and then RRAS (Routing and Remote Access). Next, go to the Remote Access Policies and find the policies that match the conditions your support company will be logging in as. Right-click and go to Properties. You should see a button that says "Edit Profile" or something similar. Click that and go to the IP tab. You should be able to set up filters that way.

Be careful when fooling around with RRAS security policies.  They are, IMHO, by far more complicated than GPO and NTFS permissions put together.  

We did this recently on a Nortel VPN by enabling split tunneling.  Then we defined the "networks" which were allowed in the tunnel to the IP address in question with a host mask.  For instance: would be a "network" (host) allowed into the tunnel.

Works great as long as the same IP doesn't exist on the other side of the VPN.
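
The allow-only behaviour discussed in the RRAS profile filter and split-tunnel answers above, modelled as an added example that is not part of the original thread and is not RRAS or Nortel code. The addresses are constructed documentation-range values, and the default-deny evaluation is an assumption about how the filter list is meant to behave; all function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation range), not taken from the thread:
# the two supported servers, each entered with a host mask.
ALLOWED = [("192.0.2.10", "255.255.255.255"),
           ("192.0.2.11", "255.255.255.255")]


def build_filters(entries):
    """Turn (address, mask) pairs into networks. strict=True raises ValueError
    when the address has host bits set outside the mask (a mistyped entry)."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            for addr, mask in entries]


def is_permitted(dst, filters):
    """Assumed default deny: a destination passes only if a filter lists it."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in filters)


def too_broad(filters):
    """Entries wider than a single host admit more than the named servers."""
    return [net for net in filters if net.num_addresses > 1]


def client_side_collisions(filters, client_local_nets):
    """Allowed entries that overlap a network on the remote user's own side.
    This is the caveat from the split-tunnel answer: the same IP existing on
    the other side of the VPN makes the destination ambiguous."""
    local = [ipaddress.ip_network(n) for n in client_local_nets]
    return [(f, l) for f in filters for l in local if f.overlaps(l)]


if __name__ == "__main__":
    filters = build_filters(ALLOWED)
    for dst in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(dst, "permit" if is_permitted(dst, filters) else "deny")
    print("collisions:", client_side_collisions(filters, ["192.0.2.0/24"]))
```

Running the same checks against the filter list before it is entered on the VPN server catches a mask that is wider than intended and an address plan that collides with the support company's own LAN.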
wayfarer1210Author Commented:
Thanks for all the help, guys.
Glad I could help.  Hope everything works out.