Restrict login to terminal services by user by IP address range

All my users at the office use terminal services to do their work on one of our servers. As the system is installed, some of my users need to access the system from remote locations outside the firewall. I have set up everything so that they can have access.
My problem is the following: I want to restrict a few users from logging in to their terminal service session if they are outside the firewall without using a VPN. Because, right now, if somebody knows the server address (and they all know it), they can log in to their session.
Is there a type of user policy I can use that would allow a user to log in to the terminal services if the machine he uses to connect is within a private IP address range?

A simple logon script that does a logoff based on IP address or IP address range can solve the problem for you...

Hope this helps!
vortex350 (Author) Commented:
Could you give me an example?
Toni Uranjek (Consultant/Trainer) Commented:
Hi vortex350,

Try this utility:
You will have to register to download but it's freeware.



A simple way to do this is to go to the properties of your computer, go to the Remote tab, and in the Remote Desktop portion go to Select Users, and you can choose a computer name. This way you will restrict the access, but the computer name which will resolve to an IP.
Rob Williams Commented:
>>" i want to restrict a few users from login in to their terminal service session if they are outside the firewall without using a VPN"
Not sure I understand the question. Users can only connect to your terminal server without using the VPN if you have port 3389 forwarded to the terminal server. Remove the forwarding and only VPN users can connect. They will be using the LAN IP, not the public IP. It's much more secure to use a VPN for all users.
Perhaps I have misunderstood.

If you also want to restrict VPN users, you can do so with policies in your VPN configuration, assuming they are connecting from a site with a static IP; however, that is probably not the case.

Should you want a logon script that monitors your user connections, and the IPs from which they connect, please advise. That might help with your problem, at least to be able to "slap some hands".
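
A sketch of the logon script suggested in this thread, added here as an example and not code posted by any participant: it reads the RDP client address of the current session through the `WTSQuerySessionInformation` API and logs the session off when a restricted account connects from outside the allowed ranges. The account names, the `CONTOSO` domain, the subnets and the helper function names are hypothetical.

```powershell
# Added example. Account names and subnets below are hypothetical placeholders.
$RestrictedUsers = @('CONTOSO\jsmith', 'CONTOSO\mbrown')   # must be on LAN or VPN
$AllowedRanges   = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

Add-Type -Namespace Wts -Name Native -MemberDefinition @'
[DllImport("wtsapi32.dll", SetLastError = true)]
public static extern bool WTSQuerySessionInformation(
    IntPtr hServer, int sessionId, int infoClass, out IntPtr buffer, out int bytes);
[DllImport("wtsapi32.dll")]
public static extern void WTSFreeMemory(IntPtr memory);
'@

function Get-RdpClientIPv4 {
    # Query WTSClientAddress (info class 14) for the current session (-1)
    # on the local server (null handle).
    $buf = [IntPtr]::Zero; $len = 0
    if (-not [Wts.Native]::WTSQuerySessionInformation(
            [IntPtr]::Zero, -1, 14, [ref]$buf, [ref]$len)) { return $null }
    try {
        # WTS_CLIENT_ADDRESS = DWORD AddressFamily + BYTE Address[20]. For
        # AF_INET (2) the octets are Address[2..5], i.e. struct offsets 6..9.
        if ([Runtime.InteropServices.Marshal]::ReadInt32($buf) -ne 2) { return $null }
        $octets = 6..9 | ForEach-Object {
            [Runtime.InteropServices.Marshal]::ReadByte($buf, $_) }
        return ($octets -join '.')
    } finally { [Wts.Native]::WTSFreeMemory($buf) }
}

function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    # Convert dotted-quad to a number, then compare CIDR block indexes.
    $toNumber = { param($a)
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3] }
    $network, $prefix = $Cidr.Split('/')
    $block = [math]::Pow(2, 32 - [int]$prefix)   # addresses per CIDR block
    [math]::Floor((& $toNumber $Ip) / $block) -eq
        [math]::Floor((& $toNumber $network) / $block)
}

$user = "$env:USERDOMAIN\$env:USERNAME"
if ($RestrictedUsers -contains $user) {
    $ip = Get-RdpClientIPv4
    $inRange = $ip -and ($AllowedRanges | Where-Object { Test-IPv4InCidr $ip $_ })
    if (-not $inRange) {
        # Fail closed: an unknown or out-of-range address ends the session.
        logoff.exe
    }
}
```

`WTSClientAddress` is the address the RDP client reports about itself, not the address the server saw, so a client behind its own NAT can report a private address. Treat the script as a secondary check and keep removal of the port 3389 forward, as described above, as the enforcement point.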