restrict RRAS access by hostname?

Posted on 2009-12-29
Last Modified: 2012-05-08
We have a 2003r2 server set up with RRAS and I was wondering if we can restrict a user from logging into that from more than just his/her work laptop?  I figured the hostname would be the most simple way to screen by, but didn't have a lot of luck in finding a way to do it.  Maybe that isn't the best way to do it?  If someone has a way to "force" a user to only use his/her work issued laptop (hostname, mac address, etc...) I would love to find out how.  I am anxious to throttle some users from attaching with their home machines.
Question by:RTCA
    LVL 77

    Expert Comment

    by:Rob Williams
    Unfortunately that is one of the weaknesses of the Windows VPN. Anyone with access rights can install the client on any machine they want. This can be very risky as a VPN is a wide open tunnel between the corporate network and some other remote unknown network.

    You can restrict by user name and group membership, but not by host name or MAC address.

    In case you are thinking of IP restrictions: It is possible to assign static IPs and restrict by IP, but the IP is assigned to a user not a machine. Therefore the user is assigned the same IP regardless of the machine on which they install the client, ruling this option out as well.

    For better control you need to use a VPN router such as a Cisco where you have more control over distribution of the VPN client.

    Author Comment

    Rob, thanks for the info.  I have the group memberships in place allowing only certain users to come in, etc...but was hoping that RRAS was robust enough that you could restrict, for example, the user <henry> from establishing a VPN tunnel from his home computer, as opposed to using his work.  

    I know it's a separate piece, but when you look at the users accessing a remote desktop, it will list those usernames and the hostname they are accessing it from and was hoping the same might be true with RRAS.

    Eh, such is life with Microsoft apparently, but I would have thought this question would have been asked before and maybe they would have had a solution for it.  We will look at migrating this application to the 515e then.  Thanks for the reply.
    LVL 77

    Accepted Solution

    >>"I would have thought this question would have been asked before "
    It has, frequently, and sorry to say there is no solution. It is a very logical request, but alas......
    LVL 77

    Expert Comment

    by:Rob Williams
    >>"I need your help.........."
    Though I am likely partial, I believe ID:26143206 clearly answered the question in detail, including other issues and options. Even though the answer is "you can't do that", EE guidelines state that "you can't do that" is often the correct answer.
    Thanks TheLearnedOne.
