RRAS policy for outside vendors. How to limit access to specific servers?

I need to allow VPN access to a couple of outside vendors to gain access to two of my servers.  I have RRAS set up, and an AD security group that users must be a member of before RRAS will allow them in.  Is there a way to create a RRAS policy that will limit which servers inside my network a user or user group can RDC into once they have established the VPN connection?  I would prefer that they can only RDC to the server(s) I select and not to my entire network.  I do not have a DMZ, or a public website.
Lynn Huff (IT Director) asked:
mcsween (Sr. Network Administrator) commented:
You will have to create another VPN policy in the Routing and Remote Access console under Remote Access Policies.

Set it up exactly like your current one, but as a condition add "Windows-Groups" and add a group that has these restricted users in it.

Click Edit Profile, click the IP tab, click Input Filters, click New, define the subnet or IP (if just one IP, use 255.255.255.255 as your mask) for the systems you want to allow access to and select the protocol, click OK, change the radio button to "Permit only the packets listed below", and add more if you wish.

Make sure this policy is #1. The way it works is that when a user connects, the RRAS server will test against policies in order until one matches. Usually the last policy is a deny-all policy.
merowinger commented:
Also, you can define Group Policies which deny the user access to specific servers.
Lynn Huff (IT Director, author) commented:
Merowinger,

Thanks for the reply. I won't have time to test your solution today. Hopefully tomorrow. I'm trying to get the Input Filters vs. Output Filters straight in my mind. When I checked RRAS, it appears that INPUT is the destination and OUTPUT is the source. Obviously IP traffic will flow both ways, so how do you keep straight which filter to use?

Good idea about using a GPO, by the way. I'll have to look into that also.

merowinger commented:
This was posted from mcsween ;)
Lynn Huff (IT Director, author) commented:
McSween:

Thanks for the reply. I won't have time to test your solution today. Hopefully tomorrow. I'm trying to get the Input Filters vs. Output Filters straight in my mind. When I checked RRAS, it appears that INPUT is the destination and OUTPUT is the source. Obviously IP traffic will flow both ways, so how do you keep straight which filter to use?

Good idea about using a GPO, by the way. I'll have to look into that also.

mcsween (Sr. Network Administrator) commented:
Input filters define which resources on the network clients are allowed to access.
Output filters define which clients/IPs/networks are allowed to connect.

You might define an output filter if you want someone to be able to VPN from a remote office but you don't want them connecting from home. In this scenario you would define allow access from the remote office IP and block all others.

Lynn Huff (IT Director, author) commented:
Thank you very, very much. I was able to test your solution this morning and it works exactly as I had hoped. One note: I did have to allow the IP address of my DNS servers in order to get DNS to work over the VPN. But I then selected the remote users of the DNS servers so that my vendors cannot RDC into them.
mcsween (Sr. Network Administrator) commented:
You can define a protocol/port for each IP that is allowed.  DNS uses UDP 53 and sometimes TCP 53.  Leave the source port empty and enter 53 as the destination port.
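The two points mcsween makes above (the restrictive policy must be evaluated first, and the profile's input filters with "Permit only the packets listed below" decide which destination, protocol and destination port a connected client may reach, including the DNS allowance on UDP/TCP 53) can be checked against a small model. The following is an added example written for this page, not RRAS code or anything from the thread's participants; it reproduces the policy-ordering and filter-matching semantics described above so that the effect of a mis-ordered policy can be seen. All group names, addresses and policy names are constructed.

```python
"""Model of RRAS remote access policy selection and profile IP input filters.

Modelled semantics (from the thread above):
  * policies are tested in order; the first whose conditions match decides
    grant or deny, so a restrictive vendor policy must sit above broad ones;
  * a profile with "Permit only the packets listed below" input filters lets
    through only traffic whose destination address, protocol and destination
    port match one filter row; everything else is dropped;
  * a policy with no input filters leaves the client unfiltered.
Group names, addresses and policy names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    dst: str            # destination address inside the private network
    protocol: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class InputFilter:
    """One row of the profile's input filter list (destination side)."""
    network: str                      # "10.0.0.21/32" == mask 255.255.255.255
    protocol: Optional[str] = None    # None = any protocol
    dst_port: Optional[int] = None    # None = any destination port (source port left empty)

    def matches(self, pkt: Packet) -> bool:
        if IPv4Address(pkt.dst) not in IPv4Network(self.network):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


@dataclass(frozen=True)
class RemoteAccessPolicy:
    name: str
    windows_groups: frozenset                 # "Windows-Groups" condition; empty = everyone
    grant: bool
    permit_only: Optional[Sequence[InputFilter]] = None   # None = no filtering at all

    def condition_matches(self, user_groups) -> bool:
        return not self.windows_groups or bool(self.windows_groups & set(user_groups))

    def permits(self, pkt: Packet) -> bool:
        if self.permit_only is None:
            return True
        return any(f.matches(pkt) for f in self.permit_only)


def select_policy(policies, user_groups) -> Optional[RemoteAccessPolicy]:
    """First policy whose conditions match wins, exactly as RRAS evaluates them."""
    for policy in policies:
        if policy.condition_matches(user_groups):
            return policy
    return None


def evaluate(policies, user_groups, pkt: Packet) -> str:
    """'no-connection' if the VPN session is refused, else 'permit' or 'drop' for pkt."""
    policy = select_policy(policies, user_groups)
    if policy is None or not policy.grant:
        return "no-connection"
    return "permit" if policy.permits(pkt) else "drop"


# Constructed sample: two vendor-facing servers reachable over RDP only, plus
# the DNS server on port 53 (UDP, with TCP as a fallback) so name resolution works.
RDP, DNS = 3389, 53
VENDOR_FILTERS = (
    InputFilter("10.0.0.21/32", "tcp", RDP),
    InputFilter("10.0.0.22/32", "tcp", RDP),
    InputFilter("10.0.0.5/32", "udp", DNS),
    InputFilter("10.0.0.5/32", "tcp", DNS),
)
CORRECT_ORDER = (
    RemoteAccessPolicy("Vendor VPN", frozenset({"VPN-Vendors"}), True, VENDOR_FILTERS),
    RemoteAccessPolicy("Staff VPN", frozenset({"VPN-Users"}), True),
    RemoteAccessPolicy("Deny all", frozenset(), False),
)
# The same three policies with the vendor policy no longer at #1.
WRONG_ORDER = (CORRECT_ORDER[1], CORRECT_ORDER[0], CORRECT_ORDER[2])

if __name__ == "__main__":
    vendor = {"VPN-Vendors", "VPN-Users"}    # vendor account also in the broad group
    probes = (Packet("10.0.0.21", "tcp", RDP), Packet("10.0.0.5", "tcp", RDP),
              Packet("10.0.0.5", "udp", DNS), Packet("10.0.0.30", "tcp", RDP))
    for label, order in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for pkt in probes:
            print(f"{label}: {pkt.protocol}/{pkt.dst_port} to {pkt.dst} -> {evaluate(order, vendor, pkt)}")
```

The model makes the ordering caveat concrete: with the vendor policy at #1 a vendor account can reach only the four filter rows (RDP to the two servers, DNS to the resolver), and RDP to the DNS server itself is dropped; once the broader "Staff VPN" policy sits above it, a vendor who is also in that group matches the unfiltered policy first and the restriction silently disappears.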