• Status: Solved
  • Priority: Medium
  • Security: Public

RRAS policy for outside vendors. How to limit access to specific servers?

I need to allow VPN access to a couple of outside vendors to gain access to two of my servers.  I have RRAS set up, and an AD security group that users must be a member of before RRAS will allow them in.  Is there a way to create a RRAS policy that will limit which servers inside my network a user or user group can RDC into once they have established the VPN connection?  I would prefer that they can only RDC to the server(s) I select and not to my entire network.  I do not have a DMZ, or a public website.
Asked by Lynn Huff
1 Solution
 
mcsween (Sr. Network Administrator) commented:
You will have to create another VPN policy in the Routing and Remote Access Console under Remote access Policies.

Set it up exactly like your current one but as a condition add "Windows-Groups" and add a group that has these restricted users in it.

Click Edit Profile, click the IP tab, click Input Filters, click New, define the subnet or IP (if it is just one IP, use 255.255.255.255 as the mask) for the systems you want to allow access to, select the protocol, and click OK. Then change the radio button to "Permit only the packets listed below" and add more filters if you wish.

Make sure this policy is #1. The way it works is that when a user connects, the RRAS server tests the policies in order until one matches. Usually the last policy is a deny-all policy.
 
merowinger commented:
Also, you can define Group Policies which deny the user access to specific servers.
 
Lynn Huff (IT Director, Author) commented:
Merowinger,

Thanks for the reply. I won't have time to test your solution today. Hopefully tomorrow. I'm trying to get the Input Filters vs. Output Filters straight in my mind. When I checked RRAS, it appears that INPUT is the destination and OUTPUT is the source. Obviously IP traffic will flow both ways, so how do you keep straight which filter to use?

Good idea about using a GPO by the way.  I'll have to look in to that also.
 
merowinger commented:
This was posted from mcsween ;)
 
Lynn Huff (IT Director, Author) commented:
McSween:

Thanks for the reply. I won't have time to test your solution today. Hopefully tomorrow. I'm trying to get the Input Filters vs. Output Filters straight in my mind. When I checked RRAS, it appears that INPUT is the destination and OUTPUT is the source. Obviously IP traffic will flow both ways, so how do you keep straight which filter to use?

Good idea about using a GPO by the way.  I'll have to look in to that also.
 
mcsween (Sr. Network Administrator) commented:
Input filters define which resources on the network clients are allowed to access.
Output filters define which clients/IPs/networks are allowed to connect.

You might define an output filter if you want someone to be able to VPN in from a remote office but you don't want them connecting from home. In this scenario you would define allow access from the remote office IP and block all others.
 
Lynn Huff (IT Director, Author) commented:
Thank you very, very much.  I was able to test your solution this morning and it works exactly as I had hoped.  One note, I did have to allow the IP address of my DNS servers in order to get DNS to work over the VPN.  But, I then selected the remote users of the DNS servers so that my vendors cannot RDC into them.
 
mcsween (Sr. Network Administrator) commented:
You can define a protocol/port for each IP that is allowed.  DNS uses UDP 53 and sometimes TCP 53.  Leave the source port empty and enter 53 as the destination port.
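The behaviour mcsween describes in the accepted answer (first-match policy ordering, a Windows-Groups condition, and input filters set to "Permit only the packets listed below") and the DNS follow-up (allow UDP/TCP 53 to the DNS server only, so the vendor still cannot RDP to it) can be checked on paper before touching the RRAS console. The following is an added example, not code from the original thread or from Microsoft: a small Python model of the policy evaluation. It models only input filters (traffic from the VPN client into the network), and every group name, IP address and server role in it is a constructed assumption for illustration.

```python
# Constructed model of RRAS remote access policy evaluation, as described in the
# thread above. Not code from the original page. Policies are tested in order;
# the first policy whose Windows-Groups condition matches decides the connection,
# and its input filters then decide which client-to-network packets are passed.
# Group names, IPs and server roles below are assumptions for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = "any"


def host(ip: str) -> IPv4Network:
    """A single host, i.e. the 255.255.255.255 mask the answer mentions."""
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Packet:
    dst: str        # destination IP inside the network
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class InputFilter:
    dest: IPv4Network
    proto: str                   # "tcp", "udp" or ANY
    dst_port: Optional[int]      # None = any port; the source port is left empty

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in self.dest
                and self.proto in (ANY, pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass
class Policy:
    name: str
    windows_groups: FrozenSet[str]       # condition; empty set = matches everyone
    grant: bool
    permit_only_listed: bool = False     # the radio button on the IP tab
    input_filters: List[InputFilter] = field(default_factory=list)

    def condition_matches(self, user_groups: FrozenSet[str]) -> bool:
        return not self.windows_groups or bool(self.windows_groups & user_groups)


def select_policy(policies: List[Policy], user_groups: FrozenSet[str]) -> Optional[Policy]:
    """RRAS walks the list in order and stops at the first matching condition."""
    for policy in policies:
        if policy.condition_matches(user_groups):
            return policy
    return None


def evaluate(policies: List[Policy], user_groups: FrozenSet[str],
             pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (name of the policy that matched, verdict: denied / drop / permit)."""
    policy = select_policy(policies, user_groups)
    if policy is None or not policy.grant:
        return (policy.name if policy else None, "denied")    # connection refused
    if policy.permit_only_listed and not any(f.matches(pkt) for f in policy.input_filters):
        return policy.name, "drop"                              # connected, but packet filtered
    return policy.name, "permit"


# Constructed network: two vendor-facing servers (.11, .12), a DNS server (.5)
# and a domain controller (.20) that vendors must never reach.
VENDOR_FILTERS = [
    InputFilter(host("10.0.0.11"), "tcp", 3389),   # RDP to server 1
    InputFilter(host("10.0.0.12"), "tcp", 3389),   # RDP to server 2
    InputFilter(host("10.0.0.5"), "udp", 53),      # DNS, needed for name resolution over the VPN
    InputFilter(host("10.0.0.5"), "tcp", 53),      # DNS over TCP for large responses
]
VENDOR_POLICY = Policy("Vendor VPN", frozenset({"VPN-Vendors"}), True, True, VENDOR_FILTERS)
STAFF_POLICY = Policy("Staff VPN", frozenset({"VPN-Users"}), True)
DENY_ALL = Policy("Deny all", frozenset(), False)

GOOD_ORDER = [VENDOR_POLICY, STAFF_POLICY, DENY_ALL]   # vendor policy is #1, as advised
BAD_ORDER = [STAFF_POLICY, VENDOR_POLICY, DENY_ALL]    # vendor policy placed second

VENDOR = frozenset({"VPN-Vendors", "VPN-Users"})  # a vendor who is also in the staff group
STAFF = frozenset({"VPN-Users"})

RDP_SERVER1 = Packet("10.0.0.11", "tcp", 3389)
RDP_DC = Packet("10.0.0.20", "tcp", 3389)
RDP_DNS = Packet("10.0.0.5", "tcp", 3389)
DNS_QUERY = Packet("10.0.0.5", "udp", 53)

if __name__ == "__main__":
    for label, order in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        for pkt in (RDP_SERVER1, RDP_DC, RDP_DNS, DNS_QUERY):
            print(label, pkt, evaluate(order, VENDOR, pkt))
```

With the vendor policy first, a vendor gets RDP to the two listed servers and DNS to the DNS server, while RDP to the domain controller and RDP to the DNS server are dropped even though the DNS server's IP appears in the filter list, because the filter is scoped to port 53. With the vendor policy second, a vendor who also sits in the general VPN group is matched by the unfiltered staff policy and reaches every server, which is the reason for the "make sure this policy is #1" advice.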