Solved

Can I restrict (windows 2003/8) PPTP VPN access based on computer name (and/or IP address)

Posted on 2011-02-14
5
1,374 Views
Last Modified: 2012-05-11
We are testing setting up a Windows 2008 box for incoming VPN connections.  I can make a successful connection from a remote machine and access network resources. I restrict by user and time of day.

Is it possible to restrict by computer name also, using PPTP?
How about the incoming client public IP address?

Our VPN server has a single NIC and running Network Policy Server (NPS) locally. Firewall is passing the tcp port.
Remote computers are mostly XP Pro.  Some Win7 may come in to play soon.

None of the remote machines are planned to be part of the domain. One of the two test machines is a domain workstation and the other is not.  Not sure if we plan to make them part of the domain or not as I have not been able to successfully execute log on scripts, which would be the major benefit for us.  (but that is another issue)

0
Comment
Question by:PlazaProp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 70

Accepted Solution

by:
Qlemo earned 250 total points
ID: 34892673
To the best of my knowledge you cannot restrict PPTP connections by computer name.
You can put a firewall restriction on clients' public IPs before they reach the PPTP server, of course.
0
 
LVL 1

Author Comment

by:PlazaProp
ID: 34893316
Qlemo,  Are you suggesting that some setting be modified on the firewall on the edge of our network or the firewall on the windows server box?  I don't see anything in windows that will allow restriction by IP.  

I am not sure if I can restrict the port by IP address on our firewall but I am investigating.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 34893757
TACACS and RADIUS servers can use Multiple means of authentication prior to getting an IP through the VPN. It' s probably your best bet. TACACS can use AD for authentication. So, you can split AAA on a TACACS server. However RADIUS servers hold Authentication, Authorization, and Access (AAA)  on the one server.

A second option is:
Also, MAC address filtering on the switches will prevent them from getting anywhere within the network, if the MAC address isn't enabled on the switches. But, that is VERY admin intensive unless you only have a few machines. So, on your router, a MAC address filter ACL through the VPN connection will limit only the machines with those MAC addresses through your VPN tunnel.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34894731
MAC address filtering will not work, as VPN connections do not maintain the original MAC addresses. MAC addresses are a feature of local networks only.

IP filtering can be done on several levels. One is the IP Filter list in the NICs TCP/IP properties. But I guess it is much easier to filter on the edge device (which forwards the VPN traffic).
0
 
LVL 1

Author Comment

by:PlazaProp
ID: 34896895
MAC address filtering would be nice for road warriors that could have changing IP addresses.  For our initial roll out the clients all have static IP so filtering by IP would work.  I have verified that I can do this on our firewall.  Thanks for the tip.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question