Solved

VPN connection restriction per user by IP address

Posted on 2011-03-24
10
742 Views
Last Modified: 2012-05-11
SBS 2003, I'm thinking this is possible but not sure exactly how to accomplish. I'd like to restrict a particular user's vpn connection so that they can only connect from a particular IP address or a couple of different IP addresses. If possible, how?
0
Comment
Question by:dpacheco
  • 5
  • 4
10 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 35210325
There is no native functionality in SBS that will allow this.  If you have 2003 Premium there may be a way to accomplish it in ISA, but you would need specialized assistance for ISA to do it.  A Firewall class router, not a comsumer grade one may allow this, but you would have to research it from the manufacturer.

Have to ask why, and what is the purpose of the VPN, where RWW is much more secure and a better experience overall.
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35210449
To be able to control more tightly a temporary remote user who uses a Mac. RWW doesn't work with Mac. Why do you say it's more secure - times out? Why a better experience? I prefer VPN then RDP because it's faster.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 35215394
I am afraid I don't recall the details as I have not done it since Server 2000, but if you set up RADIUS with RRAS there are additional connection policies that can be used which allow you to restrict access by groups (not users, but you can create a group for that user) from a specific IP. With Server 2008 you can use the Network Policy Service which is a little easier to configure.

RWW is more secure in that VPN's have 1 security hole which is a wide open tunnel between an unknown remote computer and the server. The corportae network can be hacked by remote computers through that tunnel, and/or viruses can be transfered via the VPN. With the PPTP SBS VPN there is also no verification you are actually connecting to th correct site, which the SSL certificate does with RWW.

VPN's are also not as fast. There additionalanl packet overhead with the VPN, though copying files may actually be faster, but remote desktop access is not.
However, if running a MAC in an SBS world I can see the VPN being a very reasonable solution.
0
ScreenConnect 6.0 Free Trial

At ScreenConnect, partner feedback doesn't fall on deaf ears. We collected partner suggestions off of their virtual wish list and transformed them into one game-changing release: ScreenConnect 6.0. Explore all of the extras and enhancements for yourself!

 
LVL 1

Author Comment

by:dpacheco
ID: 35216029
I understand the security concern regarding viruses, etc but my experience has always been that a VPN connection then rdp is faster than RWW. Haven't done this with sbs but you can issue certificates for a VPN connection rather than password authentication and disable local Internet access while connected to the VPN. Of course you can't usually create a vpn on a puclic computer and some hotels block these connections.  In any case unless I use something like gotomypc or vnc it will have to be VPN for this Mac.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35216437
Not suggesting a VPN is a terrible solution, just it has some downsides.
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35216610
I do usually use RWW for users because it's much easier to setup and easier for people to understand. For myself I use VPN because I can work on more than one system at a time.
In this particular case I don't think it's worth spending time trying to figure out how to configure Radius with RRAS, we can tighten some other things such as when they can login and which workstations.
Thanks.

0
 
LVL 1

Author Closing Comment

by:dpacheco
ID: 35216637
I'm saying partially on the solution complete because part of my question was how to do it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35329086
dpacheco this question has been asked a few times so I decided to blog on the topic: "Restrict Windows VPN Client Access by Source IP", it may be of some help to you.
http://msmvps.com/blogs/robwill/archive/2011/04/05/restrict-windows-vpn-client-access-by-source-ip.aspx
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35354771
Thanks RobWill, this is good info. My particular situation was that I needed to setup a particular user account to only be able to make a vpn connection from a particular IP Address. I did not want to restrict all connections. Unless I'm reading it wrong this document restricts by IP address not by User AND IP?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35355805
You are correct. I am afraid that limitation would be beyond the capabilities of RRAS.
0

Featured Post

ScreenConnect 6.0 Free Trial

Check out the updates in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI that improves session organization and overall user experience. See the enhancements for yourself!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Written by Glen Knight (demazter) as part of a series of how-to articles. Introduction One of the biggest consumers of disk space with Small Business Server 2008(SBS) is Windows Server Update Services, more affectionately known as WSUS. For t…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question