Solved

VPN connection restriction per user by IP address

Posted on 2011-03-24
734 Views
Last Modified: 2012-05-11
SBS 2003, I'm thinking this is possible but not sure exactly how to accomplish. I'd like to restrict a particular user's vpn connection so that they can only connect from a particular IP address or a couple of different IP addresses. If possible, how?
Question by:dpacheco
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 35210325
There is no native functionality in SBS that will allow this. If you have 2003 Premium there may be a way to accomplish it in ISA, but you would need specialized assistance for ISA to do it. A firewall-class router, not a consumer-grade one, may allow this, but you would have to research it from the manufacturer.

Have to ask why, and what is the purpose of the VPN, where RWW is much more secure and a better experience overall.
LVL 1

Author Comment

by:dpacheco
ID: 35210449
To be able to control more tightly a temporary remote user who uses a Mac. RWW doesn't work with Mac. Why do you say it's more secure - times out? Why a better experience? I prefer VPN then RDP because it's faster.
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 35215394
I am afraid I don't recall the details as I have not done it since Server 2000, but if you set up RADIUS with RRAS there are additional connection policies that can be used which allow you to restrict access by groups (not users, but you can create a group for that user) from a specific IP. With Server 2008 you can use the Network Policy Service which is a little easier to configure.

RWW is more secure in that VPNs have one security hole, which is a wide-open tunnel between an unknown remote computer and the server. The corporate network can be hacked by remote computers through that tunnel, and/or viruses can be transferred via the VPN. With the PPTP SBS VPN there is also no verification that you are actually connecting to the correct site, which the SSL certificate does with RWW.

VPNs are also not as fast. There is additional packet overhead with the VPN, though copying files may actually be faster; remote desktop access is not.
However, if running a Mac in an SBS world I can see the VPN being a very reasonable solution.
LVL 1

Author Comment

by:dpacheco
ID: 35216029
I understand the security concern regarding viruses, etc., but my experience has always been that a VPN connection then RDP is faster than RWW. Haven't done this with SBS, but you can issue certificates for a VPN connection rather than password authentication and disable local Internet access while connected to the VPN. Of course you can't usually create a VPN on a public computer, and some hotels block these connections. In any case, unless I use something like GoToMyPC or VNC it will have to be VPN for this Mac.
LVL 77

Expert Comment

by:Rob Williams
ID: 35216437
Not suggesting a VPN is a terrible solution, just it has some downsides.
LVL 1

Author Comment

by:dpacheco
ID: 35216610
I do usually use RWW for users because it's much easier to setup and easier for people to understand. For myself I use VPN because I can work on more than one system at a time.
In this particular case I don't think it's worth spending time trying to figure out how to configure Radius with RRAS, we can tighten some other things such as when they can login and which workstations.
Thanks.

LVL 1

Author Closing Comment

by:dpacheco
ID: 35216637
I'm saying partially on the solution complete because part of my question was how to do it.
LVL 77

Expert Comment

by:Rob Williams
ID: 35329086
dpacheco, this question has been asked a few times so I decided to blog on the topic: "Restrict Windows VPN Client Access by Source IP". It may be of some help to you.
http://msmvps.com/blogs/robwill/archive/2011/04/05/restrict-windows-vpn-client-access-by-source-ip.aspx
LVL 1

Author Comment

by:dpacheco
ID: 35354771
Thanks RobWill, this is good info. My particular situation was that I needed to set up a particular user account to only be able to make a VPN connection from a particular IP address. I did not want to restrict all connections. Unless I'm reading it wrong, this document restricts by IP address, not by user AND IP?
LVL 77

Expert Comment

by:Rob Williams
ID: 35355805
You are correct. I am afraid that limitation would be beyond the capabilities of RRAS.
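Since the thread concludes that RRAS on its own cannot tie one account to one source address, a compensating control is to watch the RADIUS/IAS accounting log for that account and alert when an accepted connection arrives from outside its allowed addresses. The following is an added Python example, not code from this thread or from the blog post linked above; it assumes the IAS-format column positions noted in the comments (verify them against your own log) and uses constructed sample lines.

```python
import csv
import io
import ipaddress

# Assumed IAS-format column positions (0-based), following the documented
# IAS log layout; confirm against a real log before relying on them:
# 4 = Packet-Type (1 Access-Request, 2 Access-Accept, 3 Access-Reject),
# 5 = User-Name, 8 = Calling-Station-ID (the VPN client's public address).
COL_PACKET_TYPE, COL_USER, COL_CALLING_STATION = 4, 5, 8
ACCESS_ACCEPT = "2"

# Per-user allow-list of source addresses or prefixes (constructed values).
# Users not listed here are unrestricted, matching the thread's requirement.
ALLOWED_SOURCES = {
    "tempuser": ["203.0.113.10", "198.51.100.0/24"],
}


def normalize_user(raw):
    """Strip a DOMAIN\\ prefix or @realm suffix so 'DOMAIN\\bob' and 'bob' match."""
    user = raw.split("\\")[-1]
    return user.split("@")[0].lower()


def is_allowed(user, source):
    """Restricted users must come from a listed range; a Calling-Station-ID
    that is not an IP address (empty, or a dial-in number) counts as a violation."""
    ranges = ALLOWED_SOURCES.get(normalize_user(user))
    if ranges is None:
        return True
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def find_violations(log_text):
    """Return (user, source) for every accepted logon that breaks the allow-list."""
    violations = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= COL_CALLING_STATION or row[COL_PACKET_TYPE] != ACCESS_ACCEPT:
            continue  # short/malformed line, or not an Access-Accept
        user, source = row[COL_USER], row[COL_CALLING_STATION]
        if not is_allowed(user, source):
            violations.append((normalize_user(user), source))
    return violations


# Constructed sample in IAS format (not a real capture): two allowed logons,
# one accepted logon from an unexpected address, one reject, one unrestricted user.
SAMPLE_LOG = r'''"SBS01","RAS",03/24/2011,09:15:02,2,"DOMAIN\tempuser","DOMAIN\tempuser","192.0.2.1","203.0.113.10"
"SBS01","RAS",03/24/2011,10:02:40,2,"DOMAIN\tempuser","DOMAIN\tempuser","192.0.2.1","198.51.100.77"
"SBS01","RAS",03/24/2011,22:41:09,2,"DOMAIN\tempuser","DOMAIN\tempuser","192.0.2.1","192.0.2.200"
"SBS01","RAS",03/24/2011,22:43:15,3,"DOMAIN\tempuser","DOMAIN\tempuser","192.0.2.1","192.0.2.201"
"SBS01","RAS",03/24/2011,23:05:00,2,"DOMAIN\alice","DOMAIN\alice","192.0.2.1","192.0.2.5"
'''

if __name__ == "__main__":
    for user, source in find_violations(SAMPLE_LOG):
        print(f"ALERT: {user} accepted from unexpected source {source}")
```

Run it on a schedule against the live log, or feed the same logic to a SIEM; together with the logon-hours and workstation restrictions dpacheco mentions it gives a detective control where RRAS offers no preventive one.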