Solved

VPN connection restriction per user by IP address

Posted on 2011-03-24
Last Modified: 2012-05-11
SBS 2003, I'm thinking this is possible but not sure exactly how to accomplish. I'd like to restrict a particular user's vpn connection so that they can only connect from a particular IP address or a couple of different IP addresses. If possible, how?
Question by:dpacheco
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 35210325
There is no native functionality in SBS that will allow this. If you have 2003 Premium there may be a way to accomplish it in ISA, but you would need specialized assistance for ISA to do it. A firewall-class router, not a consumer-grade one, may allow this, but you would have to research it from the manufacturer.

Have to ask why, and what is the purpose of the VPN, where RWW is much more secure and a better experience overall.
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35210449
To be able to control more tightly a temporary remote user who uses a Mac. RWW doesn't work with Mac. Why do you say it's more secure - times out? Why a better experience? I prefer VPN then RDP because it's faster.
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 35215394
I am afraid I don't recall the details as I have not done it since Server 2000, but if you set up RADIUS with RRAS there are additional connection policies that can be used which allow you to restrict access by groups (not users, but you can create a group for that user) from a specific IP. With Server 2008 you can use the Network Policy Service which is a little easier to configure.

RWW is more secure in that VPNs have 1 security hole which is a wide open tunnel between an unknown remote computer and the server. The corporate network can be hacked by remote computers through that tunnel, and/or viruses can be transferred via the VPN. With the PPTP SBS VPN there is also no verification you are actually connecting to the correct site, which the SSL certificate does with RWW.

VPNs are also not as fast. There is additional packet overhead with the VPN, though copying files may actually be faster, but remote desktop access is not.
However, if running a Mac in an SBS world I can see the VPN being a very reasonable solution.
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35216029
I understand the security concern regarding viruses, etc., but my experience has always been that a VPN connection then RDP is faster than RWW. Haven't done this with SBS but you can issue certificates for a VPN connection rather than password authentication and disable local Internet access while connected to the VPN. Of course you can't usually create a VPN on a public computer and some hotels block these connections. In any case unless I use something like gotomypc or vnc it will have to be VPN for this Mac.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 35216437
Not suggesting a VPN is a terrible solution, just it has some downsides.
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35216610
I do usually use RWW for users because it's much easier to set up and easier for people to understand. For myself I use VPN because I can work on more than one system at a time.
In this particular case I don't think it's worth spending time trying to figure out how to configure Radius with RRAS, we can tighten some other things such as when they can log in and which workstations.
Thanks.

0
 
LVL 1

Author Closing Comment

by:dpacheco
ID: 35216637
I'm saying partially on the solution complete because part of my question was how to do it.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 35329086
dpacheco this question has been asked a few times so I decided to blog on the topic: "Restrict Windows VPN Client Access by Source IP", it may be of some help to you.
http://msmvps.com/blogs/robwill/archive/2011/04/05/restrict-windows-vpn-client-access-by-source-ip.aspx
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35354771
Thanks RobWill, this is good info. My particular situation was that I needed to set up a particular user account to only be able to make a VPN connection from a particular IP address. I did not want to restrict all connections. Unless I'm reading it wrong this document restricts by IP address not by User AND IP?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 35355805
You are correct. I am afraid that limitation would be beyond the capabilities of RRAS.
0
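
The thread ends on the gap that RRAS cannot tie a source-IP restriction to a single user. As an added example (not from any poster in the thread), this Python script audits VPN connection records against a per-user source allowlist, which is a detective check rather than enforcement. The account name, addresses and three-column log layout are constructed assumptions, not the RRAS log format.

```python
import csv
import io
import ipaddress

# Hypothetical policy: only listed users are restricted; others are unrestricted.
ALLOWED_SOURCES = {
    "tempmac": ["203.0.113.10", "198.51.100.0/29"],
}

# Constructed sample records (timestamp, user, client source IP); not real RRAS output.
SAMPLE_LOG = """\
2011-03-24T09:02:11,tempmac,203.0.113.10
2011-03-24T13:40:52,TempMac,198.51.100.5
2011-03-25T02:17:03,tempmac,192.0.2.77
2011-03-25T08:00:00,alice,192.0.2.77
2011-03-25T08:05:00,tempmac,not-an-ip
"""

def compile_policy(policy):
    """Turn address/CIDR strings into network objects, keyed by lowercase user."""
    return {user.lower(): [ipaddress.ip_network(s, strict=False) for s in sources]
            for user, sources in policy.items()}

def violations(log_text, policy):
    """Return (timestamp, user, source) for restricted users seen off-allowlist."""
    nets = compile_policy(policy)
    found = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed rows
        timestamp, user, source = (field.strip() for field in row)
        allowed = nets.get(user.lower())  # Windows account names are case-insensitive
        if allowed is None:
            continue  # this user has no source restriction
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            found.append((timestamp, user, source))  # unparseable source: flag it
            continue
        if not any(addr in net for net in allowed):
            found.append((timestamp, user, source))
    return found

if __name__ == "__main__":
    for hit in violations(SAMPLE_LOG, ALLOWED_SOURCES):
        print("off-allowlist VPN logon:", *hit)
```
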
