Solved

VPN connection restriction per user by IP address

Posted on 2011-03-24
724 Views
Last Modified: 2012-05-11
SBS 2003, I'm thinking this is possible but not sure exactly how to accomplish. I'd like to restrict a particular user's vpn connection so that they can only connect from a particular IP address or a couple of different IP addresses. If possible, how?
Question by:dpacheco
10 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 35210325
There is no native functionality in SBS that will allow this.  If you have 2003 Premium there may be a way to accomplish it in ISA, but you would need specialized assistance for ISA to do it.  A Firewall class router, not a consumer grade one, may allow this, but you would have to research it from the manufacturer.

Have to ask why, and what is the purpose of the VPN, where RWW is much more secure and a better experience overall.

Author Comment

by:dpacheco
ID: 35210449
To be able to control more tightly a temporary remote user who uses a Mac. RWW doesn't work with Mac. Why do you say it's more secure - times out? Why a better experience? I prefer VPN then RDP because it's faster.

Accepted Solution

by:Rob Williams (earned 500 total points)
ID: 35215394
I am afraid I don't recall the details as I have not done it since Server 2000, but if you set up RADIUS with RRAS there are additional connection policies that can be used which allow you to restrict access by groups (not users, but you can create a group for that user) from a specific IP. With Server 2008 you can use the Network Policy Service which is a little easier to configure.

RWW is more secure in that VPNs have 1 security hole which is a wide open tunnel between an unknown remote computer and the server. The corporate network can be hacked by remote computers through that tunnel, and/or viruses can be transferred via the VPN. With the PPTP SBS VPN there is also no verification you are actually connecting to the correct site, which the SSL certificate does with RWW.

VPNs are also not as fast. There is additional packet overhead with the VPN, though copying files may actually be faster, but remote desktop access is not.
However, if running a Mac in an SBS world I can see the VPN being a very reasonable solution.
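The accepted answer's approach (a RADIUS/NPS network policy keyed on a group that holds only the one user, plus the client's source IP, which RRAS passes to RADIUS as Calling-Station-Id) is modelled below as an added example; it is not NPS configuration or code from anyone in this thread. It assumes first-match policy processing and uses CIDR matching for the source-IP condition, and it shows why a deny policy for the restricted group has to sit before the general "all VPN users" grant.

```python
"""Model of first-match RADIUS/NPS network-policy evaluation (constructed
example, not NPS code). Conditions: Windows group membership and
Calling-Station-Id, which RRAS fills with the VPN client's source IP."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    grant: bool                                      # True = grant, False = deny
    groups: set = field(default_factory=set)         # empty = any group
    source_nets: list = field(default_factory=list)  # empty = any source IP

    def matches(self, user_groups, client_ip):
        if self.groups and not (self.groups & user_groups):
            return False
        if self.source_nets:
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in net for net in self.source_nets):
                return False
        return True


def evaluate(policies, user_groups, client_ip):
    """First policy whose conditions all match decides; no match = deny."""
    for p in policies:
        if p.matches(user_groups, client_ip):
            return p.grant, p.name
    return False, "<no matching policy>"


# Constructed directory data: the temporary user sits in a dedicated group
# so a policy can target that one account, as the accepted answer suggests.
GROUPS = {"tempuser": {"VPN-Restricted", "VPN-Users"}, "alice": {"VPN-Users"}}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.10/32"),
                ipaddress.ip_network("198.51.100.0/24")]

# Order matters: the deny for the restricted group must come before the
# general VPN-Users grant, or the restricted user falls through to it.
POLICIES = [
    Policy("Restricted user from approved IPs", True, {"VPN-Restricted"}, ALLOWED_NETS),
    Policy("Restricted user from anywhere else", False, {"VPN-Restricted"}),
    Policy("All VPN users", True, {"VPN-Users"}),
]


def decide(user, client_ip, policies=POLICIES):
    return evaluate(policies, GROUPS.get(user, set()), client_ip)
```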

Author Comment

by:dpacheco
ID: 35216029
I understand the security concern regarding viruses, etc but my experience has always been that a VPN connection then rdp is faster than RWW. Haven't done this with sbs but you can issue certificates for a VPN connection rather than password authentication and disable local Internet access while connected to the VPN. Of course you can't usually create a vpn on a public computer and some hotels block these connections.  In any case unless I use something like gotomypc or vnc it will have to be VPN for this Mac.

Expert Comment

by:Rob Williams
ID: 35216437
Not suggesting a VPN is a terrible solution, just it has some downsides.

Author Comment

by:dpacheco
ID: 35216610
I do usually use RWW for users because it's much easier to setup and easier for people to understand. For myself I use VPN because I can work on more than one system at a time.
In this particular case I don't think it's worth spending time trying to figure out how to configure RADIUS with RRAS, we can tighten some other things such as when they can login and which workstations.
Thanks.


Author Closing Comment

by:dpacheco
ID: 35216637
I'm saying partially on the solution complete because part of my question was how to do it.

Expert Comment

by:Rob Williams
ID: 35329086
dpacheco, this question has been asked a few times so I decided to blog on the topic: "Restrict Windows VPN Client Access by Source IP", it may be of some help to you.
http://msmvps.com/blogs/robwill/archive/2011/04/05/restrict-windows-vpn-client-access-by-source-ip.aspx

Author Comment

by:dpacheco
ID: 35354771
Thanks RobWill, this is good info. My particular situation was that I needed to set up a particular user account to only be able to make a vpn connection from a particular IP Address. I did not want to restrict all connections. Unless I'm reading it wrong this document restricts by IP address not by User AND IP?

Expert Comment

by:Rob Williams
ID: 35355805
You are correct. I am afraid that limitation would be beyond the capabilities of RRAS.