Solved

VPN connection restriction per user by IP address

Posted on 2011-03-24
Last Modified: 2012-05-11
SBS 2003. I'm thinking this is possible but not sure exactly how to accomplish it. I'd like to restrict a particular user's VPN connection so that they can only connect from a particular IP address or a couple of different IP addresses. If possible, how?
Question by:dpacheco
10 Comments
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 35210325
There is no native functionality in SBS that will allow this.  If you have 2003 Premium there may be a way to accomplish it in ISA, but you would need specialized assistance for ISA to do it.  A firewall-class router, not a consumer-grade one, may allow this, but you would have to research it from the manufacturer.

Have to ask why, and what is the purpose of the VPN, where RWW is much more secure and a better experience overall.
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35210449
To be able to control more tightly a temporary remote user who uses a Mac. RWW doesn't work with Mac. Why do you say it's more secure - times out? Why a better experience? I prefer VPN then RDP because it's faster.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 35215394
I am afraid I don't recall the details as I have not done it since Server 2000, but if you set up RADIUS with RRAS there are additional connection policies that can be used which allow you to restrict access by groups (not users, but you can create a group for that user) from a specific IP. With Server 2008 you can use the Network Policy Service which is a little easier to configure.

RWW is more secure in that VPNs have 1 security hole, which is a wide open tunnel between an unknown remote computer and the server. The corporate network can be hacked by remote computers through that tunnel, and/or viruses can be transferred via the VPN. With the PPTP SBS VPN there is also no verification you are actually connecting to the correct site, which the SSL certificate does with RWW.

VPNs are also not as fast. There is additional packet overhead with the VPN, though copying files may actually be faster, but remote desktop access is not.
However, if running a Mac in an SBS world I can see the VPN being a very reasonable solution.
0
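A simplified model of the ordered, first-match policy evaluation that the RADIUS approach in the accepted answer relies on, added here as an example and not taken from the thread or from any Microsoft code. It assumes the VPN server reports the client's public IP in the Calling-Station-Id attribute; the group names, policy names and addresses are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    group: str                     # group the caller must belong to
    caller_pattern: Optional[str]  # regex on Calling-Station-Id; None = any source
    grant: bool

# Constructed sample policies. Groups and RFC 5737 addresses are hypothetical.
POLICIES = [
    # Anchor with ^ and $: an unanchored "203.0.113.10" also matches 203.0.113.100.
    Policy("Restricted user from known IPs", "VPN-Restricted",
           r"^203\.0\.113\.(10|11)$", True),
    # Explicit deny; without it the request falls through to the general allow.
    Policy("Restricted user from elsewhere", "VPN-Restricted", None, False),
    Policy("Regular VPN users", "VPN-Users", None, True),
]

def evaluate(policies, groups, calling_station_id):
    """Return (granted, policy_name); the first policy whose conditions all match wins."""
    for p in policies:
        if p.group not in groups:
            continue
        if p.caller_pattern is not None and not re.search(p.caller_pattern,
                                                          calling_station_id):
            continue
        return p.grant, p.name
    return False, "no matching policy"  # nothing matched: reject the request

if __name__ == "__main__":
    restricted = {"VPN-Restricted", "VPN-Users"}
    for ip in ("203.0.113.10", "203.0.113.100", "198.51.100.7"):
        print(ip, evaluate(POLICIES, restricted, ip))
    # Same user with the deny policy removed: the general allow now applies.
    print(evaluate([POLICIES[0], POLICIES[2]], restricted, "198.51.100.7"))
```

The per-user effect comes from putting the single account in its own group, and the deny policy must sit above any broader allow policy the same account also matches.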
 
LVL 1

Author Comment

by:dpacheco
ID: 35216029
I understand the security concern regarding viruses, etc., but my experience has always been that a VPN connection then RDP is faster than RWW. Haven't done this with SBS but you can issue certificates for a VPN connection rather than password authentication and disable local Internet access while connected to the VPN. Of course you can't usually create a VPN on a public computer and some hotels block these connections.  In any case unless I use something like gotomypc or vnc it will have to be VPN for this Mac.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35216437
Not suggesting a VPN is a terrible solution, just it has some downsides.
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35216610
I do usually use RWW for users because it's much easier to set up and easier for people to understand. For myself I use VPN because I can work on more than one system at a time.
In this particular case I don't think it's worth spending time trying to figure out how to configure RADIUS with RRAS; we can tighten some other things such as when they can log in and which workstations.
Thanks.

0
 
LVL 1

Author Closing Comment

by:dpacheco
ID: 35216637
I'm saying partially on the solution complete because part of my question was how to do it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35329086
dpacheco this question has been asked a few times so I decided to blog on the topic: "Restrict Windows VPN Client Access by Source IP", it may be of some help to you.
http://msmvps.com/blogs/robwill/archive/2011/04/05/restrict-windows-vpn-client-access-by-source-ip.aspx
0
 
LVL 1

Author Comment

by:dpacheco
ID: 35354771
Thanks RobWill, this is good info. My particular situation was that I needed to set up a particular user account to only be able to make a VPN connection from a particular IP address. I did not want to restrict all connections. Unless I'm reading it wrong this document restricts by IP address not by User AND IP?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35355805
You are correct. I am afraid that limitation would be beyond the capabilities of RRAS.
0


Question has a verified solution.
