Dgreenbaum
asked on
Internal vs external vpn
We have a standard Windows 2003 VPN set up. The firewall does port forwarding for VPN connections from the Internet to a dedicated Win2003 RRAS. We have only allowed remote access to the domain on a case-by-case basis, enabling Dial In on users' domain accounts in AD. We are using PPTP to do this.
Now we have a situation where we want to allow numerous users to connect via VPN from inside by using the VPN server's private local IP address using wireless laptops (which are secured through the wireless system). In testing, this works well and allows us to have staff log on to a laptop with a generic logon and then gain Windows authentication when they do the VPN connection.
The issue is that we don't want to give staff Dial In rights from the Internet (and don't want to enable through each and every user account). So far my solution is to set up a separate VPN server for the internal use. Before doing that, I'm wondering if there is a way to set up a way for the one RRAS server to distinguish between the internal and external users even though they are coming in on the same private internal IP address?
ASKER
Thanks, Qlemo... I'm going to set up a second RRAS and work with Remote Access Policies to get the right people access to it.
ASKER
He saw through my dilemma and gave a clear answer.
Refer to these links:
http://technet.microsoft.com/en-us/library/cc738142(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc995159.aspx
http://stackoverflow.com/questions/892958/how-can-i-get-the-active-directory-dialin-permission-setting-from-ldap-using-vbsc