Dr_Snapid (Australia) asked:
Allow certain users to access RDP, only from certain IPs

I have a bunch of users sharing a terminal server in a business. Everyone needs access to the terminal server when they are on the premises, but only some should be allowed to access it remotely (from home, etc).

How do I lock it down so not all users can access the server from outside? I can't remove their remote access rights, they need that to access from their desks... and I can't firewall it off because some users DO need remote access.
John Gobert (United States) replied:

You can use your firewall rules to only allow RDP access in based on IP *but* you'd have to know the IPs of your allowed users and have a way to keep up with said IPs as they change (home users = DHCP internet connections).

Without using a separate RDP gateway for external access there's no good way to do what you're looking for on a single server.  You could run two terminal servers with one only being accessible from your LAN and the other being externally accessible with a restricted user access list.  

Another option would be to set up VPN access for the users that should have remote access so that only they can connect to the LAN from outside and then have RDP access.  It is pretty simple to set up routing and remote access services on Windows Server if you want to go the cheap and easy way.  Not sure about your firewall options but you may have solutions available to you there as well.

Does this make sense?
Dr_Snapid (asker) replied:
Yes it does make sense, thanks. Your explanation mirrors my own knowledge of the situation. I was hoping there was something I did not know.

I cannot block RDP based on IP because certain users WILL need remote access - even from the same IP as other users may be blocked from. (We have a manager and another staff member who live together; one must be allowed, the other blocked...)

Essentially what I need is a way to allow users to log in to the terminal server only from IP addresses that I have specifically allowed for THAT SPECIFIC USER: everyone allowed from the local subnet, but only certain users from the internet. I don't know how to do that, or if it's even possible.
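The policy the asker describes here (everyone from the office subnet, named accounts from named Internet addresses) and the IP-based firewall limitation John Gobert raises in his reply can be made concrete with a small policy check. The block below is an added example, not code from Experts Exchange or from either participant. Native RDP permissions (the Remote Desktop Users group) can say *who* may connect but not *from where*, so the example evaluates the per-user rule as an audit over Windows Security event 4624 logons of type 10 (RemoteInteractive). The account names, subnets, addresses and log lines are all constructed; the field names `TargetUserName`, `LogonType` and `IpAddress` mirror the 4624 event data names, but the one-line key=value record format is an assumption made for the example.

```python
"""Per-user RDP source-address policy, audited against 4624 logon events.

Added example for the thread above (not the page's or the participants' code).
Everything below (users, subnets, addresses, log lines) is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed policy: the office LAN is open to every account; the
# Internet allow-list is keyed by account and lists the only external
# source addresses that account may connect from.
LAN_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]
REMOTE_ALLOW = {
    "manager": {ipaddress.ip_address("203.0.113.45")},
    "oncall": {ipaddress.ip_address("198.51.100.7"),
               ipaddress.ip_address("203.0.113.45")},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(user: str, source: str) -> Decision:
    """Policy decision for one (account, source address) pair."""
    user = user.lower()
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        # Console and service logons log "-" or a hostname: not RDP over IP.
        return Decision(False, f"unparseable source {source!r}")
    # Windows sometimes records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return Decision(True, "local console")
    if any(ip in net for net in LAN_SUBNETS):
        return Decision(True, "office LAN")
    if ip in REMOTE_ALLOW.get(user, set()):
        return Decision(True, "on this account's Internet allow-list")
    # Covers the roommate case: same home address, but only one account listed.
    return Decision(False, "external source not allowed for this account")


def parse_event(line: str) -> dict:
    """Parse a constructed one-line 'Key=Value Key=Value' 4624 record."""
    return dict(tok.split("=", 1) for tok in line.split())


def audit_logons(lines):
    """Return (user, source, reason) for every RemoteInteractive logon the policy rejects."""
    violations = []
    for line in lines:
        f = parse_event(line)
        # Only successful logons (4624) of type 10 (RDP / RemoteInteractive) matter here.
        if f.get("EventID") != "4624" or f.get("LogonType") != "10":
            continue
        d = decide(f.get("TargetUserName", ""), f.get("IpAddress", "-"))
        if not d.allowed:
            violations.append((f["TargetUserName"], f["IpAddress"], d.reason))
    return violations


# Constructed sample: the manager and a colleague share one home address.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=manager IpAddress=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUserName=staff IpAddress=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUserName=staff IpAddress=192.168.10.22",
    "EventID=4624 LogonType=10 TargetUserName=oncall IpAddress=::ffff:198.51.100.7",
    "EventID=4624 LogonType=2 TargetUserName=staff IpAddress=-",
    "EventID=4624 LogonType=10 TargetUserName=oncall IpAddress=198.51.100.99",
]

if __name__ == "__main__":
    for user, src, why in audit_logons(SAMPLE_EVENTS):
        print(f"VIOLATION {user} from {src}: {why}")
```

The check reports rather than blocks: the address set itself still has to be enforced at the firewall or by the VPN John Gobert describes, and because home addresses change with DHCP the `REMOTE_ALLOW` table needs the same upkeep he warns about. The IPv4-mapped handling matters in practice, because a client logged as `::ffff:192.168.10.9` would otherwise fall outside an IPv4-only LAN subnet and be flagged as external.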
ASKER CERTIFIED SOLUTION by John Gobert (United States):

This solution is only available to members.