Allow certain users to access RDP, only from certain IPs

I have a bunch of users sharing a terminal server in a business. Everyone needs access to the terminal server when they are on the premises, but only some should be allowed to access it remotely (from home, etc).

How do I lock it down so not all users can access the server from outside? I can't remove their remote access rights, they need that to access from their desks... and I can't firewall it off because some users DO need remote access.
John Gobert (Enterprise Systems Consultant) commented:
You can use your firewall rules to only allow RDP access in based on IP *but* you'd have to know the IP's of your allowed users and have a way to keep up with said IP's as they change (home users = DHCP internet connections).

Without using a separate RDP gateway for external access there's no good way to do what you're looking for on a single server.  You could run two terminal servers with one only being accessible from your LAN and the other being externally accessible with a restricted user access list.  

Another option would be to set up VPN access for the users that should have remote access so that only they can connect to the LAN from outside and then have RDP access.  It is pretty simple to set up Routing and Remote Access Services on Windows Server if you want to go the cheap and easy way.  Not sure about your firewall options but you may have solutions available to you there as well.

Does this make sense?
Dr_Snapid (Author) commented:
Yes it does make sense, thanks. Your explanation mirrors my own knowledge of the situation. I was hoping there was something I did not know.

I cannot block RDP based on IP because certain users WILL need remote access - even from the same IP that other users may be blocked from. (We have a manager and another staff member who live together; one must be allowed, the other blocked...)

Essentially what I need is a way to allow users to log in to the terminal server only from IP addresses that I have specifically allowed for THAT SPECIFIC USER.... everyone allowed from the local subnet, but only certain users from the internet. I don't know how to do that, or if it's even possible.
John Gobert (Enterprise Systems Consultant) commented:
No it isn't possible.

The only way to accomplish this is by going alternate routes for external connectivity like those I mentioned.  Doing that gives you a way to maintain that separate user access list you need for external connectivity without causing problems for all users during the day (or vice versa).
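As an added example (not part of this thread or any of its posters' work): the per-user policy Dr_Snapid describes, written as an audit over RDP logon records rather than an enforcement point. Everyone is permitted from the office LAN; only listed accounts are also permitted from their own external addresses, so it catches the housemate case where two users share one source IP. The subnets, account names and Security-log lines are constructed placeholders.

```python
import ipaddress
from typing import List

# Constructed policy (placeholders, not the thread's real network):
# every account may log on from the office LAN, and only the accounts
# listed here may also log on from their specific external addresses.
LAN_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]
REMOTE_ALLOWED = {
    "manager": [ipaddress.ip_network("198.51.100.10/32")],
}

# Constructed sample of Security log 4624 (logon) events rendered as
# key=value lines; LogonType 10 is an interactive RDP logon.
SAMPLE_LOG = """\
EventID=4624 LogonType=10 TargetUserName=manager IpAddress=192.0.2.55
EventID=4624 LogonType=10 TargetUserName=manager IpAddress=198.51.100.10
EventID=4624 LogonType=10 TargetUserName=alice IpAddress=192.0.2.61
EventID=4624 LogonType=10 TargetUserName=alice IpAddress=198.51.100.10
EventID=4624 LogonType=10 TargetUserName=bob IpAddress=203.0.113.7
EventID=4624 LogonType=3 TargetUserName=bob IpAddress=203.0.113.7
"""

REQUIRED = {"EventID", "LogonType", "TargetUserName", "IpAddress"}

def parse_events(text: str) -> List[dict]:
    """Turn key=value lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if REQUIRED <= set(fields):
            events.append(fields)
    return events

def is_permitted(user: str, src: str) -> bool:
    """True if src is on the LAN or in this user's own remote allow-list."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # e.g. "-" for console logons with no address
        return False
    nets = LAN_SUBNETS + REMOTE_ALLOWED.get(user, [])
    return any(addr in net for net in nets)

def audit(text: str) -> List[tuple]:
    """Return (user, source) pairs for RDP logons that break the policy."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in parse_events(text)
        if e["EventID"] == "4624" and e["LogonType"] == "10"
        and not is_permitted(e["TargetUserName"], e["IpAddress"])
    ]

if __name__ == "__main__":
    for user, src in audit(SAMPLE_LOG):
        print(f"policy violation: {user} connected via RDP from {src}")
```

Run against a real export, this only reports after the fact; as John Gobert notes, enforcing the split at logon time still needs a separate path such as a gateway or VPN for the remote users.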
