Windows PPTP VPN restrictive access per user

Situation: Client needing a PPTP VPN solution that will allow for different groups of users to access different subnets. Ex: Group1 can only access, group2 can only access, etc. Using a VPN Client (cisco vpn client) on end users computers is not an option because they may have other VPN clients on their computers as they work for multiple organizations. SSL VPN would be great, but too pricey since there are hundreds of remote users.
I've looked at a Windows VPN server since we're wanting the end users to use built-in VPN capabilities within the OS. Is there a way to assign different users access to different subnets? Or even assign different users different DHCP scopes? If I can get group1 to use DHCP scope1 and group2 to use DHCP scope2, then I can control subnet access on the backend via access-lists.

1 Solution
I have never tried it, but there is an option in Active Directory to assign a Static IP under the Remote Access Permissions. This article has details under "Assign a Static IP Address": http://technet.microsoft.com/en-us/library/ff687875(WS.10).aspx I'm not sure using a Windows server is going to give you the control you are looking for easily.

The other option is to use a firewall that allows you to control access by user group. For example, I have locations with a WatchGuard XTM firewall. The firewall has user groups that all allow for PPTP VPN to the firewall. The firewall also has LAN access rules based on those user groups. So all groups are allowed to authenticate to the firewall, but then the network access is granted by group to the various subnets. The licensing for PPTP users is much less than SSL. Check out WatchGuard XTM units or a similar firewall that can control network access by group.

Rob Williams commented:
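As an added example (not code from this thread), a PowerShell script that automates the static dial-in address idea above: every member of an AD group gets a fixed VPN address from that group's pool, so backend access lists keyed on source subnet can enforce the per-group reachability the asker wants. It assumes the RSAT ActiveDirectory module, the group names and pools shown, and that RRAS honours the user's dial-in static address stored in the msRADIUSFramedIPAddress attribute (an assumption about how the "Assign a Static IP Address" setting is stored; verify on a test account first).

```powershell
# Added example, not from the original thread.
# Assumptions: RSAT ActiveDirectory module; RRAS/NPS applies the user's
# dial-in static address (msRADIUSFramedIPAddress, stored as a signed
# 32-bit integer with the first octet most significant).
Import-Module ActiveDirectory

# Group -> address pool mapping (constructed values; adjust to your plan).
# Backend ACLs then permit 10.10.1.0/24 -> subnet A, 10.10.2.0/24 -> subnet B.
$Pools = @{
    'VPN-Group1' = @{ Network = '10.10.1.0'; First = 10; Last = 250 }
    'VPN-Group2' = @{ Network = '10.10.2.0'; First = 10; Last = 250 }
}

function ConvertTo-FramedIPInteger {
    # Dotted quad -> the integer form AD uses for msRADIUSFramedIPAddress.
    param([Parameter(Mandatory)][string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return [BitConverter]::ToInt32($bytes, 0)   # 10.0.0.1 -> 167772161
}

function Set-GroupStaticVpnAddresses {
    param([Parameter(Mandatory)][string]$GroupName,
          [Parameter(Mandatory)][hashtable]$Pool,
          [switch]$WhatIf)
    $prefix  = ($Pool.Network -split '\.')[0..2] -join '.'
    $members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
                 Where-Object objectClass -eq 'user' |
                 Sort-Object SamAccountName)
    $poolSize = $Pool.Last - $Pool.First + 1
    if ($members.Count -gt $poolSize) {
        throw "$GroupName has $($members.Count) users but pool holds $poolSize"
    }
    $hostOctet = $Pool.First
    foreach ($m in $members) {
        $ip = "$prefix.$hostOctet"
        # A user in two groups keeps whichever group is processed last;
        # keep VPN groups disjoint or the ACL assumption breaks.
        Set-ADUser -Identity $m.SamAccountName -Replace @{
            msNPAllowDialin         = $true
            msRADIUSFramedIPAddress = (ConvertTo-FramedIPInteger $ip)
        } -WhatIf:$WhatIf
        Write-Output ('{0,-20} -> {1}' -f $m.SamAccountName, $ip)
        $hostOctet++
    }
}

# Dry run first; drop -WhatIf to apply.
foreach ($g in $Pools.Keys) { Set-GroupStaticVpnAddresses -GroupName $g -Pool $Pools[$g] -WhatIf }
```

The pools must not overlap the RRAS dynamic address pool, otherwise a user whose static address is not honoured could land in another group's range.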
RRAS can filter based on the IP from which a user is connecting, but it is "not pretty" and time consuming, assuming you knew all the connecting IPs. These restrictions are usually controlled using NTFS permissions, or limiting to which servers a user can connect under the "log on to" tab in the user's profile. This specifies which computers and/or servers a user can access. Similar restrictions can be applied using group policy. Alternatively, as suggested, you can use a VPN appliance with more control.