Restrict Some Remote Desktop Users to only access from inside the office

Hi,

I have a Windows 2012 R2 Hyper-V server with 3 VMs. One of the VMs is set up for Remote Desktop Services and we have about 13 users who connect into this server to work. Most of them connect to it from within the office. Some of the users connect from outside of the office. The managers asked me if there's a way that I can restrict remote access for some of the users. They would be able to work at their computer within the office, but if they go home and feel like they want to remote into their session, they would be restricted from logging into their session when they're out of the office. What's the best and simplest way to accomplish this? Thanks in advance for your help!
Asked by: Matt Kendall, Tech / Business owner operator

Ron Malmstead, Information Services Manager, commented:
The best way in my opinion would be to remove all public IP access, and instead use a hardware or software VPN. Users without the VPN would not be able to access the remote desktop servers.

Mahesh, Architect, commented:
What you are trying to achieve is not possible with out-of-the-box functionality.
It is better to use a VPN, as suggested above, which will allow RDP only for those users who can connect through the VPN; on the VPN you set who can connect through it and who cannot.

Cliff Galiher commented:
Hopefully you are not allowing users direct access from outside the office. Maybe they are using a VPN as already suggested. But at the very least they should be using RD Gateway, which is a core RDS role. RD Gateway has policies to control access, so modifying the RAP/CAP policy should accomplish your goal.

Shaun Vermaak, Technical Specialist, commented:
On top of everything mentioned here, you can also use the Windows firewall to block RDP etc. based on dynamic rules
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
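
An added example, not part of the thread or of the linked article: scoping the session host's built-in Remote Desktop firewall rules to the office LAN and the VPN address pool, so that RDP is reachable from outside only by users who have been granted VPN access, then listing recent RDP logons with their source address to confirm it. The two subnets are hypothetical placeholders, and the `Remote Desktop` display group name assumes an English-language Windows install.

```powershell
# Added example. Run from the VM console or from inside an allowed subnet,
# otherwise the change can cut off the RDP session you are working in.

# Hypothetical placeholders: office LAN and VPN client address pool.
$AllowedSubnets = @('192.168.10.0/24', '10.8.0.0/24')

# Restrict the built-in inbound Remote Desktop rules to those sources.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $AllowedSubnets

# Show the scope now in effect for each rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object Direction -eq 'Inbound' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = $filter.RemoteAddress -join ', '
        }
    }

# Audit: recent RemoteInteractive (RDP) logons, event 4624 with LogonType 10,
# with the account and source address, for review against $AllowedSubnets.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Read EventData fields by name rather than by position.
        foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                User   = $data['TargetUserName']
                Source = $data['IpAddress']
            }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Reading the Security log requires an elevated session, and the perimeter firewall should still stop forwarding port 3389 from the Internet; the host rule is a second layer, not a replacement.
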
kevinhsieh commented:
I do this the way Cliff says, which is via RD Gateway policies. It is native to Windows, and is what you should be using to access RD over the internet. You can also do the same thing with a competent VPN that can filter traffic based upon which group profile a user gets.

You should not directly expose port 3389 to the Internet.
Matt Kendall, Tech / Business owner operator (author), commented:
Thanks for the advice! I set up a VPN to help control access and it works great.