Restrict Some Remote Desktop Users to only access from inside the office

Matt Kendall
Hi,

I have a Windows 2012 R2 Hyper-V server with 3 VMs. One of the VMs is set up for Remote Desktop Services and we have about 13 users connect into this server to work. Most of them connect to it from within the office. Some of the users connect from outside of the office. The managers asked me if there's a way that I can restrict remote access for some of the users. They would be able to work at their computer within the office but if they go home and feel like they want to remote into their session, they would be restricted from logging into their session when they're out of the office. What's the best and most simple way to accomplish this? Thanks in advance for your help!
Information Services Manager
Commented:
The best way in my opinion would be to remove all public IP access, and instead use a hardware or software VPN.   Users without the VPN would not be able to access the remote desktop servers.
Mahesh, Architect
Distinguished Expert 2018

Commented:
What you are trying to achieve is not possible with out-of-the-box functionality.
Better to use a VPN as suggested above, which will allow RDP only for those users who can connect through the VPN, and on the VPN you set who can connect and who cannot.
Distinguished Expert 2018

Commented:
Hopefully you are not allowing users direct access from outside the office. Maybe they are using a VPN as already suggested. But at the very least they should be using RD Gateway, which is a core RDS role. RD Gateway has policies to control access so modifying the RAP/CAP policy should accomplish your goal.

Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
On top of everything mentioned here, you can also use the Windows firewall to block RDP etc. based on dynamic rules
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
kevinhsieh, Network Engineer

Commented:
I do this the way Cliff says, which is via RD Gateway policies. It is native to Windows, and is what you should be using to access RD over the internet. You can also do the same thing with a competent VPN that can filter traffic based upon which group profile a user gets.

You should not directly expose port 3389 to the Internet.
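
One way to express the RD Gateway CAP/RAP approach described above in PowerShell, as an added example that is not part of the original thread. The domain `CONTOSO`, the groups `RDP-External-Allowed` and `RDS-Session-Hosts`, and the policy names are hypothetical, and the numeric `-AuthMethod` / `-ComputerGroupType` values are given as understood from the RemoteDesktopServices provider and should be confirmed on your gateway. It assumes office users connect straight to the session host on the LAN, so only outside connections pass through the gateway.

```powershell
# Added example: limit RD Gateway (outside-the-office) access to one AD group.
# Run elevated on the RD Gateway server. All names below are placeholders.
Import-Module RemoteDesktopServices

$userGroup = 'RDP-External-Allowed@CONTOSO'   # users allowed to connect from outside
$hostGroup = 'RDS-Session-Hosts@CONTOSO'      # AD group holding the session host VM
$capName   = 'External-CAP'
$rapName   = 'External-RAP'

# Connection Authorization Policy: who may connect through the gateway at all.
if (-not (Test-Path "RDS:\GatewayServer\CAP\$capName")) {
    # AuthMethod 1 = password authentication (assumed value, verify locally)
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
             -UserGroups $userGroup -AuthMethod 1 | Out-Null
}

# Resource Authorization Policy: which hosts those users may reach.
if (-not (Test-Path "RDS:\GatewayServer\RAP\$rapName")) {
    # ComputerGroupType 1 = AD security group (assumed value, verify locally)
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $rapName `
             -UserGroups $userGroup -ComputerGroupType 1 `
             -ComputerGroup $hostGroup | Out-Null
}

# Review step: a user is admitted if ANY policy matches, so list every CAP
# with its user groups and look for broad ones such as 'Domain Users'.
Get-ChildItem 'RDS:\GatewayServer\CAP' | ForEach-Object {
    $groups = Get-ChildItem "RDS:\GatewayServer\CAP\$($_.Name)\UserGroups"
    [pscustomobject]@{
        Policy     = $_.Name
        UserGroups = ($groups.Name -join ', ')
    }
} | Format-Table -AutoSize
```

Users left out of the external group can still work on the session host from inside the office; the restriction only holds if port 3389 on the session host is not reachable from the internet by any other path.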
Matt Kendall, Tech / Business owner operator

Author

Commented:
Thanks for the advice! I set up a VPN to help control access and it works great.
