VPN Quandary

I need to grant VPN access to a consultant but only allow them to access certain servers on our network. All our systems are on the 10.0.0.x /24 subnet, and VPN clients are assigned IPs via DHCP in the same subnet. We're using Windows sever 2k3 as our VPN server with only one interface. Is there a way to limit said VPN connection to the specific servers either by IP or MAC or something? Any thoughts would be appreciated, thanks.

Find more posts tagged with

Comments

dynamik

Look into packet filters. Is the same DHCP server assigning addresses to your other users, i.e. there's no way to differentiate between local and VPN user based on network address? You might want to setup an exclusion range and then have the VPN server assign addresses from it's own pool, so you know which addresses belong to VPN users. I'm not sure if packet filters allow you to specify a range, a network, etc. You may have to be more elaborate and put the VPN users on a different network, configure routing, and configure the packet filters based on the VPN network.

Those are just some ideas off the top of my head. I'm not in a place where I can test/look into this any further. Maybe that'll at least give you a place to start (or if nothing else, bump the thread so someone else can chime in

)

undomiel

Wouldn't it be easier to just grant him an account that is locked to logging in to only those specific servers?

dynamik

Easier? I thought we wanted a challenge

undomiel

Oh, my mistake!

Then by all means let the packet filtering continue.

Tontonsam

The answer of Undomiel seems correct and easier. But I am not involved in packet filter. My first solution was to have a router with 3 interfaces, put the server in one interface, vpn in one interface, local pcs in one eth and create policy rule. I am curious to know which exams cover ipsec or packet filter.

dynamik

291.

JayrodEF

Yes, I would like to grant him account that's locked to only access certain servers. The thing we're trying to avoid is we have a lot of open shares laying around with permssions for the everyone group and we're trying to minimize what could be accessed. That's why I was hoping for something IP based. Most of the servers that are needed to be accessed are Linux boxes anyway.

undomiel

You could set up the profile to assign him a specific IP address that you could then use to filter. But I think it would be easier to just toss his account into a deny group and then add that group to all of the shares with deny permissions. Less complex that way. But if you really want to block at the IP level then set up a profile to assign him a static IP address.

DragonNOA1

Is this a M$ RAS? If so, have a special Remote Access Policy rule for this user that has a IP filter on it that only allows access to said server IP.

sprkymrk

DragonNOA1 wrote:

Is this a M$ RAS? If so, have a special Remote Access Policy rule for this user that has a IP filter on it that only allows access to said server IP.

+1
Easy enough to do with RRAS.