VPN Quandary

JayrodEF Member Posts: 111
I need to grant VPN access to a consultant but only allow them to access certain servers on our network. All our systems are on the 10.0.0.x /24 subnet, and VPN clients are assigned IPs via DHCP in the same subnet. We're using Windows Server 2k3 as our VPN server with only one interface. Is there a way to limit said VPN connection to the specific servers either by IP or MAC or something? Any thoughts would be appreciated, thanks.

Comments

  • dynamik Banned Posts: 12,312
    Look into packet filters. Is the same DHCP server assigning addresses to your other users, i.e. there's no way to differentiate between local and VPN users based on network address? You might want to set up an exclusion range and then have the VPN server assign addresses from its own pool, so you know which addresses belong to VPN users. I'm not sure if packet filters allow you to specify a range, a network, etc. You may have to be more elaborate and put the VPN users on a different network, configure routing, and configure the packet filters based on the VPN network.

    Those are just some ideas off the top of my head. I'm not in a place where I can test/look into this any further. Maybe that'll at least give you a place to start (or if nothing else, bump the thread so someone else can chime in ;))
  • undomiel Member Posts: 2,818
    Wouldn't it be easier to just grant him an account that is locked to logging in to only those specific servers?
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • dynamik Banned Posts: 12,312
    Easier? I thought we wanted a challenge :lol:
  • undomiel Member Posts: 2,818
    Oh, my mistake! :) Then by all means let the packet filtering continue.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Tontonsam Member Posts: 90
    The answer of Undomiel seems correct and easier. But I am not involved in packet filter. My first solution was to have a router with 3 interfaces, put the server in one interface, vpn in one interface, local pcs in one eth and create policy rule. I am curious to know which exams cover ipsec or packet filter.
    MCP 70-270 / 70-290
  • dynamik Banned Posts: 12,312
  • JayrodEF Member Posts: 111
    Yes, I would like to grant him an account that's locked to only access certain servers. The thing we're trying to avoid is we have a lot of open shares lying around with permissions for the Everyone group and we're trying to minimize what could be accessed. That's why I was hoping for something IP based. Most of the servers that need to be accessed are Linux boxes anyway.
  • undomiel Member Posts: 2,818
    You could set up the profile to assign him a specific IP address that you could then use to filter. But I think it would be easier to just toss his account into a deny group and then add that group to all of the shares with deny permissions. Less complex that way. But if you really want to block at the IP level then set up a profile to assign him a static IP address.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • DragonNOA1 Member Posts: 149
    Is this a M$ RAS? If so, have a special Remote Access Policy rule for this user that has an IP filter on it that only allows access to said server IP.
    The command line, an elegant weapon for a more civilized age
  • sprkymrk Member Posts: 4,884
    DragonNOA1 wrote:
    Is this a M$ RAS? If so, have a special Remote Access Policy rule for this user that has an IP filter on it that only allows access to said server IP.

    +1
    Easy enough to do with RRAS.
    All things are possible, only believe.
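The approach the thread converges on (a reserved address pool or a static address from the user's dial-in profile, plus a per-policy IP filter that only permits traffic to the named servers) can be modelled in code. The block below is an added example, not code from any poster or from Windows RRAS itself; the VPN pool 10.0.0.240/28, the consultant's static address 10.0.0.250 and the server addresses 10.0.0.20/.21 are constructed values. It also includes the check dynamik's reply implies: verifying that the LAN DHCP scope's exclusion range really covers the pool, since otherwise a source address cannot tell a VPN client from a LAN host.

```python
"""Added example: RRAS-style per-user IP filtering for a VPN client, modelled in Python."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/24")

# Constructed: an exclusion range carved out of the LAN DHCP scope and handed to the
# VPN server as its own pool, so a source address alone identifies VPN clients.
VPN_POOL = ipaddress.ip_network("10.0.0.240/28")  # 10.0.0.240 - 10.0.0.255

# Constructed: the consultant's dial-in profile pins a static address inside that pool.
STATIC_ADDRESS = {"consultant": ipaddress.ip_address("10.0.0.250")}

# Constructed: the only servers (the Linux boxes) the consultant may reach.
ALLOWED_SERVERS = {
    "consultant": {ipaddress.ip_address("10.0.0.20"), ipaddress.ip_address("10.0.0.21")},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # 0 for icmp


def classify_source(src: str) -> str:
    """Return "vpn" for an address in the reserved pool, "lan" for the rest of the /24."""
    addr = ipaddress.ip_address(src)
    if addr in VPN_POOL:
        return "vpn"
    if addr in LAN:
        return "lan"
    return "external"


def filter_packet(user: str, pkt: Packet, direction: str) -> str:
    """Evaluate a per-policy filter for one VPN user.

    direction "input": packet arriving from the VPN client into the LAN;
    direction "output": reply leaving the LAN towards the client.
    Both directions default to drop, so nothing not listed crosses the VPN server.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    own = STATIC_ADDRESS[user]
    allowed = ALLOWED_SERVERS[user]
    if direction == "input":
        # Only the client's own address may talk, and only to the permitted servers;
        # a packet carrying some other source address on the tunnel is dropped.
        return "permit" if src == own and dst in allowed else "drop"
    if direction == "output":
        return "permit" if dst == own and src in allowed else "drop"
    raise ValueError(f"unknown direction {direction!r}")


def pool_leaks(dhcp_start: str, dhcp_end: str, exclusions) -> list:
    """Return VPN pool addresses the LAN DHCP scope could still hand out.

    exclusions is a list of (start, end) string pairs. An empty result means the
    exclusion range fully covers the pool, so a pool address can only be a VPN client.
    """
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in exclusions]
    leaked = []
    for addr in VPN_POOL:
        in_scope = start <= addr <= end
        excluded = any(a <= addr <= b for a, b in ranges)
        if in_scope and not excluded:
            leaked.append(str(addr))
    return leaked


if __name__ == "__main__":
    # Constructed sample flows seen on the VPN interface.
    flows = [
        Packet("10.0.0.250", "10.0.0.20", "tcp", 22),   # consultant -> allowed Linux box
        Packet("10.0.0.250", "10.0.0.30", "tcp", 445),  # consultant -> open share: dropped
        Packet("10.0.0.5", "10.0.0.20", "tcp", 22),     # wrong source on the tunnel: dropped
    ]
    for p in flows:
        print(p, "->", filter_packet("consultant", p, "input"))
    print("DHCP leaks:", pool_leaks("10.0.0.100", "10.0.0.254", [("10.0.0.240", "10.0.0.249")]))
```

The input and output filters are written as separate rules on purpose: RRAS policy filters are stateless, so reply traffic from the allowed servers back to the client's address has to be permitted explicitly, and anything else on the tunnel stays blocked.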