RE: Restrict WAN access


Well… some users should have access to Terminal Server from outside the
company, others shouldn’t. Let me be clear on this point. From inside the
company (LAN) everyone needs to access the TS server and they do every day.
From outside (WAN) I need to make sure only some users can access it.
Actually all users can access the server from outside the company because
there’s a publishing rule in the ISA server that redirects port 3388 (TS port
for the WAN) to the TS server. That way users that need to work from home
access the TS server using the RDP Client in Windows XP/Vista. Using VPNs
is not an option because no one has VPN dial access allowed. This is
primarily for security.

"James Yeomans BSc, MCSE" wrote:

Ah, I see, OK, completely different issue. Well, how do they get remote access
to the terminal server in the first place, through a Windows VPN? If so, do
you want to keep the VPN for those users or do they not require remote
access? I think what you are trying to say is they require remote access but
you don't want them to be able to use TS from outside, just the inside?
Correct?
--
James Yeomans, BSc, MCSE


"Rodrigo_live" wrote:

James:

No, that's not what I need to do. I need to restrict access to the Terminal
Server from outside the network for some users. It's not related to internet
access, just access to the TS Server.

"James Yeomans BSc, MCSE" wrote:

Hi, if I understand correctly you want some users to be able to access the
internet and some to be restricted. If this is the case and considering
you're working on a TS you shouldn't change any IP settings. On a
workstation you could remove the default gateway so the internet could not be
reached. However, in this case you really need something else filtering the
web traffic, say ISA server or another proxy type package. With ISA server
you can restrict internet access to specific users/groups. That's the only
really sensible way to achieve what you are trying to.
--
James Yeomans, BSc, MCSE


"Rodrigo_live" wrote:

Hi. In my company there’s a Windows 2003 Terminal Server that users access to
work every day. We need to restrict access to LAN only TS for some users and
LAN & WAN access to others. I’ve managed to get TS Console to identify the
two NICs in the server (LAN and WAN) by duplicating the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
key in the registry (renaming each one of them
after). This way I can distinguish between the LAN and WAN connection and set access
port (LAN uses default 3389 and WAN uses another port) and color depth etc
etc.
On the WAN adapter I’ve set only the group who should get access outside the
network and in the LAN adapter both groups (outside users and LAN users).
This works fine because LAN users can’t log on from outside the network. BUT
there’s a problem. If the user leaves his session disconnected the TS Server
will reconnect him. I can’t just restrict disconnected time period because
users work every day with a lot of documents and they leave them open until
the next day. I’ve discovered that the SYSTEM account is responsible for
“reconnect sessions” so I’ve tried to remove that account from the WAN
adapter and it works! The sessions are not reconnected from the outside but
the problem is that WAN-enabled users can’t reconnect to their sessions and
the system generates a new one because it can’t re-establish the link with the
one opened. I’ve tried almost anything and still no luck. Even if I restrict
to one session per user the WAN-enabled users can’t reconnect to the disconnected
session they left open, but if I give the SYSTEM account the right to
reconnect them LAN users will get access from outside the network.
Someone recommended that I use 2X SecureRDP, but although this software is great
it can’t distinguish between LAN and WAN adapters.
Any ideas will be greatly appreciated!!!
