
Restrict a servers access to a network


Bubbalouie (Technical User, US), Mar 25, 2009
Hi,

I have an outside vendor who will be sending me a Win2k8 terminal server to allow them to access a couple of our internal servers to do some work for us.

I would like to restrict that terminal server in a manner that would allow it access to only two internal IP addresses, the two servers they need to access, and I don't want them able to go anywhere else on our network.

I can set up the RDP access from outside with no problem but I don't know how to go about restricting them from other IPs in the network. Is that something I would do at the router level or do I need to be looking at my switches?

The router is a cisco 2900 series router.

Thanks In Advance!
 
Leapfrogging is difficult to defend against if the servers in question have access to other resources on the network. Can you share more about your topology? Do you have a flat network or do you make use of VLANs?

 
So, you will set up RDP access from "Outside" to this new terminal server?
The new terminal server then needs to access two servers internally, again using RDP?

My first thought is:
- Why do you need this new terminal server? Couldn't you just expose two public addresses NATd to the two servers they need access to? Does the TS server add anything, apart from more power/space/heat in your server room?

Otherwise, I suppose you could,
- Patch the 2 servers' OOB management port into a new VLAN on your network, VLAN299.
- Patch the new TS server into VLAN299.
- Put one simple access list on the switch where VLAN299 is routed, blocking all connections coming out of that VLAN.

 
Thanks for the quick feedback!

There are two application servers on my network they need access to. The terminal server has the clients for those two applications installed on it. The vendor will RDP onto the terminal server to access those applications.

My network is setup as follows:

192.168.1.x/24 Data - Default vlan
192.168.6.x/24 Data - (legacy app)
192.168.13.x/24 Data - Guest Wireless
192.168.32.x/24 Voice
10.0.2.x/24 Data
10.0.1.x/24 Data (unused)
10.0.0.x/24 Network Management

router/firewall
       |
-------switch1-------
|        |          |
|     switch2       |
switch3          switch5
|                   |
switch4          switch6

The two application servers are on Switch6. The terminal server is on Switch4. Switch1 is the 'core' switch that takes care of routing. The switches are HP ProCurve 2910al-48G-PoE switches.

The two app servers that need to be accessed are on the 192.168.1.x/24 network (192.168.1.37 and 192.168.1.253).

I kinda like the idea of sitting them on a little used network, 10.0.2.x/24, and restricting access to the two servers on 192.168.1.x/24. I do have a few devices (2 NAS, and a workstation) on 10.0.2.x/24 that everyone needs access to and that need access to the rest of the networks. I need to save 10.0.1.x/24 for a project next year where I'm going to split two buildings out from the rest of the campus.

192.168.6.x/24 is used only for 1 app server and it's db server, but I have to keep it around for awhile.

If I could assign it either a 192.168.6.x/24 or 10.0.1.x/24 static and create an access list to restrict it to those two IPs on the 192.168.1.x/24 network, that would be perfect.

Thanks Again!



 
Well, my network diagram didn't come out exactly as I'd planned...
 
the router, switch1 and switch2 are in one building.

switch3 and switch4 in another building.

switch5 and switch6 in another building.

switch3 connects via fiber to switch1 as does switch5.
 
I think I personally would approach it like this:
The new TS is in an Untrusted Security Zone.
The Servers are in a Trusted Security Zone.
Anytime you desire connections between two different security zones, you have to pass those connections through a Gateway where Security Policies dictate what is allowed and what is not allowed.

Exactly like a DMZ v. an internal LAN.

Now, a gateway needs to address the risk - a gateway between a DMZ and a LAN is usually a proper firewall.
You need to decide if you have the existing network to put the new TS into the DMZ, or create a new Zone for it.

You need to decide how to gateway it - a proper firewall you are already using, or an access list on your core (routing) switch.
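A worked configuration for the approach the replies converge on (a dedicated VLAN for the terminal server plus an access list on the routing core switch), added here as an illustration and not posted by anyone in this thread. It assumes HP ProCurve extended-ACL syntax, VLAN 299 (the number suggested above), 10.0.1.1 as that VLAN's gateway address and 10.0.1.10 as the terminal server's static address; both addresses are placeholders.

```text
; Added example, not from any poster in this thread. Assumes ProCurve
; extended-ACL syntax on the routing core switch (switch1), VLAN 299 as
; the dedicated vendor VLAN, and placeholder addresses 10.0.1.1 (VLAN
; gateway) and 10.0.1.10 (terminal server).

; 1. Dedicated VLAN on the core switch. Only the TS lives in it, so every
;    packet it sends to the rest of the network must be routed here and
;    therefore passes the ACL; hosts in the same VLAN would bypass it.
vlan 299
   name "VENDOR-TS"
   ip address 10.0.1.1 255.255.255.0
   exit

; 2. Extended ACL: the TS may reach only the two application servers.
;    ProCurve ACLs end with an implicit deny; the explicit "deny ... log"
;    makes blocked attempts visible in the switch event log. Any other
;    service the TS genuinely needs (DNS, for example) gets its own
;    permit entry above the deny.
ip access-list extended "TS-RESTRICT"
   permit ip host 10.0.1.10 host 192.168.1.37
   permit ip host 10.0.1.10 host 192.168.1.253
   deny ip any any log
   exit

; 3. Apply it as a routed ACL inbound on VLAN 299. Replies from the two
;    servers travel the other direction and are not filtered by this rule.
vlan 299 ip access-group "TS-RESTRICT" in

; Verify: only the two permit entries should show hit counts once the
; vendor is working.
; show access-list "TS-RESTRICT"
```

VLAN 299 must also be carried tagged across the switch1 to switch3 to switch4 links and untagged on the terminal server's port on switch4; the ACL alone does nothing if the TS is not actually isolated in that VLAN.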
 