Customer has a network with several locations. All the locations have a branch-office VPN to the main location where the server is located. The application being run is accessed via RDP to this server.
Customer has a requirement that all users have their own login credentials, nobody shares. That means no generic logins by station. The credential also must be unique by location, so if an employee works at one location one day, another on another day, he needs a different login at each location.
The problem is I have no way in place to check that the user has logged in correctly by location, since both sets of credentials are valid. I need to be able to restrict, hopefully by source network, which usernames (or groups) are allowed to log in.
Each location has its own network address. Main office could be 192.168.1.0/24, first branch could be 192.168.2.0/24, second branch 192.168.3.0/24, etc. Each branch network has free access to the home network through the VPN tunnels.
I think I am going to be needing RD Gateway with some network policies, but my experiments with a lab network have not been productive. It seems the policies are designed to build a single set of restrictions rather than a this-or-this-or-this group of policies.
To clarify, I am not trying to restrict RDP access by IP. ALL IPs have RDP access. I am trying to restrict credentials to specific networks. User group A can log in only from location 1, user group B can log in only from location 2, etc.
My original idea was to create multiple listeners on different ports and specify allowed access by listener, but 2008R2 will not let you put multiple listeners on the same NIC.
So any other ideas?
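The post says there is currently no way to check that a user logged in from the "right" location. As an added example (not code from the poster or from Microsoft), the following Python script shows the detective side of that requirement: it audits RDP logon records against a per-group source-subnet policy. It assumes one AD group per location, mapped to that location's subnet (the subnets are the post's examples; the group names, user names and the event lines are made up for this example). The sample records are constructed to mimic the fields of Security event 4624 that matter here (TargetUserName, LogonType, IpAddress); on the real server those would come from an export of the Security log, and only LogonType 10 (RemoteInteractive) is treated as an RDP session logon. This is an after-the-fact check, not the preventive restriction the poster is asking for, but it gives the customer the evidence they currently lack.

```python
"""Audit RDP logons against a per-location source-subnet policy.

Added example: maps each location group to the subnet its users may
log on from, then flags logons that come from the wrong site.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed mapping: one AD group per location, allowed only from that
# location's subnet. Subnets are the post's examples; group names are
# invented for this example.
GROUP_SUBNETS: Dict[str, ipaddress.IPv4Network] = {
    "RDP-Main":    ipaddress.ip_network("192.168.1.0/24"),
    "RDP-Branch1": ipaddress.ip_network("192.168.2.0/24"),
    "RDP-Branch2": ipaddress.ip_network("192.168.3.0/24"),
}

# Assumed group membership (in production, read this from AD).
USER_GROUPS: Dict[str, str] = {
    "jsmith.main": "RDP-Main",
    "jsmith.br1":  "RDP-Branch1",
    "contractor":  "RDP-Branch2",
}

# Constructed sample records, not real log data. Each line mimics the
# 4624 fields: EventID TargetUserName LogonType IpAddress.
SAMPLE_EVENTS: List[str] = [
    "4624 jsmith.main 10 192.168.1.42",
    "4624 jsmith.br1 10 192.168.2.17",
    "4624 jsmith.br1 10 192.168.1.42",   # branch credential used at main office
    "4624 contractor 3 192.168.3.5",     # NLA pre-auth (type 3), not a session
    "4624 contractor 10 192.168.3.5",
    "4624 helpdesk 10 192.168.9.9",      # user with no location mapping
    "4624 jsmith.main 10 10.0.0.8",      # outside every known site
]

# LogonType 10 = RemoteInteractive (RDP session logon). Type 7 (Unlock)
# is a reconnect of an existing session and is deliberately left out.
RDP_LOGON_TYPES = {10}


def parse_event(line: str) -> Tuple[int, str, int, str]:
    """Split one constructed record into (event_id, user, logon_type, ip)."""
    event_id, user, logon_type, ip = line.split()
    return int(event_id), user, int(logon_type), ip


def check_logon(user: str, source_ip: str) -> Tuple[str, str]:
    """Return ("OK" | "VIOLATION" | "UNKNOWN", human-readable reason)."""
    group = USER_GROUPS.get(user)
    if group is None:
        return "UNKNOWN", f"{user} is not mapped to any location group"
    allowed = GROUP_SUBNETS[group]
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "UNKNOWN", f"unparseable source address {source_ip!r}"
    if addr in allowed:
        return "OK", f"{user} ({group}) from {source_ip} is within {allowed}"
    # Identify which site the address actually belongs to, if any, so the
    # finding says "branch credential used at main office" rather than
    # just "wrong subnet".
    other = next((g for g, net in GROUP_SUBNETS.items() if addr in net), None)
    where = f"the {other} site" if other else "no known site"
    return "VIOLATION", (f"{user} ({group}) logged on from {source_ip}, "
                         f"which is {where}; expected {allowed}")


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (status, user, reason) for every RDP logon that is not OK."""
    findings = []
    for line in lines:
        event_id, user, logon_type, ip = parse_event(line)
        if event_id != 4624 or logon_type not in RDP_LOGON_TYPES:
            continue
        status, reason = check_logon(user, ip)
        if status != "OK":
            findings.append((status, user, reason))
    return findings


if __name__ == "__main__":
    for status, user, reason in audit(SAMPLE_EVENTS):
        print(f"{status:9} {reason}")
```

Run as-is it reports the branch credential used from the main office subnet, the unmapped `helpdesk` account, and the main-office credential used from an address outside every site. Because the branches reach the server through VPN tunnels, the source address the server sees is the client's branch address only if the tunnels do not NAT; if they do, the check has to be done on the far side of the NAT or on the RD Gateway instead.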