VPN how to disable access to service globally

Status
Not open for further replies.

lukaszOdulinski

Programmer
Oct 14, 2006
4
PL
Hi
I've got a VPN server configured, and on this server there are a couple of services (like Subversion) to which I would like to forbid access if someone is not logged into the VPN.

For example, if you type ip.address.of.server in a browser, nothing will happen if you are not logged into the VPN. But if you are logged into the VPN, the startup page will appear.

Where can I set this kind of restriction?
 
Hi,

I'm a bit confused! You have a Windows 2003 Server set up with Routing and Remote Access for VPNs between it and client machines?

What restrictions do you mean? E.g. a VPN client cannot do xxx or run xxx but a local one can? Or vice versa?

I'll be honest, VPN policy management is poor at best. As remote machines are not domain members, you cannot apply remote policies to them; therefore the only security and restrictions that can be applied will be on the server. Setting out restrictions can be done on the server, but only globally, as a local computer group policy or as non-group-policy VPN policies. However, RRAS policy management is not very flexible on this sort of thing (as it's just the policy on connectivity rather than network/machine usage).

If you can specify exactly what you want from the VPN, I'll try and get back to you.

Thanks,




Steve.

"They have the internet on computers now!" - Homer Simpson
 
All I want is that some services would be available locally, not globally, so if I log into the VPN I will be treated as part of the network and will have access to the services, but if I'm not, there will be no access. For example HTTP, Remote Desktop, FTP and so on.

General rule: no access for users from the internet; access only possible from the VPN.
 
Sorry - but I'm still not sure I understand what you are asking.

If I do understand correctly, simply put a firewall in (or use the one in SP1 - although I'd recommend a dedicated hardware box).
Simply block all ports but enable VPN passthrough; then once you authenticate against the server and are connected, the firewall rules would no longer apply (as the firewall can only see its VPN traffic rather than what you're trying to do over the VPN). If the services are running on the server, then you should be able to connect fine.

Hope this helps,




Steve.

"They have the internet on computers now!" - Homer Simpson
 
Well, I followed your advice and added firewall rules to my global interface in Routing and Remote Access. I enabled only VPN Gateway (PPTP), but this is not what I intended. The result is that I can connect to my VPN, but after that I don't have any access to the HTTP service, for example. When I enable the HTTP service, it works when I am connected to the VPN and when I'm not. The second situation is unwanted.
 
If you have an external firewall set up to block all access (and it sits between the Win2k3 server and the internet), but it supports VPN passthrough set up to send all VPN requests to the Win2k3 box, then you should be fine. The firewall will block all requests on all ports, including port 80. However, once your VPN connection is established you will be accessing your network/server directly instead of going via the port blocking on the firewall.

Once connected to the VPN, from your client you should be able to browse to the local IP of your HTTP server (e.g.




Steve.

"They have the internet on computers now!" - Homer Simpson
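The thread never shows how to confirm that the policy actually holds, which is exactly where the original poster got stuck (HTTP answering both on and off the VPN). The following probe is an added example and is not code from the thread or from either poster. It TCP-connects to the service ports and classifies each as open, closed (RST) or filtered (no answer), then compares the observed state with the intended policy: from the Internet only the PPTP control port 1723 may be open (GRE, IP protocol 47, is not a TCP port and is not probed); from a VPN client, against the server's internal address, the services must be open. The service names, port numbers and the sample addresses are assumptions for illustration.

```python
"""Reachability check for a 'services only over the VPN' policy (added example, not from the thread).

Run once from an Internet host against the public address, and once from a connected VPN
client against the internal address with --vpn. Any line marked POLICY VIOLATION means the
service is reachable from where it should not be (or unreachable from where it should be).
"""
import socket
import sys
from typing import Dict, Tuple

# Service ports the thread wants hidden from the Internet (assumed defaults: HTTP, RDP, FTP control, svnserve).
SERVICES = {"http": 80, "rdp": 3389, "ftp": 21, "svn": 3690}
PPTP_PORT = 1723  # PPTP control channel; must stay reachable or nobody can dial in


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open' (TCP handshake completed), 'closed' (RST received, i.e. no firewall but no
    listener) or 'filtered' (no answer before the timeout, i.e. a firewall dropped the SYN)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "filtered"  # host unreachable etc.: treat as not reachable


def check_policy(results: Dict[str, str], on_vpn: bool) -> Dict[str, bool]:
    """Per probed name, True if the observed state matches the intended policy.

    Outside the VPN: 'pptp' must be open, everything else must NOT be open
    (closed is acceptable, filtered is what a correctly configured firewall gives).
    On the VPN: every service must be open; 'pptp' is not probed there.
    """
    verdict = {}
    for name, state in results.items():
        if name == "pptp":
            verdict[name] = state == "open"
        elif on_vpn:
            verdict[name] = state == "open"
        else:
            verdict[name] = state != "open"
    return verdict


def scan(host: str, on_vpn: bool, timeout: float = 2.0) -> Tuple[Dict[str, str], Dict[str, bool]]:
    """Probe the relevant ports on host and return (observed states, per-port verdicts)."""
    targets = dict(SERVICES)
    if not on_vpn:
        targets["pptp"] = PPTP_PORT  # only meaningful from the outside
    results = {name: probe(host, port, timeout) for name, port in targets.items()}
    return results, check_policy(results, on_vpn)


if __name__ == "__main__":
    # Sample addresses are assumptions (documentation ranges), replace with your own.
    target = next((a for a in sys.argv[1:] if not a.startswith("--")), "203.0.113.10")
    via_vpn = "--vpn" in sys.argv
    observed, verdicts = scan(target, via_vpn)
    print(f"probing {target} ({'inside VPN' if via_vpn else 'from the Internet'})")
    for name, state in observed.items():
        print(f"  {name:5} {state:9} {'OK' if verdicts[name] else 'POLICY VIOLATION'}")
    sys.exit(0 if all(verdicts.values()) else 1)
```

The symptom from the thread (HTTP reachable with and without the VPN) shows up as `http open POLICY VIOLATION` in the outside run; the state you want to see from the Internet is `filtered` for every service and `open` only for `pptp`.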
 