IP Filtering in Windows 2003 Server

 
 
pgudge@gmail.com

 
      11-15-2005, 05:03 PM
I have a Windows 2003 sat on the LAN. On the LAN is an ADSL modem router
connected to the internet.

The Modem/Router does not support IP Filtering so I am left trying to
get the Windows 2003 Server to do so.

What I require is this:

From my home internet connection IP address (for example) 1.2.3.4

Remote Desktop to the Server at 4.3.2.1

I have port forwarded 3389 from the modem/router to the server's IP
address, and everything is connecting fine, everyone on the net
literally.

How can I tell Windows 2003 to only allow access to RDP from the LAN IP
range (192.168.1.0/255) and also my IP address 1.2.3.4?

Is this at all possible without third-party firewalls etc?

Thanks.

 
 
 
 
 
Phillip Windell

 
      11-15-2005, 06:44 PM
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I have a Windows 2003 sat on the LAN. On the LAN is an ADSL modem router
> connected to the internet.
>
> The Modem/Router does not support IP Filtering so I am left trying to
> get the Windows 2003 Server to do so.


No you can't. Unless you get rid of the "combo" modem/router unit and
replace it with just a "modem" and then run your server with two NICs and
use it in the position of the "router" portion of what the "modem/router"
used to be.

If you do this currently with the Server and still keep the "combo" unit you
will be creating a "Back-to-Back DMZ" environment. If you know what that is
and know how to deal with it then fine,...but if not,..then don't.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------




 
 
Paul Goodyear

 
      11-16-2005, 09:24 AM
Phillip Windell wrote:
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) oups.com...
>
>>I have a Windows 2003 sat on the LAN. On the LAN is an ADSL modem router
>>connected to the internet.
>>
>>The Modem/Router does not support IP Filtering so I am left trying to
>>get the Windows 2003 Server to do so.

>
>
> No you can't. Unless you get rid of the "combo" modem/router unit and
> replace it with just a "modem" and then run your server with two NICs and
> use it in the position of the "router" portion of what the "modem/router"
> used to be.
>
> If you do this currently with the Server and still keep the "combo" unit you
> will be creating a "Back-to-Back DMZ" environment. If you know what that is
> and know how to deal with it then fine,...but if not,..then don't.
>

But a b2b dmz network is still no good as the combo box cannot filter on
IP address. So all traffic will be flowing in.

I find it very hard to believe that windows 2003 routing cannot filter
on IP. But thanks for your time and input. Much appreciated.

Paul.
 
 
Phillip Windell

 
      11-16-2005, 03:07 PM
"Paul Goodyear" <(E-Mail Removed)> wrote in message
news:XNDef.12842$(E-Mail Removed) k...

> > If you do this currently with the Server and still keep the "combo" unit you
> > will be creating a "Back-to-Back DMZ" environment. If you know what that is
> > and know how to deal with it then fine,...but if not,..then don't.
> >

> But a b2b dmz network is still no good as the combo box cannot filter on
> IP address. So all traffic will be flowing in.


First the combo box is a NAT Device,...traffic will *not* be "flowing
in",...it just doesn't work that way,...NAT doesn't work that way. NAT is
*one-way* and it is outbound only. The only thing that comes in would be
a situation where you specifically set up a Static NAT for something. Many of
these devices call it "forwarding a port" even though that is incorrect
terminology and there is no such thing as "forwarding a port". The IP#s are
being forwarded, not the ports and the correct term for it is,... (no not
"forwarding an IP") is Static NAT when the port#s match on both ends,... and
it is called Static NAT with PAT when the port numbers don't match. PAT is
"Port Address Translation".

But I digress, terminology is one of those "soap-boxes" I can never stop
myself from getting on.

> I find it very hard to believe that windows 2003 routing cannot filter
> on IP. But thanks for your time and input. Much appreciated.


Yes it does. It is done in RRAS.

MMC-->Servername-->IP Routing-->General

1. Choose the Interface that represents the External one (faces the "combo"
box).
2. Right-click-->Properties
3. Use the Inbound Filters or the Outbound Filters button,..whichever
applies to what you want to do.

The filtering in "Windows Routing" is rudimentary, that is all it was ever
meant to be,..it isn't by "accident". The real product for doing extensive
and complex filtering is ISA Server, that is what it was designed for.


 
Reply With Quote
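A model of the inbound-filter decision behind the RRAS steps above, added here as an illustration; it is not taken from any post in the thread or from RRAS itself. It assumes the two filter-list modes the RRAS filter dialog offers (receive all except listed, drop all except listed), a 255.255.255.0 mask for the LAN, that the router's forward preserves the original source address, and constructed sample packets; `Filter`, `inbound_allowed` and `verdicts` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    src: str       # source network written as "address/mask"
    proto: str     # "tcp", "udp" or "any"
    dst_port: int  # 0 = any destination port

    def matches(self, src_ip: str, proto: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return (in_net and self.proto in ("any", proto)
                and self.dst_port in (0, dst_port))

def inbound_allowed(filters, drop_unless_listed, src_ip, proto, dst_port):
    """Stateless verdict for one packet arriving on the filtered interface."""
    hit = any(f.matches(src_ip, proto, dst_port) for f in filters)
    # "Drop all except listed" passes only hits;
    # "Receive all except listed" passes only misses.
    return hit if drop_unless_listed else not hit

LAN = "192.168.1.0/255.255.255.0"   # the poster's LAN range, mask assumed
HOME = "1.2.3.4/255.255.255.255"    # the poster's example home address

# Only the two RDP sources are listed.
RDP_ONLY = [Filter(LAN, "tcp", 3389), Filter(HOME, "tcp", 3389)]
# Same, plus a catch-all so LAN clients keep reaching the other services.
RDP_PLUS_LAN = RDP_ONLY + [Filter(LAN, "any", 0)]

# Constructed sample packets: (label, source IP, protocol, destination port)
SAMPLES = [
    ("home RDP", "1.2.3.4", "tcp", 3389),
    ("stranger RDP", "203.0.113.9", "tcp", 3389),
    ("LAN RDP", "192.168.1.20", "tcp", 3389),
    ("LAN SMB", "192.168.1.20", "tcp", 445),
]

def verdicts(filters):
    """Evaluate every sample packet in drop-all-except-listed mode."""
    return {label: inbound_allowed(filters, True, ip, proto, port)
            for label, ip, proto, port in SAMPLES}

if __name__ == "__main__":
    for name, rules in (("RDP_ONLY", RDP_ONLY), ("RDP_PLUS_LAN", RDP_PLUS_LAN)):
        print(name, verdicts(rules))
```

Because these filters are stateless, replies to connections the server itself opens to the internet would also need their own entry in drop-all-except mode.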