#1
We have a 2003 domain and have an application that works over TCP/IP from a mainframe system.

Have created a network account, put it into the VPN group and enabled the policy to allow access. All works fine and the user can access the network and the mainframe application.

Problem is we only want the user to be able to access the mainframe application over TCP/IP when the VPN is established, not anything else.

Is it possible to remove access to browse the network and all network resources using a RAS policy or filtering for this user only?

Thanks for any suggestions.

BINZA@
#2
That isn't the way to tackle the problem. VPN just gives you an IP connection to the network. What machines the user can access on the network are best controlled by other methods.

"BINZA@" <mark1.smith(remove this)@virgin.net> wrote in message news:(E-Mail Removed)...
> We have a 2003 domain and have an application that works over TCP/IP from a mainframe system.
>
> Have created a network account, put it into the VPN group and enabled the policy to allow access. All works fine and the user can access the network and the mainframe application.
>
> Problem is we only want the user to be able to access the mainframe application over TCP/IP when the VPN is established, not anything else.
>
> Is it possible to remove access to browse the network and all network resources using a RAS policy or filtering for this user only?
>
> Thanks for any suggestions.
#3
Bill,

Could you suggest another method, as I cannot find a policy or setting in the account that prevents him from using shares or browsing the network? This restriction can apply completely, i.e. over VPN or when in an office logging on locally.

"Bill Grant" <not.available@online> wrote in message news:(E-Mail Removed)...
> That isn't the way to tackle the problem. VPN just gives you an IP connection to the network. What machines the user can access on the network are best controlled by other methods.
#4
It is odd that you want to stop browsing for a VPN client. Usually that just doesn't work. Most questions in this ng are about how to make it work!

You can't use an AD policy to control browsing. The computer browser service is an NT legacy app which uses NetBIOS names and LAN broadcasts. That is why it doesn't usually work across a WAN and why you can't control it from AD.

If you arrange things so that the VPN clients do not get DNS and WINS addresses when they connect, they will only be able to access machines which they know about.

If you are using W2k3, check in the RRAS console that you have not allowed broadcasts from the VPN client.

"BINZA@" <mark1.smith(remove this)@virgin.net> wrote in message news:(E-Mail Removed)...
> Bill,
>
> Could you suggest another method, as I cannot find a policy or setting in the account that prevents him from using shares or browsing the network? This restriction can apply completely, i.e. over VPN or when in an office logging on locally.
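A client-side check for the advice in post #4, as an added example that is not part of the original thread: it parses `ipconfig /all` output and reports any PPP (VPN) adapter that was still handed DNS or WINS servers. The sample output is constructed, and the adapter name and addresses are placeholders.

```python
import re

# Constructed sample of `ipconfig /all` output from a connected Windows VPN client.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IP Address. . . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter Office VPN:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.50.7
   DNS Servers . . . . . . . . . . . : 10.10.0.5
                                       10.10.0.6
   Primary WINS Server . . . . . . . : 10.10.0.9
"""

ADAPTER = re.compile(r"^(\S.*?) adapter (.+):\s*$")
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
BARE_IP = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
NAME_KEYS = ("DNS Servers", "Primary WINS Server", "Secondary WINS Server")

def name_servers_by_adapter(text):
    """Return {(adapter_type, adapter_name): {field: [addresses]}}."""
    result, current, last = {}, None, None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:  # start of a new adapter section
            current = result.setdefault((m.group(1), m.group(2)), {})
            last = None
            continue
        if current is None:
            continue
        m = BARE_IP.match(line)
        if m and last:  # continuation line: extra server for the previous field
            current[last].append(m.group(1))
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        last = key if key in NAME_KEYS else None
        if last:
            current.setdefault(key, [])
            if value:
                current[key].append(value)
    return result

def vpn_name_resolution_leaks(text):
    """List (adapter, field, addresses) for PPP adapters that received DNS or WINS servers."""
    return [(name, key, addrs)
            for (kind, name), fields in name_servers_by_adapter(text).items()
            if kind == "PPP"
            for key, addrs in fields.items() if addrs]
```

An empty list from `vpn_name_resolution_leaks` means the VPN adapter received no name servers, so the client can only reach machines it already knows by address.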
#5
Bill,

VPN works fine for all clients, however we have a guy who does not work for us but has four computers on our network which he needs to support remotely. Is it possible to make these changes for only one user but not affect the rest of the VPN users?

Thanks for your help and time.

"Bill Grant" <not.available@online> wrote in message news:%(E-Mail Removed)...
> It is odd that you want to stop browsing for a VPN client. Usually that just doesn't work. Most questions in this ng are about how to make it work!
>
> You can't use an AD policy to control browsing. The computer browser service is an NT legacy app which uses NetBIOS names and LAN broadcasts. That is why it doesn't usually work across a WAN and why you can't control it from AD.
>
> If you arrange things so that the VPN clients do not get DNS and WINS addresses when they connect, they will only be able to access machines which they know about.
>
> If you are using W2k3, check in the RRAS console that you have not allowed broadcasts from the VPN client.