Networking Forums

VPN access restrictions

 
 
BINZA@
      11-17-2006, 08:43 AM
We have a 2003 domain and have an application that works over TCP/IP from a
mainframe system.

Have created a network account, put it into VPN group and enabled policy to
allow access; all works fine and user can access network and mainframe
application.

Problem is we only want user to be able to access mainframe application
over TCP/IP when VPN is established, not anything else.

Is it possible to remove access to browse network and all network resources
using a RAS policy or filtering for this user only?

Thanks for any suggestions.


 
Bill Grant
      11-18-2006, 02:35 AM
That isn't the way to tackle the problem. VPN just gives you an IP
connection to the network. What machines the user can access on the network
are best controlled by other methods.

BINZA@
      11-18-2006, 11:56 AM
Bill,
Could you suggest another method, as I cannot find a policy or setting in
account that prevents him from using shares or browsing network.
This restriction can apply completely, i.e. over VPN or when in an office
logging on locally.

Bill Grant
      11-18-2006, 11:02 PM
It is odd that you want to stop browsing for a VPN client. Usually that
just doesn't work. Most questions in this ng are about how to make it work!

You can't use an AD policy to control browsing. The computer browser
service is an NT legacy app which uses NetBIOS names and LAN broadcasts.
That is why it doesn't usually work across a WAN and why you can't control
it from AD.

If you arrange things so that the VPN clients do not get DNS and WINS
addresses when they connect, they will only be able to access machines which
they know about.

If you are using W2k3, check in the RRAS console that you have not
allowed broadcasts from the VPN client.

Reply With Quote
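
A check for the advice above about not handing DNS and WINS addresses to VPN clients, as an added example that is not part of the original thread: it parses `ipconfig /all` output captured on a connected client and reports any name servers assigned to the PPP (VPN) adapter. The sample output and its addresses are constructed, and the field names assume the English-language `ipconfig` layout; the check covers name-server assignment only, not what the client can reach by IP address.

```python
import re

# Constructed sample of `ipconfig /all` output from a VPN client (addresses are made up).
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 10.0.0.5
        DNS Servers . . . . . . . . . . . : 10.0.0.1

PPP adapter Corp VPN:

        IP Address. . . . . . . . . . . . : 192.168.50.12
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.11
        Primary WINS Server . . . . . . . : 192.168.1.10
"""

FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")   # "Name . . . : value"
WATCHED = ("DNS Servers", "Primary WINS Server", "Secondary WINS Server")

def parse_ipconfig(text):
    """Return {section: {field: [values]}}, folding continuation lines."""
    sections, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line starts a section
            current = sections.setdefault(line.strip().rstrip(":"), {})
            last = None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            last = current.setdefault(m.group(1), [])
            if m.group(2):
                last.append(m.group(2).strip())
        elif last is not None:                 # extra value for the previous field
            last.append(line.strip())
    return sections

def vpn_name_servers(text):
    """Name servers handed to each PPP (VPN) adapter; {} means none were assigned."""
    found = {}
    for name, fields in parse_ipconfig(text).items():
        if name.startswith("PPP adapter"):
            hits = {k: v for k, v in fields.items() if k in WATCHED and v}
            if hits:
                found[name] = hits
    return found
```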
 
BINZA@
      11-19-2006, 07:08 AM
Bill,
VPN works fine for all clients, however we have a guy who does not work for
us but has four computers on our network which he needs to support remotely.
Is it possible to make these changes for only one user but not affect the
rest of the VPN users?

Thanks for your help and time.
 
 
 