Get Windows Firewall to allow connection from user coming in via VPN (Routing and Remote Access)

Question

A single NIC Windows Server has a number of services, for example FTP.

The same machine is also running Routing and Remote Access to provide VPN/NAT services to remote users. Meaning users who connecting who then browse the internet see the servers IP address.

I want to hide my FTP service so that the port (say port 123) is only accessible to users who are connected via the VPN, or are on the machine itself. I want port 123 hidden to the internet.

While the web is saturated in information on how to open VPN ports on a firewall, I can't find anything on how to restrict a port to VPN only users using the Windows Firewall.

Since Routing & Remote Access issues clients IP addresses from a defined IPv4 pool. I first tried adding this range to the Remote IP Addresses on the ALLOW rule. I also tried the servers public IP. However, all of this just prevents the connection. Only if the rule is set to 'Any IP Address' can the port be accessed.

How to open a port on Windows Firewall for VPN only users?

Answer 1

Since you know the VPN DHCP IP pools because you assigned them you know the valid IP range for VPN users. Just restrict the firewall to only allow the IP pool for FTP.

You can use the powershell command to get the IP pool

Get-RemoteAccessRoutingDomain -Name <name>

Answer 2

Couldn't comment due to low rep.

What kind of FTP server is it? Since I usually run Linux FTP servers, I would put the FTP server on a vLAN (on a different subnet). You could configure the VPN machines to connect to that subnet instead of the main subnet for the rest of the network by making the VPN Server a member of the vLAN network (with a virtual adapter). That would work well especially if the VPN machines connect to the internet through their own local networks instead of through the VPN tunnel (force tunnelling off). It really depends on your configuration though. My suggestion would be especially easy to implement if the FTP server is running as a virtual machine (then you just make it's adapter internal, and VPNs would connect through a bridge on the VPN server). Just some ideas. What is the exact setup you are using for your FTP and VPN servers? You said you are running FTP as a server role, so maybe you could consider setting it up as an Hyper-V client instead? I'm not a networking expert though, more familiar with VM setups where are the server components are kept discrete from each other (makes management easier IMHO).