
I have a few internet-facing Windows (2008 R2) RDP servers and a user that I only want to have access to the RDP server when they are on our local subnet, but allow the other users to have external access.

Is it possible to limit the RDP access of the user to the internal network only? Better yet, is there a way to limit a group's RDP access by IP?

I looked at using the Windows Firewall, but didn't see anything about limiting a specific user or group's access. I checked some of the group policy settings and couldn't find anything related to RDP access by IP.

drg
    Do you have a corporate firewall device/appliance protecting your data network with access control rules by chance? – Pimp Juice IT Jun 10 '17 at 02:48
  • To be honest I'm not sure. We have a Cisco ASA 5505 and it has some user configuration, but I don't know if I can integrate it with our Active Directory or not. I'll check into it – drg Jun 10 '17 at 03:18
  • You can definitely limit with Windows Firewall which IP addresses can connect; 100% for sure I know this works, as I've used it, but in conjunction with firewall appliance security policies and NAT rules. If you can do this via Windows Firewall based on IP address only, regardless of which username, let me know and I'll add an answer for you with more determine on the configuration. – Pimp Juice IT Jun 10 '17 at 03:38

1 Answer


A firewall can limit connections by source, port and destination, but it doesn't know anything about the user who's trying to log in on a secure connection. Therefore, you can only block all users or allow all users. On the other hand, RDP doesn't have a feature to restrict users by IP address, just by the login name.

Luckily, there's a solution: install RD Gateway. Allow connections from the Internet only through this gateway and use RD Gateway's Authorization Policies to allow anyone but the administrators to use the gateway. Your administrators inside your local network can still connect directly to the servers.

Esa Jokinen
  • Thanks! I'll try to set up RD Gateway. I looked at it briefly and it looks like I may have to change how my customers have to connect. That's a lot of inertia to overcome; they're not the most technically literate group. – drg Jun 13 '17 at 15:33
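As an added illustration (not code from Esa Jokinen's answer or from Microsoft), here is what the two halves of that design look like on Server 2008 R2: the host firewall accepts TCP 3389 only from the LAN and from the RD Gateway, and the gateway's Connection and Resource Authorization Policies admit only one AD group. The user who must stay internal is simply left out of that group, so from the internet they hit neither an open 3389 nor a CAP that matches them. The subnet, gateway address, host and group names are constructed placeholders; the `RDS:\GatewayServer\CAP` and `RAP` item parameters (`-UserGroups`, `-AuthMethod`, `-ComputerGroupType`, `-ComputerGroup`) are as I remember them from the RemoteDesktopServices provider and should be checked with `Get-Help New-Item` inside that drive before use.

```powershell
# Added example, not part of the original answer. Placeholders below are constructed.
$InternalSubnet = '10.0.0.0/24'          # placeholder: the local subnet
$GatewayIp      = '10.0.0.5'             # placeholder: RD Gateway's LAN address
$ExternalGroup  = 'RDP-External@example' # placeholder: AD group allowed in via the gateway
$RdpHostsGroup  = 'RDP-Hosts@example'    # placeholder: AD group holding the RDP servers

# --- Run on each RDP server (2008 R2 firewall, netsh syntax) ---
function Restrict-DirectRdp {
    param([string]$Subnet, [string]$Gateway)
    # The built-in rule accepts 3389 from any address, so disable it.
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
    # Accept 3389 only from the LAN and from the gateway, which relays external sessions.
    netsh advfirewall firewall add rule name=RDP-Internal-And-Gateway dir=in action=allow `
        protocol=TCP localport=3389 remoteip="$Subnet,$Gateway"
}

# --- Run on the RD Gateway ---
function New-GatewayPolicies {
    param([string]$UserGroup, [string]$ComputerGroup)
    Import-Module RemoteDesktopServices
    # CAP: who may use the gateway at all. AuthMethod 1 = password (assumed encoding).
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'External-Users-CAP' `
        -UserGroups $UserGroup -AuthMethod 1
    # RAP: which hosts that group may reach. ComputerGroupType 1 = AD group (assumed encoding).
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'External-Users-RAP' `
        -UserGroups $UserGroup -ComputerGroupType 1 -ComputerGroup $ComputerGroup
}

# --- Sanity checks after configuring ---
function Show-RdpAccessConfig {
    # On a host: the only enabled 3389 rule should list the LAN subnet and the gateway.
    netsh advfirewall firewall show rule name=RDP-Internal-And-Gateway
    # On the gateway: the CAP's user group is the complete list of external RDP users.
    Get-ChildItem 'RDS:\GatewayServer\CAP' | Format-List Name, UserGroups
}

# Typical use:
# Restrict-DirectRdp -Subnet $InternalSubnet -Gateway $GatewayIp     # on every RDP server
# New-GatewayPolicies -UserGroup $ExternalGroup -ComputerGroup $RdpHostsGroup  # on the gateway
# Show-RdpAccessConfig
```

Two things worth checking once this is in place: the edge firewall or ASA must forward only TCP 443 to the gateway and nothing to 3389 on the hosts, otherwise the host-side rule is the only thing standing between the internet and RDP; and because the gateway itself opens the 3389 session to the host, the host rule has to include the gateway's address or every external session fails even for permitted users.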