Hi all.

We currently have a scenario where all our users connect
to a main terminal server, and from here they can terminal
serve to various other machines on the network.

What we would like to be able to do is limit where the
users can get access to.

So for instance user A can get access to 192.*.*.* but not
get access to 10.*.*.*

I have looked at ISA server but it doesn't seem to allow
you to specify IP ranges that users can access.

Any Ideas?? Many thanks.

RE: Network Security. by anonymous

anonymous
Wed Jun 09 11:51:02 CDT 2004

This is a job for router access control lists (ACLs). If users to be restricted are on different subnets from the machines they are to be restricted from, the network traffic by definition must go through a router where you can implement ACLs to deny traffic from source IP address to destination IP address. ACLs can also be implemented on a firewall if the traffic is traversing one.

Re: Network Security. by Lionel

Lionel
Wed Jun 09 12:35:56 CDT 2004

You can use an IPSec strategy to define such filters. Terminal Server
uses TCP port 3389 by default.

Andy wrote:
> Hi all.
>
> We currently have a scenario where all our users connect
> to a main terminal server, and from here they can terminal
> serve to various other machines on the network.
>
> What we would like to be able to do is limit where the
> users can get access to.
>
> So for instance user A can get access to 192.*.*.* but not
> get access to 10.*.*.*
>
> I have looked at ISA server but it doesn't seem to allow
> you to specify IP ranges that users can access.
>
> Any Ideas?? Many thanks.

Re: Network Security. by anonymous

anonymous
Wed Jun 09 13:21:03 CDT 2004

Unless there is no router to configure ACLs to block traffic, IPSEC would be a major overkill solution.

Re: Network Security. by Lionel

Lionel
Wed Jun 09 14:32:00 CDT 2004

jbiddlew wrote:
> Unless there is no router to configure ACLs to block traffic, IPSEC
> would be a major overkill solution

If you don't use the encryption and authentication feature, only the
filtering part, it's not so difficult to set up, and it doesn't require
anything except the Windows box itself. :-)

Re: Network Security. by anonymous

anonymous
Wed Jun 09 15:21:10 CDT 2004

That's interesting, I didn't know that about Windows IPSec. But if there are routers involved, as was alluded to by the different network numbers of the mentioned IP addresses, it's best to centralize access control in one place, and that's probably the router(s) as opposed to individual Windows machines and terminals. Any opinions?

Re: Network Security. by Lionel

Lionel
Wed Jun 09 15:38:49 CDT 2004

jbiddlew wrote:
> That's interesting, I didn't know that about Windows IPSec. But if
> there are routers involved, as was alluded to by the different
> network numbers of the mentioned IP addresses, it's best to centralize
> access control in one place, and that's probably the router(s) as
> opposed to individual Windows machines and terminals. Any opinions?

I agree. Network boundaries (especially when there is a firewall box
there) are the preferred place to put filters.

RE: Network Security. by anonymous

anonymous
Wed Jun 09 16:04:23 CDT 2004

But if they are all connecting from one terminal server
to the destination machines (that I want to restrict
access to) then they all take on the same IP address (of
the terminal server they use to connect via) so in effect
the router would not be able to differentiate between
users would it?

I think possibly I am trying to do something that just
isn't possible... but thought it may be worth asking.

Thank you


> -----Original Message-----
> This is a job for router access control lists (ACLs).
> If users to be restricted are on different subnets from
> the machines they are to be restricted from, the network
> traffic by definition must go through a router where you
> can implement ACLs to deny traffic from source IP address
> to destination IP address. ACLs can also be implemented
> on a firewall if the traffic is traversing one.
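An added illustration of the point made in the first reply (router ACLs keyed on source address, destination address and port) and in the last post (every user leaving the terminal server shares its source address); this is example code written for this thread, not something any poster provided. The terminal server address, the ACL entries and the user names are constructed for the demonstration.

```python
import ipaddress

# Hypothetical address of the main terminal server that all users RDP from.
TS_IP = "192.168.1.10"

# Constructed ACL mirroring the thread: permit RDP (TCP 3389) from the
# terminal server to 192.*.*.*, deny it to 10.*.*.*. First match wins and
# anything unmatched falls through to an implicit deny, as on most routers.
ACL = [
    # (action, source network, destination network, destination port)
    ("permit", "192.168.1.10/32", "192.0.0.0/8", 3389),
    ("deny",   "192.168.1.10/32", "10.0.0.0/8",  3389),
]


def evaluate(acl, src, dst, dport):
    """Return the action of the first ACL entry matching src/dst/dport,
    or 'deny' when nothing matches (implicit deny)."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in acl:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and dport == port):
            return action
    return "deny"


def per_user_verdicts(acl, users, src, dst, dport=3389):
    """Verdict for each user whose session originates from the same source
    address. The ACL only sees addresses and ports, so every user who
    connects via the terminal server gets the same answer: a network-layer
    filter cannot tell user A from user B here."""
    return {user: evaluate(acl, src, dst, dport) for user in users}


if __name__ == "__main__":
    print(evaluate(ACL, TS_IP, "192.168.5.20", 3389))   # permit
    print(evaluate(ACL, TS_IP, "10.1.2.3", 3389))       # deny
    print(per_user_verdicts(ACL, ["A", "B"], TS_IP, "10.1.2.3"))
```

Running it shows that the 192.*.*.* / 10.*.*.* split is easy to express at the router, while the last call returns an identical verdict for both users, which is exactly the limitation the final post describes.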