Restrict WAN access

[Rodrigo_live]

Hi. In my company there’s a Windows 2003 Terminal Server that users access to
work every day. W e need to restrict access to LAN only TS for some users and
LAN & WAN access to others. I’ve managed to get TS Console to identify the
two NICs in the server (LAN and WAN) by duplicating the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\WinStations\RDP-Tcp Key in the registry (renaming each one of them
after). This way I can distinct the LAN and WAN connection and set access
port (LAN uses default 3389 and WAN uses another port) and color depth etc
etc.
On the WAN adapter I’ve set only the group who should get access outside the
network and in the LAN adapter both groups (outside users and lan users).
This works fine because LAN users can’t logon from outside the network. BUT
there’s a problem. If the user leaves his session disconnected the TS Server
will reconnect him. I can’t just restrict disconnected time period because
users work every day with a lot of documents and they leave them opened to
the next day. I’ve discovered that the SYSTEM account is the responsible of
“reconnect sessions” so I’ve tried to remove that account from the WAN
adapter and it works! The sessions are not reconnected from the outside but
the problem is that Wan-enabled users can’t reconnect to their sessions and
the system generates a new one because can’t re establish the link with the
one opened. I’ve tried almost anything and still no luck. Even if I restrict
one session by user the wan-enabled users can’t reconnect to the disconnected
session they left opened but if I give the SYSTEM account the right to
reconnect them LAN users will get access from outside the network.
Someone recommend me to use 2X SecureRDP but despite this software is grate
it can’t distinguish between LAN and WAN adapters.
Any ideas will be greatly!!!

 

[James Yeomans BSc, MCSE]

RE: Restrict WAN access

Hi if i understand correctly you want some users to be able to access the
internet and some to be restricted. If this is the case and considering
you're working on a TS you shouldn't change any IP settings. on a
workstation you could remove the default gateway so the internet could not be
reached. However in this case you really need something else filteringt he
web traffic, say ISA server or another proxy type package. With ISA server
you can restrict internet access to specific users/groups. Thats the only
really sensible way to achieve what ytou are trying to.
--
James Yeomans, BSc, MCSE


"Rodrigo_live" wrote:

> Hi. In my company there’s a Windows 2003 Terminal Server that users access to
> work every day. W e need to restrict access to LAN only TS for some users and
> LAN & WAN access to others. I’ve managed to get TS Console to identify the
> two NICs in the server (LAN and WAN) by duplicating the
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> Server\WinStations\RDP-Tcp Key in the registry (renaming each one of them
> after). This way I can distinct the LAN and WAN connection and set access
> port (LAN uses default 3389 and WAN uses another port) and color depth etc
> etc.
> On the WAN adapter I’ve set only the group who should get access outside the
> network and in the LAN adapter both groups (outside users and lan users).
> This works fine because LAN users can’t logon from outside the network. BUT
> there’s a problem. If the user leaves his session disconnected the TS Server
> will reconnect him. I can’t just restrict disconnected time period because
> users work every day with a lot of documents and they leave them opened to
> the next day. I’ve discovered that the SYSTEM account is the responsible of
> “reconnect sessions” so I’ve tried to remove that account from the WAN
> adapter and it works! The sessions are not reconnected from the outside but
> the problem is that Wan-enabled users can’t reconnect to their sessions and
> the system generates a new one because can’t re establish the link with the
> one opened. I’ve tried almost anything and still no luck. Even if I restrict
> one session by user the wan-enabled users can’t reconnect to the disconnected
> session they left opened but if I give the SYSTEM account the right to
> reconnect them LAN users will get access from outside the network.
> Someone recommend me to use 2X SecureRDP but despite this software is grate
> it can’t distinguish between LAN and WAN adapters.
> Any ideas will be greatly!!!
>

 

[Rodrigo_live]

RE: Restrict WAN access

James:

No, that's not what I need to do. I need to restrict access to the Terminal
Server from outside the network for some users. It's not related to internet
access, just access to the TS Server.

"James Yeomans BSc, MCSE" wrote:

> Hi if i understand correctly you want some users to be able to access the
> internet and some to be restricted. If this is the case and considering
> you're working on a TS you shouldn't change any IP settings. on a
> workstation you could remove the default gateway so the internet could not be
> reached. However in this case you really need something else filteringt he
> web traffic, say ISA server or another proxy type package. With ISA server
> you can restrict internet access to specific users/groups. Thats the only
> really sensible way to achieve what ytou are trying to.
> --
> James Yeomans, BSc, MCSE
>
>
> "Rodrigo_live" wrote:
>
> > Hi. In my company there’s a Windows 2003 Terminal Server that users access to
> > work every day. W e need to restrict access to LAN only TS for some users and
> > LAN & WAN access to others. I’ve managed to get TS Console to identify the
> > two NICs in the server (LAN and WAN) by duplicating the
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> > Server\WinStations\RDP-Tcp Key in the registry (renaming each one of them
> > after). This way I can distinct the LAN and WAN connection and set access
> > port (LAN uses default 3389 and WAN uses another port) and color depth etc
> > etc.
> > On the WAN adapter I’ve set only the group who should get access outside the
> > network and in the LAN adapter both groups (outside users and lan users).
> > This works fine because LAN users can’t logon from outside the network. BUT
> > there’s a problem. If the user leaves his session disconnected the TS Server
> > will reconnect him. I can’t just restrict disconnected time period because
> > users work every day with a lot of documents and they leave them opened to
> > the next day. I’ve discovered that the SYSTEM account is the responsible of
> > “reconnect sessions” so I’ve tried to remove that account from the WAN
> > adapter and it works! The sessions are not reconnected from the outside but
> > the problem is that Wan-enabled users can’t reconnect to their sessions and
> > the system generates a new one because can’t re establish the link with the
> > one opened. I’ve tried almost anything and still no luck. Even if I restrict
> > one session by user the wan-enabled users can’t reconnect to the disconnected
> > session they left opened but if I give the SYSTEM account the right to
> > reconnect them LAN users will get access from outside the network.
> > Someone recommend me to use 2X SecureRDP but despite this software is grate
> > it can’t distinguish between LAN and WAN adapters.
> > Any ideas will be greatly!!!
> >

 

[James Yeomans BSc, MCSE]

RE: Restrict WAN access

Ah i see, ok completely different issue. Well how do they get remote access
to the terminal server in the first place, through a windows vpn? If so do
you want to keep the vpn for those users or do they not require remote
access. I think what you are trying to say is they require remote access but
you don't want them to be able to use TS from outside, just the inside????
correct??
--
James Yeomans, BSc, MCSE


"Rodrigo_live" wrote:

> James:
>
> No, that's not what I need to do. I need to restrict access to the Terminal
> Server from outside the network for some users. It's not related to internet
> access, just access to the TS Server.
>
> "James Yeomans BSc, MCSE" wrote:
>
> > Hi if i understand correctly you want some users to be able to access the
> > internet and some to be restricted. If this is the case and considering
> > you're working on a TS you shouldn't change any IP settings. on a
> > workstation you could remove the default gateway so the internet could not be
> > reached. However in this case you really need something else filteringt he
> > web traffic, say ISA server or another proxy type package. With ISA server
> > you can restrict internet access to specific users/groups. Thats the only
> > really sensible way to achieve what ytou are trying to.
> > --
> > James Yeomans, BSc, MCSE
> >
> >
> > "Rodrigo_live" wrote:
> >
> > > Hi. In my company there’s a Windows 2003 Terminal Server that users access to
> > > work every day. W e need to restrict access to LAN only TS for some users and
> > > LAN & WAN access to others. I’ve managed to get TS Console to identify the
> > > two NICs in the server (LAN and WAN) by duplicating the
> > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> > > Server\WinStations\RDP-Tcp Key in the registry (renaming each one of them
> > > after). This way I can distinct the LAN and WAN connection and set access
> > > port (LAN uses default 3389 and WAN uses another port) and color depth etc
> > > etc.
> > > On the WAN adapter I’ve set only the group who should get access outside the
> > > network and in the LAN adapter both groups (outside users and lan users).
> > > This works fine because LAN users can’t logon from outside the network. BUT
> > > there’s a problem. If the user leaves his session disconnected the TS Server
> > > will reconnect him. I can’t just restrict disconnected time period because
> > > users work every day with a lot of documents and they leave them opened to
> > > the next day. I’ve discovered that the SYSTEM account is the responsible of
> > > “reconnect sessions” so I’ve tried to remove that account from the WAN
> > > adapter and it works! The sessions are not reconnected from the outside but
> > > the problem is that Wan-enabled users can’t reconnect to their sessions and
> > > the system generates a new one because can’t re establish the link with the
> > > one opened. I’ve tried almost anything and still no luck. Even if I restrict
> > > one session by user the wan-enabled users can’t reconnect to the disconnected
> > > session they left opened but if I give the SYSTEM account the right to
> > > reconnect them LAN users will get access from outside the network.
> > > Someone recommend me to use 2X SecureRDP but despite this software is grate
> > > it can’t distinguish between LAN and WAN adapters.
> > > Any ideas will be greatly!!!
> > >

 

[Rodrigo_live]

RE: Restrict WAN access

Well… some users should have access to Terminal Server from outside the
company, others shouldn’t. Let me be clear in this point. From inside the
company (LAN) everyone needs to access the TS server and they do every day.
From outside (WAN) I need to make sure only some users can access it.
Actually all users can access the server from outside the company because
there’s a publishing rule in the ISA server that redirects port 3388 (TS port
for the WAN) to the TS server. That way users that need to work from home
access the TS server using the RDP Client in Windows XP/Vista. Using VPNs
it’s not an option because no one has vpn dial access allowed. This is
primarily by security.

"James Yeomans BSc, MCSE" wrote:

> Ah i see, ok completely different issue. Well how do they get remote access
> to the terminal server in the first place, through a windows vpn? If so do
> you want to keep the vpn for those users or do they not require remote
> access. I think what you are trying to say is they require remote access but
> you don't want them to be able to use TS from outside, just the inside????
> correct??
> --
> James Yeomans, BSc, MCSE
>
>
> "Rodrigo_live" wrote:
>
> > James:
> >
> > No, that's not what I need to do. I need to restrict access to the Terminal
> > Server from outside the network for some users. It's not related to internet
> > access, just access to the TS Server.
> >
> > "James Yeomans BSc, MCSE" wrote:
> >
> > > Hi if i understand correctly you want some users to be able to access the
> > > internet and some to be restricted. If this is the case and considering
> > > you're working on a TS you shouldn't change any IP settings. on a
> > > workstation you could remove the default gateway so the internet could not be
> > > reached. However in this case you really need something else filteringt he
> > > web traffic, say ISA server or another proxy type package. With ISA server
> > > you can restrict internet access to specific users/groups. Thats the only
> > > really sensible way to achieve what ytou are trying to.
> > > --
> > > James Yeomans, BSc, MCSE
> > >
> > >
> > > "Rodrigo_live" wrote:
> > >
> > > > Hi. In my company there’s a Windows 2003 Terminal Server that users access to
> > > > work every day. W e need to restrict access to LAN only TS for some users and
> > > > LAN & WAN access to others. I’ve managed to get TS Console to identify the
> > > > two NICs in the server (LAN and WAN) by duplicating the
> > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> > > > Server\WinStations\RDP-Tcp Key in the registry (renaming each one of them
> > > > after). This way I can distinct the LAN and WAN connection and set access
> > > > port (LAN uses default 3389 and WAN uses another port) and color depth etc
> > > > etc.
> > > > On the WAN adapter I’ve set only the group who should get access outside the
> > > > network and in the LAN adapter both groups (outside users and lan users).
> > > > This works fine because LAN users can’t logon from outside the network. BUT
> > > > there’s a problem. If the user leaves his session disconnected the TS Server
> > > > will reconnect him. I can’t just restrict disconnected time period because
> > > > users work every day with a lot of documents and they leave them opened to
> > > > the next day. I’ve discovered that the SYSTEM account is the responsible of
> > > > “reconnect sessions” so I’ve tried to remove that account from the WAN
> > > > adapter and it works! The sessions are not reconnected from the outside but
> > > > the problem is that Wan-enabled users can’t reconnect to their sessions and
> > > > the system generates a new one because can’t re establish the link with the
> > > > one opened. I’ve tried almost anything and still no luck. Even if I restrict
> > > > one session by user the wan-enabled users can’t reconnect to the disconnected
> > > > session they left opened but if I give the SYSTEM account the right to
> > > > reconnect them LAN users will get access from outside the network.
> > > > Someone recommend me to use 2X SecureRDP but despite this software is grate
> > > > it can’t distinguish between LAN and WAN adapters.
> > > > Any ideas will be greatly!!!
> > > >

 

[James Yeomans BSc, MCSE]

RE: Restrict WAN access

Ok i see thats clearer now. Out of interest why don't you want them to access
it from outside the lan? You could consider restricting log on hours if its
user working from outside in just the evenings. Not overly familiar with ISA
server but there may be a way in that to block this for certain groups. I
suspect there is. I suggest posting this question in the ISA forum so that
someone there can answer it?
James.
--
James Yeomans, BSc, MCSE


"Rodrigo_live" wrote:

> Well… some users should have access to Terminal Server from outside the
> company, others shouldn’t. Let me be clear in this point. From inside the
> company (LAN) everyone needs to access the TS server and they do every day.
> From outside (WAN) I need to make sure only some users can access it.
> Actually all users can access the server from outside the company because
> there’s a publishing rule in the ISA server that redirects port 3388 (TS port
> for the WAN) to the TS server. That way users that need to work from home
> access the TS server using the RDP Client in Windows XP/Vista. Using VPNs
> it’s not an option because no one has vpn dial access allowed. This is
> primarily by security.
>
> "James Yeomans BSc, MCSE" wrote:
>
> > Ah i see, ok completely different issue. Well how do they get remote access
> > to the terminal server in the first place, through a windows vpn? If so do
> > you want to keep the vpn for those users or do they not require remote
> > access. I think what you are trying to say is they require remote access but
> > you don't want them to be able to use TS from outside, just the inside????
> > correct??
> > --
> > James Yeomans, BSc, MCSE
> >
> >
> > "Rodrigo_live" wrote:
> >
> > > James:
> > >
> > > No, that's not what I need to do. I need to restrict access to the Terminal
> > > Server from outside the network for some users. It's not related to internet
> > > access, just access to the TS Server.
> > >
> > > "James Yeomans BSc, MCSE" wrote:
> > >
> > > > Hi if i understand correctly you want some users to be able to access the
> > > > internet and some to be restricted. If this is the case and considering
> > > > you're working on a TS you shouldn't change any IP settings. on a
> > > > workstation you could remove the default gateway so the internet could not be
> > > > reached. However in this case you really need something else filteringt he
> > > > web traffic, say ISA server or another proxy type package. With ISA server
> > > > you can restrict internet access to specific users/groups. Thats the only
> > > > really sensible way to achieve what ytou are trying to.
> > > > --
> > > > James Yeomans, BSc, MCSE
> > > >
> > > >
> > > > "Rodrigo_live" wrote:
> > > >
> > > > > Hi. In my company there’s a Windows 2003 Terminal Server that users access to
> > > > > work every day. W e need to restrict access to LAN only TS for some users and
> > > > > LAN & WAN access to others. I’ve managed to get TS Console to identify the
> > > > > two NICs in the server (LAN and WAN) by duplicating the
> > > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> > > > > Server\WinStations\RDP-Tcp Key in the registry (renaming each one of them
> > > > > after). This way I can distinct the LAN and WAN connection and set access
> > > > > port (LAN uses default 3389 and WAN uses another port) and color depth etc
> > > > > etc.
> > > > > On the WAN adapter I’ve set only the group who should get access outside the
> > > > > network and in the LAN adapter both groups (outside users and lan users).
> > > > > This works fine because LAN users can’t logon from outside the network. BUT
> > > > > there’s a problem. If the user leaves his session disconnected the TS Server
> > > > > will reconnect him. I can’t just restrict disconnected time period because
> > > > > users work every day with a lot of documents and they leave them opened to
> > > > > the next day. I’ve discovered that the SYSTEM account is the responsible of
> > > > > “reconnect sessions” so I’ve tried to remove that account from the WAN
> > > > > adapter and it works! The sessions are not reconnected from the outside but
> > > > > the problem is that Wan-enabled users can’t reconnect to their sessions and
> > > > > the system generates a new one because can’t re establish the link with the
> > > > > one opened. I’ve tried almost anything and still no luck. Even if I restrict
> > > > > one session by user the wan-enabled users can’t reconnect to the disconnected
> > > > > session they left opened but if I give the SYSTEM account the right to
> > > > > reconnect them LAN users will get access from outside the network.
> > > > > Someone recommend me to use 2X SecureRDP but despite this software is grate
> > > > > it can’t distinguish between LAN and WAN adapters.
> > > > > Any ideas will be greatly!!!
> > > > >

 

[Rodrigo_live]

RE: Restrict WAN access

Thank you! I will post it on ISA groups. The reason we need to do this is
because some employes had been "playing" with the system from ouside the
company and we can't restrict logon times because there's a lot of people
working a they all have diferent work hours. Thanks for your help.

"James Yeomans BSc, MCSE" wrote:

> Ok i see thats clearer now. Out of interest why don't you want them to access
> it from outside the lan? You could consider restricting log on hours if its
> user working from outside in just the evenings. Not overly familiar with ISA
> server but there may be a way in that to block this for certain groups. I
> suspect there is. I suggest posting this question in the ISA forum so that
> someone there can answer it?
> James.
> --
> James Yeomans, BSc, MCSE
>
>
> "Rodrigo_live" wrote:
>
> > Well… some users should have access to Terminal Server from outside the
> > company, others shouldn’t. Let me be clear in this point. From inside the
> > company (LAN) everyone needs to access the TS server and they do every day.
> > From outside (WAN) I need to make sure only some users can access it.
> > Actually all users can access the server from outside the company because
> > there’s a publishing rule in the ISA server that redirects port 3388 (TS port
> > for the WAN) to the TS server. That way users that need to work from home
> > access the TS server using the RDP Client in Windows XP/Vista. Using VPNs
> > it’s not an option because no one has vpn dial access allowed. This is
> > primarily by security.
> >
> > "James Yeomans BSc, MCSE" wrote:
> >
> > > Ah i see, ok completely different issue. Well how do they get remote access
> > > to the terminal server in the first place, through a windows vpn? If so do
> > > you want to keep the vpn for those users or do they not require remote
> > > access. I think what you are trying to say is they require remote access but
> > > you don't want them to be able to use TS from outside, just the inside????
> > > correct??
> > > --
> > > James Yeomans, BSc, MCSE
> > >
> > >
> > > "Rodrigo_live" wrote:
> > >
> > > > James:
> > > >
> > > > No, that's not what I need to do. I need to restrict access to the Terminal
> > > > Server from outside the network for some users. It's not related to internet
> > > > access, just access to the TS Server.
> > > >
> > > > "James Yeomans BSc, MCSE" wrote:
> > > >
> > > > > Hi if i understand correctly you want some users to be able to access the
> > > > > internet and some to be restricted. If this is the case and considering
> > > > > you're working on a TS you shouldn't change any IP settings. on a
> > > > > workstation you could remove the default gateway so the internet could not be
> > > > > reached. However in this case you really need something else filteringt he
> > > > > web traffic, say ISA server or another proxy type package. With ISA server
> > > > > you can restrict internet access to specific users/groups. Thats the only
> > > > > really sensible way to achieve what ytou are trying to.
> > > > > --
> > > > > James Yeomans, BSc, MCSE
> > > > >
> > > > >
> > > > > "Rodrigo_live" wrote:
> > > > >
> > > > > > Hi. In my company there’s a Windows 2003 Terminal Server that users access to
> > > > > > work every day. W e need to restrict access to LAN only TS for some users and
> > > > > > LAN & WAN access to others. I’ve managed to get TS Console to identify the
> > > > > > two NICs in the server (LAN and WAN) by duplicating the
> > > > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> > > > > > Server\WinStations\RDP-Tcp Key in the registry (renaming each one of them
> > > > > > after). This way I can distinct the LAN and WAN connection and set access
> > > > > > port (LAN uses default 3389 and WAN uses another port) and color depth etc
> > > > > > etc.
> > > > > > On the WAN adapter I’ve set only the group who should get access outside the
> > > > > > network and in the LAN adapter both groups (outside users and lan users).
> > > > > > This works fine because LAN users can’t logon from outside the network. BUT
> > > > > > there’s a problem. If the user leaves his session disconnected the TS Server
> > > > > > will reconnect him. I can’t just restrict disconnected time period because
> > > > > > users work every day with a lot of documents and they leave them opened to
> > > > > > the next day. I’ve discovered that the SYSTEM account is the responsible of
> > > > > > “reconnect sessions” so I’ve tried to remove that account from the WAN
> > > > > > adapter and it works! The sessions are not reconnected from the outside but
> > > > > > the problem is that Wan-enabled users can’t reconnect to their sessions and
> > > > > > the system generates a new one because can’t re establish the link with the
> > > > > > one opened. I’ve tried almost anything and still no luck. Even if I restrict
> > > > > > one session by user the wan-enabled users can’t reconnect to the disconnected
> > > > > > session they left opened but if I give the SYSTEM account the right to
> > > > > > reconnect them LAN users will get access from outside the network.
> > > > > > Someone recommend me to use 2X SecureRDP but despite this software is grate
> > > > > > it can’t distinguish between LAN and WAN adapters.
> > > > > > Any ideas will be greatly!!!
> > > > > >