Restricting Terminal Services connections to VPN


Ruben Kerkhof

Good evening,

I'm building a Windows 2003 server, which is going to be used in a
colocation environment.
I installed RRAS and I've successfully created a vpn connection to my
server.
Is it possible to restrict the use of Remote Desktop, so that traffic is
only accepted over the vpn-connection, and not over the internet?

I was looking for a way to tell Terminal Services to use the vpn-adapter,
but haven't found a way to do this.

Kind regards,

Ruben Kerkhof
(e-mail address removed)
MCSE 2000, MCSE 2003, MCDBA, MCAD
 
Not sure of the issue, but I am thinking you may want to modify the routing
table.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me unless you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.
 
On the client or on the server?
You mean I'll have to limit the routing on the client so all data goes through
the VPN tunnel?
No idea where to look, I'm an MCSE, not a Cisco engineer ;-)
 
On the server. Is the server directly connected to the Internet? If you
block the RDP protocol on the server's public interface, clients cannot
connect through it using RDP. They will still be able to use RDP from a VPN
connection because VPN traffic comes through while still encrypted.

If you have a firewall, you can do this in the firewall settings. If
not, you can use packet filters in RRAS. In the RRAS console, right-click
the public interface, select Properties and look for Input Filters.
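
A small model of the filtering described in the reply above, added here as an example and not part of the original thread. It assumes a PPTP VPN (TCP 1723 control channel plus IP protocol 47/GRE for data) and a constructed public address; the class and variable names are hypothetical. It compares blocking only RDP on the public interface with allowing only VPN traffic, and shows that RDP carried inside the tunnel is judged by its outer header.

```python
# Added illustration: per-interface input filters evaluated on the outer header only.
# Assumes PPTP (TCP 1723 + IP protocol 47/GRE); all addresses are constructed.
from dataclasses import dataclass
from typing import Optional

TCP, GRE = 6, 47
PUBLIC_IP = "203.0.113.10"  # constructed (documentation range)

@dataclass(frozen=True)
class Packet:
    proto: int                        # IP protocol number of the OUTER header
    dst: str
    dport: Optional[int] = None       # None for protocols without ports (GRE)
    inner: Optional["Packet"] = None  # tunnelled payload; the filter never sees it

@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None       # None matches any port
    def matches(self, p):
        return p.proto == self.proto and (self.dport is None or p.dport == self.dport)

@dataclass(frozen=True)
class InputFilter:
    rules: tuple
    drop_matching: bool  # True: drop listed traffic, pass the rest; False: pass listed only
    def accepts(self, p):
        hit = any(r.matches(p) for r in self.rules)
        return not hit if self.drop_matching else hit

# Option 1: block only RDP on the public interface.
block_rdp = InputFilter((Rule(TCP, 3389),), drop_matching=True)
# Option 2: accept nothing but the VPN protocol on the public interface.
vpn_only = InputFilter((Rule(TCP, 1723), Rule(GRE)), drop_matching=False)

# Constructed sample packets arriving on the public interface.
SAMPLES = {
    "rdp_direct": Packet(TCP, PUBLIC_IP, 3389),
    "pptp_ctrl": Packet(TCP, PUBLIC_IP, 1723),
    "rdp_in_tunnel": Packet(GRE, PUBLIC_IP, inner=Packet(TCP, "192.168.1.200", 3389)),
    "http_direct": Packet(TCP, PUBLIC_IP, 80),
}

def verdicts(f):
    """Return {sample name: accepted?} for one filter configuration."""
    return {name: f.accepts(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, f in (("block RDP only", block_rdp), ("VPN only", vpn_only)):
        print(label, verdicts(f))
```

Under the first filter every other exposed service on the public address stays reachable; the second leaves only the VPN endpoint exposed.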
 
The server is not yet connected to the net.
So if I understand your answer correctly I have to disable everything except
VPN and then only VPN-traffic will be allowed.
Stupid I didn't think about that before.

I was always under the assumption that the packet filters in RRAS only
influenced the traffic over the VPN connection, and not the rest.
I must be wrong, and you're right :-)

A big part of the problem is that the server is in my private subnet.

For example:

My client is 192.168.1.2 (assigned by DHCP from my wireless router) and my
server is 192.168.1.200
Do I have to let RRAS assign DHCP addresses to my client, and if so, in what
range?
Not in the same range as my client already is, I guess?
 