Security over VPN

  • Thread starter: Jeff Li

Jeff Li

Hi all,

I built a VPN between head office and branch office using a
pair of VPN devices (ZyXEL). Both ends are Windows 2000
Server. The VPN's objective is that I want the branch
office to access the Web application on the head office's
server only. The head office's server is also a file server
and domain controller. What can I do so that the branch
office cannot browse computers (head office) and shared
folders in head office?

Regards

Jeff Li
 
I am not familiar with the devices that you use, but check their configuration to see
if they can restrict access of the VPN tunnel to only certain IP addresses on the
LAN. If you are using the W2K server as the VPN server, you can configure packet
filters on the IP interface in RRAS or in Remote Access Policy. Another alternative
is to configure IPsec policy with either negotiation for ESP/AH protection, which uses
Kerberos machine authentication in the forest, or IPsec filtering to limit which
IP addresses can access a computer via permit and block filter actions. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;310111 --- about
packet filtering.
http://www.securityfocus.com/infocus/1559 --- IPsec filtering
 
The best way would be to configure filters on the VPN devices to only
allow HTTP traffic to cross the link. It would be difficult to control this
by changing settings on the Windows machines.
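
The replies above describe permit/block filtering that lets only HTTP reach the head office server. The following is an added example, not part of the original thread and not ZyXEL or Windows configuration syntax: a small Python model of such a rule set, checked against constructed flows. The addresses, rule format and first-match evaluation order are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "block"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    dport: Optional[int]   # destination port, or None for any port

# Constructed addressing (assumption): branch LAN and the head office server.
BRANCH_NET = "192.168.2.0/24"
HQ_SERVER = "192.168.1.10"

# Permit only HTTP to the one server; block everything else from the branch.
RULES = [
    Rule("permit", BRANCH_NET, HQ_SERVER + "/32", "tcp", 80),
    Rule("block", BRANCH_NET, "0.0.0.0/0", None, None),
]

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.proto in (None, proto)
                and r.dport in (None, dport)):
            return r.action
    return "block"

# Constructed flows from a branch client: the web application plus the
# Windows browsing and file-sharing services that should stay unreachable.
CLIENT = "192.168.2.25"
FLOWS = [
    ("web application (HTTP)", CLIENT, HQ_SERVER, "tcp", 80),
    ("SMB file sharing", CLIENT, HQ_SERVER, "tcp", 445),
    ("NetBIOS session service", CLIENT, HQ_SERVER, "tcp", 139),
    ("NetBIOS name service", CLIENT, HQ_SERVER, "udp", 137),
    ("RPC endpoint mapper", CLIENT, HQ_SERVER, "tcp", 135),
    ("HTTP to another HQ host", CLIENT, "192.168.1.20", "tcp", 80),
]

def audit(rules=RULES, flows=FLOWS):
    """Map each flow label to the action the rule set would take."""
    return {label: evaluate(rules, s, d, p, port) for label, s, d, p, port in flows}

if __name__ == "__main__":
    for label, action in audit().items():
        print(f"{action:6} {label}")
```

Running the same flow list against the rules actually configured on the device is a quick way to confirm that nothing besides TCP port 80 to the one server is permitted across the tunnel.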
 