Restrict WAN access


Guest Rodrigo_live
Posted

Hi. In my company there’s a Windows 2003 Terminal Server that users access to work every day. We need to restrict some users to LAN-only access to the TS and give others LAN & WAN access. I’ve managed to get TS Console to identify the two NICs in the server (LAN and WAN) by duplicating the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key in the registry (renaming each one of them afterwards). This way I can distinguish the LAN and WAN connections and set the access port (LAN uses the default 3389 and WAN uses another port), colour depth, etc.

On the WAN adapter I’ve set only the group who should get access from outside the network, and on the LAN adapter both groups (outside users and LAN users). This works fine because LAN users can’t log on from outside the network. BUT there’s a problem. If a user leaves his session disconnected, the TS server will reconnect him. I can’t just restrict the disconnected time period because users work every day with a lot of documents and they leave them open until the next day. I’ve discovered that the SYSTEM account is responsible for “reconnect sessions”, so I’ve tried removing that account from the WAN adapter, and it works! The sessions are not reconnected from the outside, but the problem is that WAN-enabled users can’t reconnect to their sessions and the system generates a new one because it can’t re-establish the link with the one left open. I’ve tried almost everything and still no luck. Even if I restrict users to one session each, the WAN-enabled users can’t reconnect to the disconnected session they left open, but if I give the SYSTEM account the right to reconnect them, LAN users will get access from outside the network.

Someone recommended I use 2X SecureRDP, but although this software is great it can’t distinguish between LAN and WAN adapters.

Any ideas will be greatly appreciated!!!
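An added audit script, not from the thread or its participants, for checking the listener split the post describes: it lists every RDP listener under the WinStations key that was duplicated, with its port, adapter binding and enabled flag, and warns when a listener is bound to all adapters or two listeners share a port, since either case silently undoes a per-NIC permission split. It assumes the value names PortNumber, LanAdapter and fEnableWinStation on each listener key, and that LanAdapter = 0 means "all network adapters".

```powershell
# Added audit script (not part of the original post). Run as an administrator
# on the Terminal Server itself; it only reads the registry.
# Assumptions (not stated in the thread): each TCP listener key carries the
# DWORD values PortNumber, LanAdapter (0 = every adapter, otherwise a single
# adapter index) and fEnableWinStation (missing is treated as enabled).

$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

function Get-RdpListenerReport {
    param([string]$Path = $WinStations)
    $rows = @()
    foreach ($key in Get-ChildItem -Path $Path) {
        $p = Get-ItemProperty -Path $key.PSPath
        # Console is a WinStation too but has no PortNumber; skip non-TCP entries
        if ($null -eq $p.PortNumber) { continue }
        $enabled = if ($null -eq $p.fEnableWinStation) { $true } else { [int]$p.fEnableWinStation -ne 0 }
        $rows += New-Object PSObject -Property @{
            Listener   = $key.PSChildName
            Port       = [int]$p.PortNumber
            LanAdapter = [int]$p.LanAdapter
            Enabled    = $enabled
        }
    }
    return ($rows | Select-Object Listener, Port, LanAdapter, Enabled)
}

function Test-RdpListenerSplit {
    param($Rows)
    $findings = @()
    foreach ($r in $Rows) {
        # A listener on "all adapters" answers on the LAN and the WAN NIC alike,
        # so the group permissions set on it apply to both sides.
        if ($r.Enabled -and $r.LanAdapter -eq 0) {
            $findings += "$($r.Listener): bound to all adapters (LanAdapter=0); the per-NIC permission split does not hold"
        }
    }
    # Two listeners on one port: only one of them can actually bind it,
    # so the permissions on the other are never consulted.
    $Rows | Where-Object { $_.Enabled } | Group-Object Port | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Listener }) -join ', '
        $findings += "port $($_.Name) is claimed by more than one enabled listener: $names"
    }
    return $findings
}

$report = Get-RdpListenerReport
$report | Format-Table -AutoSize
$findings = @(Test-RdpListenerSplit -Rows $report)
if ($findings.Count -eq 0) {
    'OK: every enabled listener is bound to a single adapter on its own port'
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

The WARN lines are the ones to act on before trusting the split; the table itself is worth keeping as a baseline so a later change to either listener stands out.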

Guest James Yeomans BSc, MCSE
Posted

RE: Restrict WAN access

Hi, if I understand correctly you want some users to be able to access the internet and some to be restricted. If this is the case, and considering you're working on a TS, you shouldn't change any IP settings. On a workstation you could remove the default gateway so the internet could not be reached. However, in this case you really need something else filtering the web traffic, say ISA Server or another proxy-type package. With ISA Server you can restrict internet access to specific users/groups. That's the only really sensible way to achieve what you are trying to.

--
James Yeomans, BSc, MCSE


Guest Rodrigo_live
Posted

RE: Restrict WAN access

James:

No, that's not what I need to do. I need to restrict access to the Terminal Server from outside the network for some users. It's not related to internet access, just access to the TS server.


Guest James Yeomans BSc, MCSE
Posted

RE: Restrict WAN access

Ah, I see, OK, completely different issue. Well, how do they get remote access to the terminal server in the first place, through a Windows VPN? If so, do you want to keep the VPN for those users, or do they not require remote access? I think what you are trying to say is they require remote access but you don't want them to be able to use TS from outside, just the inside? Correct?

--
James Yeomans, BSc, MCSE


Guest Rodrigo_live
Posted

RE: Restrict WAN access

Well… some users should have access to the Terminal Server from outside the company, others shouldn’t. Let me be clear on this point. From inside the company (LAN) everyone needs to access the TS server, and they do every day. From outside (WAN) I need to make sure only some users can access it. Actually all users can access the server from outside the company because there’s a publishing rule in the ISA server that redirects port 3388 (the TS port for the WAN) to the TS server. That way users that need to work from home access the TS server using the RDP client in Windows XP/Vista. Using VPNs is not an option because no one is allowed VPN dial-in access. This is primarily for security.


Guest James Yeomans BSc, MCSE
Posted

RE: Restrict WAN access

OK, I see, that's clearer now. Out of interest, why don't you want them to access it from outside the LAN? You could consider restricting logon hours if it's users working from outside just in the evenings. I'm not overly familiar with ISA Server, but there may be a way in that to block this for certain groups. I suspect there is. I suggest posting this question in the ISA forum so that someone there can answer it.

James.

--
James Yeomans, BSc, MCSE


Guest Rodrigo_live
Posted

RE: Restrict WAN access

Thank you! I will post it on the ISA groups. The reason we need to do this is because some employees had been "playing" with the system from outside the company, and we can't restrict logon times because there are a lot of people working and they all have different work hours. Thanks for your help.
