Routing conditionally inside Server 2008 (Petri IT Knowledgebase Forums > Microsoft Networking Services > Terminal Services)
this thread has 3 replies and has been viewed 1122 times

#1  26th March 2012, 18:00  RicklesP (MVM)

We're trying to engineer a tech refresh of a network, upgrading from Server 2K3 to 2K8R2, and we're adding a Terminal Server into the mix. The original environment is one which is a collaborative network between multiple commercial partners. Local access has been through local desktops, but some users no longer want a local access PC and a corporate laptop with VPN on their desks at the same time. We already have a remote connection capability in place through a Juniper solution from the Internet for folks out of the hosting country, but only to web-based resources we offer internally.

We want to expand this remote capability to include traffic from the corporate laptops that the local users hold, so they can use 1 PC to do everything. But if we implement a Terminal Server/Remote Desktop server for all comers, local & remote, we have to disallow remote users from sending/receiving traffic through one leg of our firewall, while still allowing local laptop users the ability to use the same leg. And, if that same local user connects remotely because they're travelling, etc., they should be blocked from using that leg as well.

I've seen info on policy-based routing but not enough to tell us whether it will work in our case. Is there a way to identify a TS user's source-IP for their session, so we can use that to decide how/when to block outbound traffic from the TS to that leg on the firewall? Or are there any other suggestions anyone cares to offer?
#2  27th March 2012, 22:21  yuval14 (MVP)

Hi,

Why do you want to block traffic, and what traffic would you like to block?
Remote Desktop technology creates two connections, for example:

10.0.0.2 (PC in VLAN2) -> 192.168.1.100 (TS in VLAN5) -> 2.2.2.2 (internet)

As you can see, you have two sessions:

10.0.0.2 (PC in VLAN2) -> 192.168.1.100 (TS in VLAN5)

192.168.1.100 (TS in VLAN5) -> 2.2.2.2 (internet)

So, by default, any session that will go out from the TS would use the source 192.168.1.100.

However, in Windows 2008 / 2008 R2 you can setup a virtual IP for each RDP connection, so the source IP would be 192.168.1.101 for user1, 192.168.1.102 for user2.

If you would like to control internet surfing, please use a transparent proxy.
__________________
Best Regards,

Yuval Sinay

LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14
#3  29th March 2012, 21:28  RicklesP (MVM)

Thanks for answering. We have to block traffic due to customer requirements. Internal users can access resources only available via one sensitive subnet connected to our firewall, but external users cannot.

The internal users want to be able to use their non-internal laptops to access their internet resources AND the private internal resources, which we can safely do. The problem is when those same internal users are using those same laptops to connect from externally (i.e. from home)--they aren't allowed to access the sensitive network.

Since we're using roaming profiles, and the internal users expect to see the same profile whether they log into the TS from inside or outside, how do we stop any external user from trying to access the sensitive subnet but allow internal users to access that same subnet? We can bring the external traffic into the TS from 1 ip and the internal users in from a second ip, but it's when an internal user with an internal profile connects from the 1st ip--we want to block their access to the sensitive subnet if their login ip is not a specific value (if that's the right thing to focus on.)

I'm not sure I understand exactly your notes below, but will consult with a colleague & see if we can make sense of it.
#4  5th April 2012, 10:19  RicklesP (MVM)

Follow-up note: after re-reading yuval14's note again and doing some searching, it looks like the virtual IP option will do just what we want--we simply use a firewall rule to block traffic out to the private subnet from a specific source IP, that of the external users. Internal users will have virtual IPs assigned as they log in, and their traffic will be allowed as normal.

Thanks for the pointer to the new TS function. Never set up TS before so hadn't seen/heard of it before.
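The thread settles on two pieces: identifying which address an RDP session arrived from, and giving sessions their own egress IP (RD IP Virtualization) so a firewall rule can block the sensitive subnet by source address. The script below is an added example for a Server 2008 R2 RD Session Host, not code from the thread or from either poster. It reads the per-session client address from the Security log (event 4624, logon type 10), reports the RD IP Virtualization state, and adds a host-side outbound block as a local mirror of the perimeter rule. The subnet and host addresses are constructed placeholders, and the WMI class `Win32_TSVirtualIP` with its `VirtualIPActive`/`VirtualIPMode` properties is an assumption to confirm on your own host; the documented way to enable the feature is the Group Policy setting named in the comments.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the 2008 R2 RDSH.
# Addresses below are constructed placeholders; adjust to the real firewall leg and host NIC.

$SensitiveSubnet = '10.10.10.0/24'    # placeholder: the customer's sensitive subnet behind the firewall leg
$HostIp          = '192.168.1.100'    # placeholder: the host's own NIC address (yuval14's example value)

# 1. Which user logged on over RDP, and from which client address?
#    Security event 4624 with LogonType 10 (RemoteInteractive) carries the client's address in
#    its IpAddress field. Sessions arriving via the Juniper box or an RD Gateway show that device's
#    address, which is exactly what distinguishes "external" from "internal" in this design.
function Get-RdpLogonSource {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LogonType'] -eq '10') {
                New-Object PSObject -Property @{
                    Time     = $_.TimeCreated
                    User     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    ClientIp = $d['IpAddress']
                }
            }
        }
}
Get-RdpLogonSource | Format-Table Time, User, ClientIp -AutoSize

# 2. Is RD IP Virtualization switched on? Assumption: the Win32_TSVirtualIP class in the
#    root\CIMV2\TerminalServices namespace exposes VirtualIPActive and VirtualIPMode
#    (0 = per session, 1 = per program). The setting itself is normally enabled through Group Policy:
#    Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services
#    > Remote Desktop Session Host > Application Compatibility > Turn on Remote Desktop IP Virtualization.
$vip = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSVirtualIP -ErrorAction SilentlyContinue
if ($vip) { "IP virtualization active: $($vip.VirtualIPActive)  mode: $($vip.VirtualIPMode)" }
else      { 'Win32_TSVirtualIP not found; enable RD IP Virtualization via Group Policy and re-check.' }

# 3. Defence in depth on the host: anything that still leaves with the host's own address
#    (a session that did not receive a virtual IP, or a service running outside any session)
#    may not reach the sensitive subnet. The thread's primary control is the rule on the
#    perimeter firewall; this rule mirrors it locally so a missed virtual IP fails closed.
netsh advfirewall firewall add rule name="Block sensitive subnet from host address" `
    dir=out action=block protocol=any localip=$HostIp remoteip=$SensitiveSubnet
```

Per-session virtual IPs are leased from DHCP, so the perimeter rule only works if the addresses external sessions end up with are predictable (a reservation, a dedicated scope, or the host address itself); step 1 is how to verify, from the audit trail, that each session really did arrive from the address the rule assumes.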
All times are GMT +3.