Routing conditionally inside Server 2008

  • Routing conditionally inside Server 2008

    We're trying to engineer a tech refresh of a network, upgrading from Server 2K3 to 2K8R2, and we're adding a Terminal Server into the mix. The original environment is one which is a collaborative network between multiple commercial partners. Local access has been through local desktops, but some users no longer want a local access PC and a corporate laptop with VPN on their desks at the same time. We already have a remote connection capability in place through a Juniper solution from the Internet for folks out of the hosting country, but only to web-based resources we offer internally.

    We want to expand this remote capability to include traffic from the corporate laptops that the local users hold, so they can use 1 PC to do everything. But if we implement a Terminal Server/Remote Desktop server for all comers local & remote, we have to disallow remote users from sending/receiving traffic through one leg of our firewall, while still allowing local laptop users the ability to use the same leg. And, if that same local user connects remotely because they're travelling, etc., they should be blocked from using that leg as well.

    I've seen info on policy-based routing but not enough to tell us whether it will work in our case. Is there a way to identify a TS user's source IP for their session, so we can use that to decide how/when to block outbound traffic from the TS to that leg on the firewall? Or are there any other suggestions anyone cares to offer?
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

  • #2
    Re: Routing conditionally inside Server 2008

    Hi,

    Why do you want to block traffic, and what traffic would you like to block?
    Remote Desktop technology creates two connections, for example:

    10.0.0.2 (PC in VLAN2) -> 192.168.1.100 (TS in VLAN5) -> 2.2.2.2 (internet)

    As you can see, you have two sessions:

    10.0.0.2 (PC in VLAN2) -> 192.168.1.100 (TS in VLAN5)

    192.168.1.100 (TS in VLAN5) -> 2.2.2.2 (internet)

    So, by default, any session that will go out from the TS would use the source 192.168.1.100.

    However, in Windows 2008 / 2008 R2 you can set up a virtual IP for each RDP connection, so the source IP would be 192.168.1.101 for user1, 192.168.1.102 for user2.

    If you would like to control internet surfing, please use a transparent proxy.
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: Routing conditionally inside Server 2008

      Thanks for answering. We have to block traffic due to customer requirements. Internal users can access resources only available via one sensitive subnet connected to our firewall, but external users cannot.

      The internal users want to be able to use their non-internal laptops to access their internet resources AND the private internal resources, which we can safely do. The problem is when those same internal users are using those same laptops to connect from externally (i.e. from home): they aren't allowed to access the sensitive network.

      Since we're using roaming profiles, and the internal users expect to see the same profile whether they log into the TS from inside or outside, how do we stop any external user from trying to access the sensitive subnet but allow internal users to access that same subnet? We can bring the external traffic into the TS from 1 IP and the internal users in from a second IP, but it's when an internal user with an internal profile connects from the 1st IP that we want to block their access to the sensitive subnet if their login IP is not a specific value (if that's the right thing to focus on).

      I'm not sure I understand exactly your notes below, but will consult with a colleague & see if we can make sense of it.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **



      • #4
        Re: Routing conditionally inside Server 2008

        Follow-up note: after re-reading yuval14's note again and doing some searching, it looks like the virtual IP option will do just what we want--we simply use a firewall rule to block traffic out to the private subnet from a specific source IP, that of the external users. Internal users will have virtual IPs assigned as they log in, and their traffic will be allowed as normal.

        Thanks for the pointer to the new TS function. Never set up TS before so hadn't seen/heard of it before.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **
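A worked model of the per-session source-address idea from #2 and the firewall-rule plan from #4, as an added example and not code from the original thread. Every address, pool, rule and session record below is constructed. The model assumes the session host hands internal and external sessions addresses from two separate pools chosen by the RDP client's source address; that is an assumption of the model (two listeners with two DHCP scopes would be one way to get it), not a stated property of RD IP Virtualization, which takes its per-session addresses from DHCP. What it shows is the point the thread turns on: without per-session addresses the firewall on the sensitive leg sees one source (the host) for every session and cannot separate them, and with them the "external sessions, including a travelling internal user, may not reach the sensitive subnet" requirement becomes an ordinary source/destination rule.

```python
"""Per-session source IP vs. a shared host IP, as seen by a firewall on the sensitive leg.

Constructed example (not from the original thread). Addresses, pools and
sessions are made up; pool selection by client origin is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed topology (assumptions, not the poster's real addressing).
INTERNAL_CLIENT_NETS = [ip_network("10.0.0.0/8")]        # local desktops / LAN-docked laptops
SENSITIVE_NET = ip_network("172.16.50.0/24")              # the "one leg" of the firewall
INTERNAL_POOL = ip_network("192.168.1.128/27")            # virtual IPs handed to internal sessions
EXTERNAL_POOL = ip_network("192.168.1.160/27")            # virtual IPs handed to external sessions
TS_HOST_IP = ip_address("192.168.1.100")                  # session host's own address (as in #2)


@dataclass
class Session:
    user: str
    client_addr: IPv4Address                # where the RDP client connected from
    virtual_ip: Optional[IPv4Address] = None


def is_internal_client(addr: IPv4Address) -> bool:
    """Internal means the RDP client itself sits on an internal network, whoever the user is."""
    return any(addr in net for net in INTERNAL_CLIENT_NETS)


class VirtualIpAllocator:
    """Hands out per-session addresses from the pool matching the client's origin (model assumption)."""

    def __init__(self) -> None:
        self._pools = {True: INTERNAL_POOL.hosts(), False: EXTERNAL_POOL.hosts()}

    def assign(self, s: Session) -> IPv4Address:
        s.virtual_ip = next(self._pools[is_internal_client(s.client_addr)])
        return s.virtual_ip


@dataclass
class Rule:
    action: str                             # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network


# First match wins, then implicit deny, like most stateful firewalls.
FIREWALL_RULES: List[Rule] = [
    Rule("deny", EXTERNAL_POOL, SENSITIVE_NET),          # the rule #4 proposes
    Rule("allow", INTERNAL_POOL, SENSITIVE_NET),
    Rule("allow", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),
]


def firewall_verdict(src: IPv4Address, dst: IPv4Address, rules: List[Rule] = FIREWALL_RULES) -> str:
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return "deny"


def outbound_source(s: Session, virtualization_on: bool) -> IPv4Address:
    """Source address the firewall actually sees for this session's traffic (the second hop in #2)."""
    if virtualization_on and s.virtual_ip is not None:
        return s.virtual_ip
    return TS_HOST_IP


def can_reach_sensitive(s: Session, virtualization_on: bool) -> bool:
    target = SENSITIVE_NET[10]              # any host on the sensitive subnet
    return firewall_verdict(outbound_source(s, virtualization_on), target) == "allow"


def run_demo() -> Dict[str, Dict[str, bool]]:
    """Three constructed sessions: an internal user at a desk, a partner from outside,
    and the same internal user connecting from home with the same roaming profile."""
    sessions = [
        Session("alice", ip_address("10.0.0.2")),
        Session("bob", ip_address("203.0.113.7")),
        Session("alice", ip_address("198.51.100.9")),
    ]
    alloc = VirtualIpAllocator()
    for s in sessions:
        alloc.assign(s)
    return {
        f"{s.user}@{s.client_addr}": {
            "shared_host_ip": can_reach_sensitive(s, False),
            "per_session_ip": can_reach_sensitive(s, True),
        }
        for s in sessions
    }


if __name__ == "__main__":
    for session, verdicts in run_demo().items():
        print(session, verdicts)
```

Note the third session: the same roaming-profile user that was allowed from 10.0.0.2 is denied from 198.51.100.9, because the decision keys on the client's source address at logon, not on the account. The model also makes the residual risk visible: if anything on the host can originate traffic from the host's own address rather than a session's virtual one, the catch-all rule lets it through, so the real firewall policy should deny the host address to the sensitive leg unless a specific service needs it.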
