Allowing ext company vpn access to one server
  • Allowing ext company vpn access to one server

    Hi guys, I have a little issue where I have an external company who needs access to one of our W2003 member servers to make some changes to the configuration of their software running on it. I can give them VPN access but am getting a sore head thinking about how to give them access to only the member server in question with admin rights, and not the rest of the W2K domain?

    Is there an easy way, or any way, to do this?

    Thanking you all in advance

    Rob.

  • #2
    Re: Allowing ext company vpn access to one server

    What kind of VPN server do you have?
    Regards,
    csaba
    Regards,
    Csaba Papp
    MCSA+messaging, MCSE, CCNA


    • #3
      Re: Allowing ext company vpn access to one server

      Hi Csaba, it comes through a WatchGuard Firebox III/1000, which then authenticates the user's Windows login and password via a domain controller. Hope this helps!

      Rob



      • #4
        Re: Allowing ext company vpn access to one server

        You could do what I have done with external clients?

        Provide a VPN account that you can disable when not needed.

        Set up something like VNC on the server. Log that server in as domain admin (or similar).

        Give them just the IP of the server with VNC on it.

        Be present when they make the changes to (a) learn what they are doing and (b) ensure they don't "wander". (You can both VNC on at the same time and make changes, etc.)

        When they have finished, disable the VPN account and remove VNC.

        I know it's not the most perfect solution but it worked for our needs.



        • #5
          Re: Allowing ext company vpn access to one server

          Hi Jason, thanks for that, I'll give it a go. It's simple enough as a workaround, isn't it?

          Cheers

          Rob.



          • #6
            Re: Allowing ext company vpn access to one server

            Here is what you can do:

            1. If the requested user needs admin rights, add this user as a member only of the Administrators group on the member server;
            2. Make this user account expire as soon as possible. This way, even if you forget to disable it, the account will be useless;
            3. If your software vendor only needs access to its application, you can define a TS profile allowing this user to have access only to this. When the application is closed, the TS connection will also be ended;

            Some VPN solutions (like ISA 2000/2004, Cisco, and so on) let you define network-level restrictions; more exactly, the user can access only a range of IPs or subnets.
            I don't think that your VPN box has this capability.

            Regards,
            CSaba


            • #7
              Re: Allowing ext company vpn access to one server

              Netxd has a better way, I believe ... though for simplicity you could do both:

              1. Create the user an account that has VPN access.
              2. Set the expiry date to be very short (nice one, Netxd!)
              3. Add this user to the local Administrators group on the server in question.
              4. The user will need some way of connecting to the server once they have VPN'd in. I like VNC as it is free (version 4) and starts as a service. You can then leave the server on the logon screen for the client to log in with.
              5. Like Netxd said, if you forget about the account, it expires by itself, and they only have admin rights to 1 PC.

              Many different ways of doing the same thing

              Comment
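The account steps from posts #6 and #7 (expiring account, admin rights on the one server only) as a Windows command script; this is an added example and not part of any post in the thread. `EXAMPLEDOM`, `vendor-temp`, the expiry date and the script name are placeholders, and granting the account VPN access on the firewall is left out because it depends on the VPN device.

```batch
@echo off
rem Added example, not from the thread. DOMAIN, VENDOR and EXPIRES are
rem placeholder values (assumptions); replace them before use.
rem Usage: vendor-access.cmd grant ^| revoke
rem Run it on the member server itself, as an account allowed to create
rem domain users, so that "net localgroup" edits that server's local group.
setlocal
set DOMAIN=EXAMPLEDOM
set VENDOR=vendor-temp
rem Date order (mm/dd or dd/mm) follows the machine's regional settings.
set EXPIRES=01/31/2025

if /i "%~1"=="grant" goto grant
if /i "%~1"=="revoke" goto revoke
echo Usage: %~nx0 grant ^| revoke
exit /b 1

:grant
rem "*" prompts for the password instead of leaving it in the script.
net user %VENDOR% * /add /domain /expires:%EXPIRES% /comment:"Temporary vendor access"
if errorlevel 1 exit /b 1
rem Admin rights on this server only: local Administrators, no domain group.
net localgroup Administrators %DOMAIN%\%VENDOR% /add
if errorlevel 1 exit /b 1
rem Check: the new account must not show up in Domain Admins.
net group "Domain Admins" /domain | findstr /i /c:"%VENDOR%" >nul
if not errorlevel 1 echo WARNING: %VENDOR% is listed in Domain Admins
rem Show the expiry date and group memberships for a final read-through.
net user %VENDOR% /domain
exit /b 0

:revoke
rem Disable the account first, then remove the local admin membership.
net user %VENDOR% /active:no /domain
net localgroup Administrators %DOMAIN%\%VENDOR% /delete
exit /b 0
```

Running `revoke` when the vendor finishes closes the account immediately; the `/expires` date is the backstop if that step is forgotten.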