Thermochemist
Need Help Confining Remote Desktops to within a VPN Connection
Setup:
Small business network consisting of a Win 2K3 Server (w/RRAS), several WinXP Pro workstations, Comcast Broadband connection, using a Linksys RVS4000 VPN Router (latest firmware 1.2.11).
(1) A VPN Connection is successfully established by using a Network Connection configured in MS Win XP Pro; by specifying the WAN IP of 173.12.26.1xx
(2) Port Forwarding has been successfully configured in the RVS4000 to allow VPN Connections using PPTP (ports 1723 and 47 for GRE); they go to the RRAS Server on the local LAN static IP of 192.168.2.6.
(3) Once a valid VPN Connection is established (via a shortcut on the desktop for the Network Connection), the Remote Desktop program (native to Win XP Pro) is used to successfully connect to the RRAS Server (at static IP 192.168.2.6) AS expected / desired (see point 2 above).
Remote Desktop Connections work without any problems to/from any desired computer from within the local LAN (at the business locale); so we know RD is configured correctly on the workstations. Workstations have been configured to "listen" for RD requests on different ports; for example, to RD to a workstation with a static IP of 192.168.2.8, the user specifies 192.168.2.8:3391 in the RD session to get the connection.
Note: User home networks have a LAN IP with a different subnet (192.168.1.x); so there are no conflicts there.
The Problem
Besides the Server, we'd like to RD, from Remote locations (user homes) to several workstations which have all been configured with static IPs (192.168.2.x). Currently, the ONLY RD connection that works Remotely, as expected / desired, is the one that goes to the Server at static IP 192.168.2.6; once the VPN Connection is made.
If a Port Forwarding entry is made in the RVS4000 for the additional workstations (example, Port 3391 to get forwarded to 192.168.2.8) the Remote Desktop connection WORKS. Unfortunately, it works when a user (ANY User..!) types in the WAN IP of 173.12.16.1xx PLUS the port 3391.
This is NOT what we want..! RD access to any of the workstations using the local LAN IP in the 192.168.2.x range should ONLY be restricted to be accessible WITHIN a valid VPN Connection.
If a VPN Connection is established and a LAN IP other than 192.168.2.6 is specified in an RD session, say 192.168.2.8:3391, then it does NOT work. A generic Remote Desktop Disconnected window appears after a short delay.
A PING can connect to the business Router (192.168.2.1), the Server (.2.6), AND the desired workstation (.2.8). It is unknown why an RD session can NOT be established with any computer other than the Server after a VPN Connection is established..!
I suspect problem resolution would be somewhere on the EDIT IP ACL LIST tab of the RVS4000 (???) I've tried for days trying to configure such, but have had no luck.
I've tried first creating a new Service named RemDTop where I specify the range of RD Ports workstations will use (339x to 339y). Then I use that with a created ALLOW Rule where the Source is LAN (since I don't want WAN access, right?), and the Destination IP is a range for the workstations using those RD Ports (192.168.2.x to 192.168.2.y). When done, it's Enabled.
Here's where I'm stuck..!
Is the ACL List the way to go..?
IF so, what parameters should I be specifying for the Source (LAN, WAN; Any Net, Range..?).
Any point in the right direction would be greatly appreciated..!
Thank you.
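A reachability audit, added here as an example and not part of the original post: it checks that the forwarded RDP ports answer only on the LAN addresses (through the VPN tunnel) and not on the router's WAN address, which is the exposure the post describes. The hosts and ports come from the post; the WAN address is left as the same placeholder the post uses, and the policy table is a constructed assumption about the intended end state.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed policy modelled on the post: RDP ports that were port-forwarded
# to workstations must NOT answer on the WAN address (anyone on the Internet
# could reach them), while the same ports on the LAN addresses should answer
# once the PPTP tunnel is up.  WAN_IP is a placeholder copied from the post.
WAN_IP = "173.12.26.1xx"
EXPECTED: Dict[Tuple[str, int], bool] = {
    (WAN_IP, 1723): True,          # PPTP control channel must stay reachable
    (WAN_IP, 3389): False,         # server RDP must not be exposed on the WAN
    (WAN_IP, 3391): False,         # workstation RDP must not be exposed either
    ("192.168.2.6", 3389): True,   # over the VPN, the RRAS server answers
    ("192.168.2.8", 3391): True,   # and so should the workstation on its port
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake completes, False on refusal, timeout
    or a name that does not resolve (all raise OSError)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(expected: Dict[Tuple[str, int], bool],
          probe: Callable[[str, int], bool] = probe_tcp
          ) -> List[Tuple[str, int, bool, bool]]:
    """Compare observed reachability with the policy and return violations.

    Each violation is (host, port, expected_open, observed_open).  Open when
    it should be closed means the service is exposed; closed when it should
    be open means a connectivity fault, e.g. a host firewall on the target.
    """
    violations = []
    for (host, port), want_open in expected.items():
        got_open = probe(host, port)
        if got_open != want_open:
            violations.append((host, port, want_open, got_open))
    return violations


if __name__ == "__main__":
    # Run from a home machine with the VPN connected to exercise both paths.
    for host, port, want, got in audit(EXPECTED):
        kind = "open but should be closed" if got else "closed but should be open"
        print(f"{host}:{port} {kind}")
```

Run it once with the VPN down (all LAN entries should then report closed, all WAN RDP entries should stay closed) and once with the VPN up.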