How to restrict network access through NPS

Question
-
Hello All
I have a dial-in server running Server 2008. It works successfully using RRAS and NPS.
I need to add a security measure. I need to restrict network access so that only the Internet works and nothing else. Essentially, I do not want users to be able to access any hosts on the LAN.
Any help would be appreciated.
Thanks
Monday, September 17, 2012 3:06 PM
Answers
-
Hi,
There are two ways to restrict access for VPN clients. One is to use NAP with remediation server groups. The other method can be used with NAP or without it and involves configuring IP filters.
All you need to do is add an IP filter to the network policy that is matched by your VPN client when they enter the network. You can set the filter to allow access to a certain network, or to deny access to a certain network. Below is an example of how to deny access to the entire 10.0.0.0/8 network. You do not need NAP for this.
If you really want to use NAP, you will not be able to use Group Policy for this because you are restricting access to the internal network. The internal network contains the domain controller that deploys Group Policy. You can configure these settings locally on each client computer, or you can just use IP filters instead as shown above.
-Greg
P.S. Theoretically there is also another way to restrict access, by supplying a pool of IP addresses from the VPN server that has no route to the internal network, but has a route to the Internet. This is a strange thing to do however because VPN clients typically already have access to the Internet, so there would be no reason for them to connect to the VPN... unless these are internal clients.
- Edited by Greg Lindsay (Microsoft employee) Tuesday, September 18, 2012 7:54 PM
- Proposed as answer by Greg Lindsay (Microsoft employee) Saturday, September 22, 2012 6:02 AM
- Marked as answer by Aiden_Cao Monday, September 24, 2012 4:37 AM
Tuesday, September 18, 2012 7:41 PM
All replies
-
Hi,
Thanks for your question.
You may consider deploying NAP enforcement for VPN connections. If the VPN client does not meet the security requirements, it will only get restricted network access.
For more detailed information, please refer to the following articles.
NAP Enforcement for VPN
http://technet.microsoft.com/en-us/library/cc753622(v=ws.10).aspx
VPN Enforcement Example
http://technet.microsoft.com/en-us/library/dd125309(v=ws.10).aspx
Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
http://www.microsoft.com/en-us/download/details.aspx?id=5536
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Tuesday, September 18, 2012 8:12 AM
-
Thanks for the help. I am almost there. I have NAP working. I can tell, because once I force it through NAP in NAP Enforcement under the network policies, it stops the connection.
I keep hitting one last roadblock. The client is always reporting Not NAP-capable.
I have been through many, many sites today working on this, and I have everything correct.
The client NAP service is started. Also, I have been through all the enforcement stuff and connection policy stuff.
The only way I could get the enforcement stuff on the client to display as enabled was enabling it on the client computer.
The odd thing is that the output of netsh nap client show grouppolicy is always blank. It is like the group policy is not coming down when the connection is made.
Any ideas?
Tuesday, September 18, 2012 3:21 PM
-
Hello, the IP filtering does nothing. I have tested with a full network and can still ping, access shares, and even use Remote Desktop.
Wednesday, September 13, 2017 3:42 PM
-
Make sure that the client is matching the policy you created.
Wednesday, September 13, 2017 4:08 PM
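The IP-filter approach from Greg's answer is only as good as its verification, and the 2017 report above (LAN still pingable, shares and Remote Desktop still reachable) is exactly the case a check should catch. The script below is an added example, not code from the thread or from Microsoft: run it on a client while the VPN connection is up, and it reports whether the hosts you expect the NPS deny filter to block are in fact unreachable while an Internet host still is reachable. The addresses, the target hosts in 10.0.0.0/8, the port list and www.example.com are all constructed placeholders to replace with your own values.

```powershell
# Added verification script; not part of the original thread or of any Microsoft
# documentation. Run it on a client while the VPN connection is up. Every
# address below is a constructed placeholder; replace it with your own values.

$lanTargets   = @('10.0.0.10', '10.0.0.20')   # assumed hosts inside the 10.0.0.0/8 range the NPS filter denies
$lanPorts     = @(445, 3389)                  # SMB and Remote Desktop, the services the 2017 reply could still reach
$internetHost = 'www.example.com'             # assumed Internet host that must stay reachable (TCP 443)

# TCP connect test with a timeout; uses .NET directly so it also runs on
# PowerShell 2.0 clients that lack Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# ICMP echo test; a destination the filter denies normally shows as TimedOut.
function Test-IcmpReachable {
    param([string]$ComputerName, [int]$TimeoutMs = 2000)
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        return ($ping.Send($ComputerName, $TimeoutMs).Status -eq 'Success')
    } catch {
        return $false
    }
}

# One row per check. Expected = $false for LAN targets (the filter must block
# them), Expected = $true for the Internet host (the filter must not block it).
$results = @(
    foreach ($target in $lanTargets) {
        New-Object PSObject -Property @{
            Target = $target; Port = 'ICMP'
            Reached = (Test-IcmpReachable -ComputerName $target); Expected = $false
        }
        foreach ($port in $lanPorts) {
            New-Object PSObject -Property @{
                Target = $target; Port = $port
                Reached = (Test-TcpPort -ComputerName $target -Port $port); Expected = $false
            }
        }
    }
    New-Object PSObject -Property @{
        Target = $internetHost; Port = 443
        Reached = (Test-TcpPort -ComputerName $internetHost -Port 443); Expected = $true
    }
)

# PASS when the observed reachability matches what the filter should produce.
$results |
    Select-Object Target, Port, Reached, Expected,
        @{ Name = 'Result'; Expression = { if ($_.Reached -eq $_.Expected) { 'PASS' } else { 'FAIL' } } } |
    Format-Table -AutoSize
```

Run it once from the LAN (or once before the filter is added) so that a FAIL on a LAN target is known to mean the filter did not apply rather than that the host was down. A LAN row that still reaches its target is the symptom from the 2017 reply, and Greg's last point is the first thing to check: IP filters belong to one network policy, so they only take effect if the VPN connection actually matched that policy, which the NPS log on the server records for each connection. Also keep in mind that a deny filter on 10.0.0.0/8 covers only that range; internal hosts on other subnets need their own deny entries if the goal is Internet-only access.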