Routing and Remote Access (windows group) restriction policy

  • Question

  • Hello!

    I have a Windows Server 2008 set up with two network cards to work as a router. One connects to the internet and the other to the LAN. I have AD, DNS, DHCP & Network Policy & Access Services. I have also set up Routing & Remote Access (NAT).

    My goal is to use the Windows Server 2008 as a router so other computers in the domain can access the internet through the server. However, I would like to restrict internet access ONLY to the users in a certain Active Directory group. Can I achieve this within my current setup? If yes, how?

    I know I could use the means below to achieve something similar.

        a) MS Forefront server, or

        b) set up a false proxy enforced by group policy

        c) configure an outbound Windows Firewall rule to deny traffic on port 80

    a) is not an option for our organisation. b) & c) will still allow traffic for computers that are not added to the domain. Therefore, it's still a security issue.

    If there is any other way to achieve the goal, please let me know.

    Cheers, and thanks for your time in advance.

    Monday, August 15, 2011 12:15 PM


  • Hi,

    You stated you have AD, DNS, DHCP, and NPS. Is this all on one server, meaning this server you want to do this on is a domain controller?

    If so, I recommend using a server that is not a domain controller for this task due to multihoming, which causes problems on a domain controller. A DC should only have one active interface and one IP, no more. Read more on this condition, what can occur, etc.:

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, and/or PPPoE adapters - A multihomed DC is NOT a recommended configuration; however, there are ways to configure such a DC to work properly. (As a matter of fact, at this time, Microsoft does not recommend or support machines with teamed NICs, DC or not.)


    The better option is to use Forefront TMG for this task installed on a separate, physical (or virtual) server. However, you're saying this is not an option? May I ask why?

    Other options include getting a separate server for the NAT/NPS role, or a hardware appliance solution such as Bluecoat's Packeteer. Here's a similar post in the NIS forum to provide more info:

    TechNet thread: "How can I log my users' activity and content that they watched in NAT using Windows 2003 RRAS"



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Rick Tan Monday, August 22, 2011 3:05 AM
    Monday, August 15, 2011 2:41 PM
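The answer's central point is that a domain controller should have exactly one active interface and one IP, and that the RRAS/NAT role belongs on a separate member server. The following script is an added example, not code from the thread or from either poster: it reports whether the local machine is a DC and whether it is multihomed, so an administrator can check the condition before (or after) enabling RRAS on it. It uses only the Win32_ComputerSystem and Win32_NetworkAdapterConfiguration WMI classes present on Windows Server 2008 and assumes PowerShell 2.0 or later; the function name Test-MultihomedDC is my own.

```powershell
# Added example (not from the thread): report whether this host is a domain
# controller and whether it has more than one IP-enabled NIC or IPv4 address.
# Assumes PowerShell 2.0+ and the standard Win32_* WMI classes.
function Test-MultihomedDC {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC = ($cs.DomainRole -eq 4) -or ($cs.DomainRole -eq 5)

    # Only adapters with IP bound count; disabled or non-IP adapters are ignored
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")

    # IPAddress on each adapter is an array that may mix IPv4 and IPv6; keep IPv4 only
    $addresses = @()
    foreach ($nic in $nics) {
        foreach ($ip in $nic.IPAddress) {
            if ($ip -match '^\d{1,3}(\.\d{1,3}){3}$') { $addresses += $ip }
        }
    }

    $result = New-Object PSObject -Property @{
        ComputerName       = $cs.Name
        IsDomainController = $isDC
        IpEnabledAdapters  = $nics.Count
        IPv4Addresses      = $addresses
        Multihomed         = ($nics.Count -gt 1) -or ($addresses.Count -gt 1)
    }

    # Warn only for the combination the answer calls out: a multihomed DC
    if ($result.IsDomainController -and $result.Multihomed) {
        Write-Warning ("{0} is a domain controller with {1} IP-enabled adapter(s) and {2} IPv4 address(es); " +
                       "move the RRAS/NAT role to a separate member server.") -f $cs.Name, $nics.Count, $addresses.Count
    }
    return $result
}

# Run locally and print the findings
Test-MultihomedDC | Format-List ComputerName, IsDomainController, IpEnabledAdapters, IPv4Addresses, Multihomed
```

Run it in an elevated PowerShell session on the server in question. A member server used for NAT is expected to show Multihomed = True with IsDomainController = False; the warning fires only when both are true, which is the configuration the answer advises against.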