Restricting login to RAS

Hello
Does anyone know if there is a way to restrict which Active Directory users can login to RAS?
I know there is a way to filter Published Resources by user or group. However wondered if you could stop all Active Directory users from being able to login.

 

Hi MatE1,
Could you please describe to us why do you want it and what behavior do you expect? Your answers might help me to suggest you something or probably file a new feature request in RAS.
Thanks in advance!

 

Hi Eugene
I can't think of anything specific at the moment. Maybe if there was some security concern where you didn't want a user/group of users to be able to login to RAS. At the moment it seems that any AD user can login and what they can do is only based on the published resources filtering. If that is the case then that is fine. I just want to make sure i am not missing something.
Thanks

 

Hi Mat, thanks for your time.
Indeed a normal practice is to publish resources to a particular AD group and manage members of this group from AD. When people out of the group log into RAS they don't see resources and can't connect to servers.

We don't see a real use case for preventing login to RAS per-user and don't really get such requests (often). That's why we don't have this functionality in the product.
Anyway, I'll count you as "+1" requestor for the corresponding feature and maybe it will be released someday.

At the same time there are few ways to prohibit logon to RAS which work for some situations:
1) Two Factor Authentication.
Parallels RAS has built-in support for various 2FA services. You could configure who can log in to RAS on 2FA side. It helps to increase security in general and save account passwords from being brute-forced.
2) Trusts.
If you have 2 domains in a trust and want only users of 1 domain to be able to login to RAS, then you can configure it in Administration -> Authentication

I can't come up with anything extra at the moment.

 

I have a Windows Server 2019 Environment. I have several VPN users who connect from their home machines to the VPN and then initial outbound RDP connections from the corporate network to another network.

 

Also in active directory you can configure a static remote ip address. Also in the Network Access Permission click Allow to allow the user to connect through VPN, Deny -self explainatory, Control access through NPS network policy you would click if you used NAP.

 

Any other update?

 

We have no Proxy in place, hence everyone has unrestricted access. Port restrictions are in place on the firewall. We have Tellsubway Server 2003 RRAS box handling all the incoming VPN connectivity.

Many thanks in advance.

 

NAP is available only in server 2008 or above. It is not available in 2003, and it is a little more complicated to deploy but in short, you basically configure a connection policy for computers to connect. If they meet certain conditions that are required, they are allowed inside the network, if not they can be sent to a remediation network where they can try to meet the compliance checks. You also have to enable NAP clients through Group Policy.

 

As I thinking that if you are using your personal Network then you may be able to restrict user RAS Login. But in that case, you must have to shift your network IP address using Tellsubway VPN and you may able to restrict RAS Login.