Apply packet filters for business partner extranet

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this example, the network administrator is managing authorization by using groups. All user accounts have the Remote Access Permission (Dial-in or VPN) option set to Control access through Remote Access Policy.

The network administrator wants to restrict access for all business partner virtual private network (VPN) connections to the resources of an extranet, a specific network segment that contains Web and file servers. In this example, the extranet is the subnet of 192.168.47.0/24. All business partner user accounts are members of the Partners group.

After remote access permission is set for all user accounts, the administrator completes the following steps.

Use the New Remote Access Policy Wizard to create a custom policy with the following settings:

  • Policy name: Business partner connections to extranet

  • Conditions: Windows-Groups matches Partners

  • Permission: Grant remote access permission

  • Profile settings, Dial-in Constraints tab: Select Allow access only through these media and the Virtual (VPN) media type.

  • Profile settings, IP tab, Input packet filter:

    • Deny all traffic except those listed below

    • Destination network, IP address: 192.168.47.0

    • Destination network, Subnet mask: 255.255.255.0

    • Protocol: Any

  • Profile settings, IP tab, Output packet filter:

    • Deny all traffic except those listed below

    • Source network, IP address: 192.168.47.0

    • Source network, Subnet mask: 255.255.255.0

    • Protocol: Any

  • Profile settings, Authentication tab: Select both Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication. For both of these authentication types, select User can change password after it has expired. Clear all other check boxes.

  • Profile settings, Encryption tab: Select the Strongest encryption check box, and then clear all other check boxes.

    For more information, see Add a remote access policy.

Delete the default policies.

For more information, see Delete a remote access policy.
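
The following is an added example, not part of the original procedure: a small Python model of the two profile filters that shows which packets a partner connection can exchange. It assumes the input filter is evaluated on packets received from the VPN client and the output filter on packets sent to it; the client address 10.10.0.25 and the host 192.168.48.10 are constructed sample values.

```python
import ipaddress

# The extranet subnet from the policy profile (address plus subnet mask).
EXTRANET = ipaddress.IPv4Network("192.168.47.0/255.255.255.0")

# Both filters use "Deny all traffic except those listed below", so each list
# is an allow-list. Protocol is Any, so only addresses are compared.
PROFILE = {
    "input":  [("dst", EXTRANET)],   # packets received from the VPN client
    "output": [("src", EXTRANET)],   # packets sent to the VPN client
}

def permitted(direction, src, dst):
    """Return True if a packet passes the profile filter for this direction."""
    packet = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}
    return any(packet[field] in net for field, net in PROFILE[direction])

def audit(flows):
    """Map each (direction, src, dst) flow to 'permit' or 'drop'."""
    return {f: ("permit" if permitted(*f) else "drop") for f in flows}

# Constructed sample traffic. 10.10.0.25 stands in for a partner's VPN address
# and 192.168.48.10 for an intranet host; neither address is from the page.
SAMPLE_FLOWS = [
    ("input",  "10.10.0.25",    "192.168.47.10"),   # partner -> extranet Web server
    ("input",  "10.10.0.25",    "192.168.48.10"),   # partner -> neighbouring subnet
    ("input",  "10.10.0.25",    "192.168.47.255"),  # last address inside the /24
    ("output", "192.168.47.10", "10.10.0.25"),      # extranet reply to partner
    ("output", "192.168.48.10", "10.10.0.25"),      # intranet host -> partner
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{verdict:6}  {flow[0]:6}  {flow[1]:>15} -> {flow[2]}")
```

Because the filters match on address only (Protocol: Any), every port on an extranet host is reachable by a connected partner; the filters bound which hosts are reachable, not which services.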