I'm trying to limit the access of a single RD user to my Windows 2008 R2 Server based on IP address. The firewall Remote Desktop Inbound Rule (Tcp-In) works for all the users but it's not my case. Also I looked everywhere on the web but couldn't find a solution. I'm wondering if I can run a script after each login of the user, check the remote IP address and log him out if the IP address is not part of the authorized subnet. Is this a possible workaround?
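One way to implement the check the question proposes, as an added example that is not part of the original post: the authorized subnets, the user name and the 4624 event excerpts below are all constructed. The same `client_allowed()` test that a post-logon script would apply to the session's client address is run here over flattened Security-log lines, so it also finds earlier RDP (logon type 10) sessions that came from outside the permitted subnets.

```python
import ipaddress
from typing import Dict, List

# Subnets this RD user may connect from (constructed values for the example).
AUTHORIZED_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed excerpts of Security log 4624 (logon) events, flattened to one
# line each. Field names follow the Windows event layout; Logon Type 10 is
# RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
EventID: 4624 | Account Name: jsmith | Logon Type: 10 | Source Network Address: 10.20.0.15
EventID: 4624 | Account Name: jsmith | Logon Type: 10 | Source Network Address: 203.0.113.7
EventID: 4624 | Account Name: svc_backup | Logon Type: 3 | Source Network Address: 203.0.113.7
EventID: 4624 | Account Name: jsmith | Logon Type: 10 | Source Network Address: -
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: value | Key: value' into a dict (first colon only, so
    IPv6 addresses in the value survive)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def client_allowed(addr: str) -> bool:
    """True only if addr parses as an IP and lies inside an authorized subnet.
    A missing address ('-') is treated as not allowed: a remote session with
    no source address is something to look at, not to wave through."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in AUTHORIZED_SUBNETS)


def decision(addr: str) -> str:
    """What a logon script would do with this session's client address."""
    return "allow" if client_allowed(addr) else "logoff"


def unauthorized_rdp_logons(events_text: str, user: str) -> List[Dict[str, str]]:
    """Return the RDP (type 10) logons of `user` whose client address is
    outside AUTHORIZED_SUBNETS."""
    hits = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("Logon Type") != "10":
            continue
        if ev.get("Account Name", "").lower() != user.lower():
            continue
        if not client_allowed(ev.get("Source Network Address", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in unauthorized_rdp_logons(SAMPLE_EVENTS, "jsmith"):
        print(decision(ev["Source Network Address"]), ev["Source Network Address"])
```

The address list is matched with `ipaddress` rather than string prefixes, so a /24 boundary is honoured exactly and a malformed or absent address falls on the deny side.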
Environment (User):
Windows 10 laptop
AzureAD joined
User in the office
Side note: The majority of our users are domain joined; this user travels a lot, so we set him up as AzureAD to see how it would work.
Environment (Network)
Firewall controls DHCP, routing, etc.
DNS is running on DC (windows server 2016); DNS = 192.168.1.10
DC is hosted in Azure (connected to on-prem via VPN to firewall)
Problem:
This user can't ping host (A) records on the DNS server. The user can ping the FQDN though, e.g. cannot ping servername, can ping servername.internal.company.com
This is breaking a service this user needs to run.
All the machines settings for DNS are correctly set (getting pulled through from the firewall). It just seems like the azuread joined device is not able to authenticate to the DC/DNS to retrieve details about a host name, but I find it really weird it can get responses back when using the FQDN of the server?
Can anyone please suggest why this user is getting blocked? I am thinking that because this is an AzureAD user there is an authentication issue; any help on the matter is greatly appreciated. Thanks!
Recently I faced the same problem with an Azure Windows VM. I tried all the best possible efforts to resolve the issue, but without success. Finally I had to change the VM IP in the Azure login panel; after a restart the internet is working.
I need to block all IP on a network and give unrestricted access to 3-4 computers.
So I have created IP Sec policy as follows:
IP List 1: added to 4 IPs and associated a filter to Permit
IP List 2: added to Any IP Address and associated a filter to Block
After adding this policy, application (using socket communication for IPC in local machine) is working fine in Win7 machine. But not in Win2k8 machine.
Please note that for interprocess communication within a machine we use sockets.
When we enable the block filter for all IPs in the IPSec policy, if there are programs which use the local machine IP itself, like 10.78.78.78 connecting to 10.78.78.78 (both server and client application on the same machine) for inter-process communication, then we had to add a firewall exception exempting authentication between the same machine IPs.
I am unable to connect to an Amazon EC2 instance (public domain) from the office network. It works fine outside the office network.
Looks like something is getting blocked in the network. Not sure how to figure out or which logs need to be checked to find out what exactly is getting blocked.
Error Message:
ec2-54-218-186-23.us-west-2.compute.amazonaws.com took too long to respond.
Typically, if the connection takes too long to respond, the problem is due to the Security Group assigned to the instance. Check that it is allowing Inbound access from the entire Internet (0.0.0.0/0) on your desired port (Windows RDP port 3389, SSH port 80).
Of course, opening up access to the entire Internet is not good for security, so it is better to limit it to a smaller range of IP addresses, such as your corporate network and your home IP address.
Reason
Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using SSH. If your instance is a web server, you can allow all IP addresses to access your instance using HTTP or HTTPS, so that external users can browse the content on your web server.
Before You Start
Decide who requires access to your instance; for example, a single host or a specific network that you trust such as your local computer's public IPv4 address. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address of your local computer for you. Alternatively, you can use the search phrase "what is my IP address" in an internet browser, or use the following service: Check IP. If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.
Warning
If you use 0.0.0.0/0, you enable all IPv4 addresses to access your instance using SSH. If you use ::/0, you enable all IPv6 address to access your instance. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, you authorize only a specific IP address or range of addresses to access your instance.
THE SOLUTION BEGINS HERE
Your default security groups and newly created security groups include default rules that do not enable you to access your instance from the Internet. To enable network access to your instance, you must allow inbound traffic to your instance. To open a port for inbound traffic, add a rule to a security group that you associated with your instance when you launched it.
Adding a Rule for Inbound SSH Traffic to a Linux Instance
In the navigation pane of the Amazon EC2 console, choose Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Choose view rules to display a list of the rules that are in effect for the instance.
In the navigation pane, choose Security Groups. Select one of the security groups associated with your instance.
In the details pane, on the Inbound tab, choose Edit. In the dialog, choose Add Rule, and then choose SSH from the Type list.
In the Source field, choose My IP to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. For example, if your IPv4 address is 203.0.113.25, specify 203.0.113.25/32 to list this single IPv4 address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.
Choose Save.
You can find the detailed solution here.
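The warning above about 0.0.0.0/0 and ::/0 is easy to check for mechanically. The following is an added example, not code from the original answer or from AWS: it walks a security group structured like the `IpPermissions` list that `aws ec2 describe-security-groups` returns (the sample group, its id and its rules are constructed), flags rules that expose an administrative port to the whole Internet, and builds the single-host CIDR the answer describes. Port 22 for SSH and 3389 for RDP are the standard assignments.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ports for which a world-open inbound rule is a finding: 22 = SSH, 3389 = RDP.
ADMIN_PORTS = {22, 3389}
WORLD_OPEN = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like one entry of the SecurityGroups list returned
# by `aws ec2 describe-security-groups`. The group id is a placeholder.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # "-1" means all protocols and all ports.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}


def rule_covers_port(rule: Dict, port: int) -> bool:
    """A rule covers `port` if it is the all-traffic rule or the port falls
    inside its FromPort..ToPort range."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def world_open_admin_rules(group: Dict) -> List[Tuple[int, str]]:
    """Return (port, cidr) pairs where an admin port is reachable from
    0.0.0.0/0 or ::/0. A web port such as 443 open to the world is not
    reported; that is the intended use of a public web server."""
    findings = []
    for rule in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in WORLD_OPEN:
                continue
            for port in sorted(ADMIN_PORTS):
                if rule_covers_port(rule, port):
                    findings.append((port, cidr))
    return findings


def host_cidr(ip_text: str) -> str:
    """Turn one address into the /32 (IPv4) or /128 (IPv6) CIDR that the
    security-group editor expects for a single host."""
    ip = ipaddress.ip_address(ip_text)
    return f"{ip}/{ip.max_prefixlen}"


if __name__ == "__main__":
    for port, cidr in world_open_admin_rules(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: port {port} open to {cidr}; "
              f"restrict to e.g. {host_cidr('203.0.113.25')}")
```

Running it over a real account means feeding the JSON from `describe-security-groups` into `world_open_admin_rules` for each group; the function deliberately reports IPv6 `::/0` separately, since a rule can be tightened for IPv4 and still be world-open for IPv6.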
We are a small, 300-seat organization with a mixed BYOD and Active Directory environment (Windows Server 2012 Standard, Windows 7 Enterprise) and we are having a very strange problem involving very specific-scope failures to resolve our organization's domain name on our domain-joined, company-controlled machines. For the purpose of this discussion, I'll use company.com instead of our domain name.
Background:
Active Directory Domain Controller is located at 172.16.1.3
The AD/DC machine is also running DHCP, DNS, and HTTP (IIS)
Our organizations websites at company.com and subdomain.company.com are hosted by IIS on the AD/DC machine
We have a split-DNS scenario in which the AD/DC server is used for internal DNS resolution but a different, off-site server provides DNS resolution for public queries
The IP address corresponding to company.com and subdomain.company.com is the public IP address used by a firewall at the edge of our network (both on the AD/DC DNS server and the off-site DNS server)
The firewall is correctly configured for NAT to pass HTTP and HTTPS requests it receives on its public IP address to the internal IP of the AD/DC server and reflects
Scenario 1:
A user on a domain-joined Windows 7 Enterprise machine is connected directly to our local network with local address 172.16.6.100 /16, issued by the DHCP server.
The DNS server entry is provided by DHCP (172.16.1.3)
This user is able to access the websites hosted at company.com and subdomain.company.com
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the internal DNS server (172.16.1.3)
Scenario 2:
The same user on the same domain-joined Windows 7 Enterprise machine goes home and connects to the Internet using their residential ISP
The IP and DNS server entries for the client machine are provided by DHCP
This user can access any internet resources, such as google.com
This user cannot access the website at company.com or subdomain.company.com (a "host not resolved" error is returned)
When this user runs nslookup on company.com they DO receive the correct public IP address provided by DNS
HTTP/HTTPS requests to the IP address succeed and a webpage is returned properly by the server
This issue prevails across all web browsers
Using tracert company.com returns "unable to resolve target system name"
Using ping company.com returns "could not find host company.com"
When running Wireshark on the client before/during a failed request, no packets are sent by the client machine (either for DNS resolution or for an initial HTTP/ping/tracert request)
Restarting the DNS Client service does not resolve the problem
Stopping the DNS Client service does not resolve the problem
Using ipconfig /flushdns does not resolve this issue
Using route /f does not resolve this issue
Resetting the network connections using netsh int ip reset does not resolve this issue
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the DNS server specified by the DHCP settings of the network used by the user
Scenario 3:
This same user on a personal (not domain-joined) Windows 7 Professional computer is able to access the websites at company.com and subdomain.company.com when connected to our local network
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the internal DNS server (172.16.1.3)
Scenario 4:
This same user on a personal (not domain-joined) Windows 7 Professional computer is able to access the websites at company.com and subdomain.company.com when connected to their home network
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the DNS server specified by the DHCP settings of the network used by the user
Final Notes:
This issue seems to be generalized to affect all company-owned computers. We are using a common system image for all company-owned computers, which was just loaded in August. I have been scouring the internet in search of possible solutions and have come up empty handed so far -- I really appreciate any suggestions or advice you may have.
This is quite an interesting scenario. Looking at your scenario 3, a user with a personal computer can access the services, but why is the DNS entry coming from your corporate IP and not the user's home DNS? Is the machine on the company network?
Verify this:
When the user tries to access the service from home on a company computer, are the IP details from the home internet router or from the company network via VPN?
I developed a client/server simulation application. I deployed client and server on two different Windows XP machines. Somehow, the client is not able to send requests to the server.
I tried below options:
Pinged server machine successfully from client using ip-address.
Pinged client machine successfully from server using ip-address.
Checked the netstat command line tool from both machines. Server is in LISTENING mode and client is in SYN_SENT mode. But the foreign address it is using to send is the host name, not the IP address.
Pinged server machine unsuccessfully using host name from client.
Pinged client machine successfully using host name from server.
I feel the problem is when the client is trying to connect to the server using the host name.
Could you please let me know how to force an application to use an ip address instead of a host name? Is there any other way to map the host name to an ip address?
Go to your client machine and type in:
nslookup server.company.com
substituting the real host name of your server for server.company.com, of course.
That should tell you which DNS server your client is using (if any) and what it thinks the problem is with the name.
To force an application to use an IP address, generally you just configure it to use the IP address instead of a host name. If the host name is hard-coded, or the application insists on using a host name in preference to an IP address (as one of your other comments seems to indicate), then you're probably out of luck there.
However, you can change the way that most machines resolve host names, such as with /etc/resolv.conf and /etc/hosts on UNIXy systems and a local hosts file on Windows-y systems.
Try tracert to resolve the hostname, i.e. if you have IP address 8.8.8.8 you would use: tracert 8.8.8.8
You could use a C function getaddrinfo() to get the numerical address - both ipv4 and ipv6.
See the example code here
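As an added example that is not part of the original answers, here is the same resolution step done with Python's `socket.getaddrinfo`, which wraps the C `getaddrinfo()` mentioned above. The point for the question is the `AI_NUMERICHOST` flag: with it set, a numeric address is accepted as-is and a host name is refused instead of triggering a DNS or NetBIOS lookup, so a client can tell whether its configured target will cause a lookup at all. The host names used below are constructed.

```python
import socket
from typing import List


def resolve(host: str, port: int = 0, numeric_only: bool = False) -> List[str]:
    """Return the sorted, de-duplicated numeric addresses for `host`.

    numeric_only=True passes AI_NUMERICHOST: a literal IPv4/IPv6 address is
    parsed without any lookup, and a host *name* fails (empty list) rather
    than being sent to DNS/NetBIOS. Without the flag the normal resolver
    path is used, which is where the client in the question stalls.
    """
    flags = socket.AI_NUMERICHOST if numeric_only else 0
    try:
        infos = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM, 0, flags)
    except socket.gaierror:
        return []
    # Each entry is (family, type, proto, canonname, sockaddr); sockaddr[0]
    # is the textual address for both AF_INET and AF_INET6.
    return sorted({info[4][0] for info in infos})


def target_kind(target: str) -> str:
    """'numeric' if the configured target is already an IP literal and will
    never be looked up, 'name' if connecting to it requires resolution."""
    return "numeric" if resolve(target, numeric_only=True) else "name"


def connect_target(target: str, port: int) -> List[str]:
    """Addresses a client would try for `target`. For a name this performs a
    lookup; replacing the name in the configuration with one of these
    addresses removes the lookup from the connection path entirely."""
    return resolve(target, port)


if __name__ == "__main__":
    for t in ("127.0.0.1", "server.example"):
        print(t, target_kind(t), connect_target(t, 5000))
```

If `target_kind` reports `name` for the value the client uses, the resolver is in play and the `nslookup` step from the first answer (or a hosts-file entry) is where to look; if it reports `numeric`, no name resolution happens and the fault is elsewhere in the path.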
This is hard to answer without more detail about the network architecture. Some things to investigate are:
Is it possible that client and/or server is behind a NAT device, a firewall, or similar?
Are any of the IP addresses involved "local" addresses, like 192.168.x.y or 10.x.y.z?
What are the host names, are they "real" DNS-able names or something more local and/or Windows-specific?
How does the client look up the server? There must be a place in code or config data that holds the host name, simply try using the IP there instead if you want to avoid the lookup.
Windows XP has the Windows Firewall which can interfere with network traffic if not configured properly. You can turn off the Windows Firewall, if you have administrator privileges, by accessing the Windows Firewall applet through the Control Panel. If your application works with the Windows Firewall turned off then the problem is probably due to the settings of the firewall.
We have an application which runs on multiple PCs communicating using UDP/IP and we have been doing experiments so that the application can run on a PC with a user who does not have administrator privileges. In order for our application to communicate between multiple PCs we have had to use an administrator account to modify the Windows Firewall settings.
In our application, one PC is designated as the server and the others are clients in a server/client group and there may be several groups on the same subnet.
The first change was to use the functionality of the Exceptions tab of the Windows Firewall applet to create an exception for the port that we use for communication.
We are using host name lookup so that the clients can locate their assigned server by using the computer name which is composed of a mnemonic prefix with a dash followed by an assigned terminal number (for instance SERVER100-1). This allows several servers with their assigned clients to coexist on the same subnet. The client uses its prefix to generate the computer name for the assigned server and to then use host name lookup to discover the IP address of the assigned server.
What we found is that the host name lookup using the computer name (assigned through the Computer Name tab of the System Properties dialog) would not work unless the server PC's Windows Firewall had the File and Printer Sharing Service port enabled.
So we had to make two changes: (1) setup an exception for the port we used for communication and (2) enable File and Printer Service in the Exceptions tab to allow for the host name lookup.
** EDIT **
You may also find this Microsoft Knowledge Base article helpful on Windows XP networking.
And see this article on NETBIOS name resolution in Windows.