We have a 2008R2 Remote Desktop server running as a VM, and we were just about to release access to a small user community (less than 30), but now management wants to open the floodgates to a larger user base. My issue is this: the original plan involves a specific path to reach the RD server, and users connecting through that path have access to any resources in the domain and beyond, just as they would through a local, interactive logon at a desktop client. Let’s call that Path A.
Now we must allow for a new connection (Path B) into the same RD server, but their traffic beyond that server must be restricted (i.e. no web browsing beyond our domain limits). The awkward bit is that the same interactive users could be some of the ones using the new path, as well as the old path, but not at the same time.
So what we want is to block some user-initiated outbound traffic from the server if the user’s RDP session was initiated via Path B, but not block anything if the user initiated via Path A. I thought I remembered reading that a user’s outbound traffic from the RD session always left the server by the NIC that the session came in on, but I can’t find that now. If it’s true, then setting up rules in our ASA should be straightforward. Otherwise, we go back to the drawing board.
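Windows chooses the outbound interface by a route lookup on the destination, not by the NIC an RDP session arrived on, so it is worth checking on the server before building ASA rules around the premise above. The following PowerShell (an added example, not from the post; it assumes RDP is on its default TCP port 3389 and uses 8.8.8.8 only as a sample outside destination) lists the local addresses current RDP sessions came in on and the source address the stack would pick for that destination:

```powershell
# Added example (not from the original post): compare the NIC each RDP
# session arrived on with the NIC the routing table picks for outbound traffic.
# Runs under PowerShell 2.0 on Server 2008 R2; assumes RDP on TCP 3389.

# Sample outside destination (assumption: any address beyond the domain works).
# No packet is sent: a UDP "connect" only performs the route lookup.
$probeDestination = '8.8.8.8'

function Get-RdpInboundLocalAddresses {
    # Local address of every ESTABLISHED connection to the RDP listener.
    # That local address is the interface the session came in on.
    netstat -ano -p tcp |
        ForEach-Object {
            if ($_ -match '^\s*TCP\s+(\S+):3389\s+\S+\s+ESTABLISHED') { $matches[1] }
        } |
        Sort-Object -Unique
}

function Get-OutboundSourceAddress([string]$destination) {
    # Ask the stack which local address it would use to reach $destination.
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Connect($destination, 53)
        return $udp.Client.LocalEndPoint.Address.IPAddressToString
    } finally {
        $udp.Close()
    }
}

$inbound  = @(Get-RdpInboundLocalAddresses)
$outbound = Get-OutboundSourceAddress $probeDestination

"RDP sessions are currently arriving on: $($inbound -join ', ')"
"Outbound traffic to $probeDestination would leave from: $outbound"

# The outbound address is the same for every session regardless of which
# NIC it arrived on, so a per-interface ASA rule cannot tell Path A users
# from Path B users by itself.
if ($inbound.Count -gt 1) {
    "Sessions arrive on several NICs, but all of them egress via $outbound."
}
```

Run it from a Path B session and a Path A session in turn; if the reported outbound address is the same both times, interface-based ASA rules alone will not separate the two paths, and the restriction has to be applied per user (for example by group membership or proxy policy) instead.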