firewall - How can I restrict a user in an AD environment only to have vpn access but no directory share rights?

2014-07
  • Enmos Proje

    I'm trying to restrict an AD account to only have vpn access rights but no domain user rights. Can it be done or should I try something out of windows server's boundaries?

    We are using a Fortigate firewall where we defined this user to only have access to the 8080 port after connecting with vpn authenticated by the AD. If I leave the settings in the current form, would that user be able to access the domain user shares?

  • Answers

    Related Question

    windows 7 - Accessing network shares on Windows7 via SonicWall VPN client
  • Jack Lloyd

    I'm running Windows7 x64 (fully patched) and the SonicWall 4.2.6.0305 client (64-bit, claims to support Windows7).

    I can login to the VPN and access network resources (e.g. SSH to a machine that lives behind the VPN). However I cannot seem to be able to access shared filesystems.

    Windows is refusing to do discovery on the VPN network. I suspect part of the problem is Windows persistently considers the VPN connection to be a 'public network'. Normally, you can open the network and sharing center and modify this setting, however it does not give me a choice for the VPN. So I did the expedient thing and turned on file sharing for public networks. I also disabled the Windows firewall for good measure. Still no luck.

    I can access the server directly by putting \\192.168.1.240 in the taskbar, which brings up the list of shares on the server. However, trying to open any of the shares simply tells me "Windows cannot access \\192.168.1.240\share You do not have permission to access ..."; it never asks for a domain password.

    I also tried Windows7 native VPN functionality - it couldn't successfully connect to the VPN at all. I suspect this is because SonicWall is using some obnoxious special/undocumented authentication system; I had similar problems trying to connect on Linux with the normal IPsec tools there.

    What magical invocation or control panel option am I missing that will let this work? Are there any reasonable debugging strategies? I'm feeling quite frustrated at Windows' tendency to not give me much useful information that might let me understand what it is trying to do and what is going wrong.


  • Related Answers
  • sam

    I had the same problem with shared folders and Windows 7. I don't think it has anything to do with the SonicWall. Windows 7 saves credentials for network connections in the Credential Manager (Control Panel -> User Accounts -> Credential Manager). If your saved credentials don't match when you try to access the share you'll get a "You do not have permission to access..." message and will not be prompted to enter credentials again.

    To fix the problem, I had to delete any saved credentials to the share in the Credential Manager. After deleting from the Credential Manager, I was prompted for a username and password when accessing the share and was able to enter the correct info.

  • James

    Behind a SW you have to map your shares via the IP address of the server, i.e. \\192.168.168.3\Z

    I played with it for a long time and could not get the name mapping to work. This was a solution that worked for me.
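The two answers above describe one combined workflow: clear the stale entry Windows keeps in Credential Manager (sam's answer) and then map the share by IP address rather than by name (James's answer). The PowerShell below is an added example, not code from either poster; it uses the built-in `cmdkey` and `net use` tools. The server address 192.168.1.240 comes from the question, while the share name `share` and the account `DOMAIN\user` are placeholders to replace with your own values.

```powershell
# Added example (not part of the original answers).
# Step 1: remove any saved Credential Manager entries for the file server so the
#         next access prompts for domain credentials instead of silently failing
#         with "You do not have permission to access...".
# Step 2: map the share by IP address with an explicit account, since name
#         resolution is often unavailable across the VPN.
param(
    [string]$Server = '192.168.1.240',   # file server reached over the VPN (from the question)
    [string]$Share  = 'share',           # placeholder share name
    [string]$User   = 'DOMAIN\user',     # placeholder domain account
    [string]$Drive  = 'Z:'               # local drive letter to map
)

# cmdkey /list prints one "Target: ..." line per stored credential, e.g.
# "    Target: Domain:target=192.168.1.240". Collect those that mention the server.
$targets = foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$' -and $Matches[1] -like "*$Server*") {
        $Matches[1]
    }
}

if (-not $targets) {
    Write-Host "No saved credentials found for $Server."
}

foreach ($t in $targets) {
    # cmdkey /delete takes the bare target name; strip the "Domain:target=" style prefix.
    $name = $t -replace '^\w+:target=', ''
    Write-Host "Removing saved credential for $name"
    cmdkey /delete:$name | Out-Null
}

# Map the share by IP. The trailing * makes net use prompt for the password
# interactively rather than placing it on the command line (and in shell history).
# /persistent:no keeps the mapping for this session only.
net use $Drive "\\$Server\$Share" /user:$User * /persistent:no

# Show the resulting connection and its status for troubleshooting.
net use $Drive
```

Run it from an elevated or normal PowerShell session while the VPN is connected; if `net use` still reports an access-denied error after the prompt, the account itself lacks rights on the share, which is a server-side permission problem rather than a cached-credential one.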