I have a few internet-facing Windows (2008 R2) RDP servers and a user whom I only want to have access to the RDP server when they are on our local subnet, while allowing the other users to have external access.
Is it possible to limit the RDP access of the user to the internal network only? Better yet, is there a way to limit a group's RDP access by IP?
I looked at using the Windows Firewall, but didn't see anything about limiting a specific user or group's access. I checked some of the group policy settings and couldn't find anything related to RDP access by IP.
A firewall can limit connections by source, port and destination, but it doesn't know anything about the user who's trying to log in on a secure connection. Therefore, you can only block all users or allow all users. On the other hand, RDP doesn't have a feature to restrict users by IP address, just by the login name.
Luckily, there's a solution: install RD Gateway. Allow connections from the Internet only through this gateway and use RD Gateway's Authorization Policies to allow anyone but the administrators to use the gateway. Your administrators inside your local network can still connect directly to the servers.
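The two halves of that answer, as an added example (not the answerer's own script): a Windows Firewall rule on each RDP server that only accepts direct port-3389 connections from the LAN and from the gateway, and a WMI audit of the gateway's connection authorization policies (CAPs) that flags any enabled CAP granting the group the restricted user belongs to. The subnet 10.0.0.0/24, the gateway address 10.0.0.5 and host name RDGW01, the domain CONTOSO, and the group names RDP-External-Users and RDP-Internal-Only are assumptions, not values from the question.

```powershell
# Added example, not code from the original post. Assumed values are labelled.
$lanSubnet       = '10.0.0.0/24'          # assumed internal subnet
$gatewayIp       = '10.0.0.5'             # assumed RD Gateway address
$gatewayHost     = 'RDGW01'               # assumed RD Gateway host name
$restrictedGroup = 'CONTOSO\RDP-Internal-Only'   # assumed group holding the LAN-only user

# --- 1. On each RDP server: direct RDP only from the LAN and from the gateway ---
# Windows Firewall filters by source address, not by user, so this rule cannot
# single out one account; it only forces Internet clients through the gateway,
# where the per-user decision is made by the CAP.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
netsh advfirewall firewall add rule name="RDP from LAN and RD Gateway only" `
    dir=in action=allow protocol=TCP localport=3389 profile=any `
    remoteip="$lanSubnet,$gatewayIp"

# --- 2. On the gateway: audit which groups the enabled CAPs admit ---
# Returns the CAPs that would let the restricted group in from the Internet.
function Test-GatewayCap {
    param(
        [string]$Computer = $gatewayHost,
        [string]$Group    = $restrictedGroup
    )
    $caps = Get-WmiObject -ComputerName $Computer `
        -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGatewayConnectionAuthorizationPolicy

    $offending = @()
    foreach ($cap in $caps) {
        # UserGroupNames lists the groups the CAP grants; a CAP that admits the
        # restricted group (or a broad group such as Domain Users) defeats the
        # "internal only" requirement for that user.
        $grants = [string]$cap.UserGroupNames
        $broad  = $grants -match 'Domain Users' -or $grants -match 'Authenticated Users'
        $direct = $grants.ToLower().Contains($Group.ToLower())
        if ($cap.Enabled -and ($broad -or $direct)) {
            $offending += [pscustomobject]@{
                Name   = $cap.Name
                Grants = $grants
                Reason = if ($direct) { 'grants restricted group' } else { 'grants a broad group' }
            }
        }
    }
    return $offending
}

# Usage: an empty result means no enabled CAP exposes the LAN-only group externally.
Test-GatewayCap | Format-Table -AutoSize
```

The firewall step keeps the administrators' direct LAN access described in the answer intact; only the Internet path changes. The audit is read-only, so it can be run from a workstation with WMI access to the gateway, and it should be re-run after any CAP change, because adding a single broad group to a CAP silently re-exposes every member of the restricted group.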