restrict user to local TS access and deny remote

[blin]

Is there a way with Windows 2003 Terminal Services to allow a user to login from the LAN but not remotely (over the Internet) on the same Terminal Server?

[blin]

If you do not mind it applying to all users, you can configure windows firewall to only allow RDP connections from the local subnet. If you want to allow some users to access the server via the Internet and some only the local LAN, you can accomplish this with multiple RDP-Tcp listeners.

For example, on the RDP-Tcp listener for the LAN, grant access using TS Configuration (tscc.msc) only to the TS LAN Users group (as well as administrators, etc.). On the other RDP-Tcp listener, grant access to the TS Internet Users group (as well as administrators, etc.). The second listener is the one that you have your firewall forwarding incoming rdp traffic to.

Using the gui interface you can create a listener for each nic in your server. This is done in TS Configuration as well. If you want to create multiple listeners on a single nic, you will need to use a different tcp port for each listener and manually create the new listener in the registry.

If you install RD Gateway in your environment you could use that to control which users can access the server from the Internet. Downside is you would need to buy Server 2008 R2 (or 2008) and then buy RDS CALs for the users coming in via the Internet.

-TP