Assign a Windows VPN Client a Static IP

Occasionally a VPN client needs a static IP address. In Active Directory, the Dial-in tab of a user’s profile has an option to “Assign a Static IP Address”, but this only applies to true dial-in clients.

There is a way to achieve this using Remote Access Policies, though it is a little crude. Remote Access Policies cannot identify a VPN client by MAC address or even by user name, so it is necessary to use groups. The “crude” part is that if you have multiple VPN clients that each require a unique static IP, you need to create a separate group in Active Directory for each user, which is very inefficient. The steps below assume RRAS has already been configured and enabled for VPN access.

Windows Server 2008:

  • Create a new group in Active Directory, such as VPNuser1, and add your user to that group.
  • Open the RRAS console, right-click Remote Access Logging & Policies, and choose Launch NPS.
  • In the Network Policy Server console, click Network Policies, then Action, then New.
  • Name the policy, select Remote Access Server (VPN-Dial up) in the drop-down list, and click Next.
  • Under Conditions, click Add, select User Groups, and click Add.
  • Click the Add Groups button and locate your group using the Object Type (Groups), Locations (your domain or workgroup server), Advanced, and Find Now buttons. [On occasion you may get an error about not finding the server. Just ignore it and continue, so long as it adds the group.]
  • In the Specify Access Permissions window, select Access granted and click Next.
  • Accept all defaults in the following two windows: Configure Authentication Methods and Configure Constraints.
  • Under Configure Settings, choose IP Settings, then Assign a static IPv4 address, and enter your chosen static IP. This must of course be part of your LAN subnet.
  • In the Completing New Network Policy window, click Finish.

Windows Server 2003:

  • Create a new group in Active Directory, such as VPNuser1, and add your user to that group.
  • In the RRAS console, right-click Remote Access Policies and choose New Remote Access Policy.
  • Name the policy, and in the next window, under Access Method, select VPN.
  • Under User or Group Access, select Group, then click Add, and locate your group using the Object Type (Groups), Locations (your domain or workgroup server), Advanced, and Find Now buttons.
  • Leave all defaults in the remaining windows and save.
  • Right-click the new policy and choose Properties.
  • Click the Edit Profile button.
  • Under the IP tab, select Assign a static IP address, enter the address, and then exit, selecting the OK/Apply buttons as you close the various windows.
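
Because each policy ties one group to one address, it helps to check the whole group-to-IP plan before creating the groups and policies. The PowerShell below is an added example, not part of the original procedure: the helper names `ConvertTo-UInt32` and `Test-VpnStaticIpPlan` are hypothetical, and the users, addresses and 192.168.1.0/24 LAN are constructed sample values (only VPNuser1 is a group name from the steps above).

```powershell
# Added example: sanity-check a one-group-per-user static IP plan.
# Helper names and all sample values below are constructed for illustration.
function ConvertTo-UInt32 {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-VpnStaticIpPlan {
    param(
        [string]$Network,                          # any address inside the LAN subnet
        [ValidateRange(1, 30)][int]$PrefixLength,  # subnet mask length
        [object[]]$Plan                            # rows with Group, User, IP
    )
    $size  = [uint64][math]::Pow(2, 32 - $PrefixLength)
    $net   = [uint64](ConvertTo-UInt32 $Network)
    $first = $net - ($net % $size)   # network address
    $last  = $first + $size - 1      # broadcast address
    $ipOwner = @{}; $groups = @{}; $users = @{}
    foreach ($row in $Plan) {
        $problems = @()
        $ip = [uint64](ConvertTo-UInt32 $row.IP)
        if ($ip -le $first -or $ip -ge $last) { $problems += 'not a host address in the LAN subnet' }
        if ($ipOwner.ContainsKey($ip)) { $problems += "IP already planned for $($ipOwner[$ip])" }
        if ($groups.ContainsKey($row.Group)) { $problems += 'group listed twice; one policy gives one IP per group' }
        if ($users.ContainsKey($row.User)) { $problems += 'user is in more than one static-IP group' }
        $ipOwner[$ip] = $row.Group; $groups[$row.Group] = $true; $users[$row.User] = $true
        [pscustomobject]@{ Group = $row.Group; User = $row.User; IP = $row.IP
                           Problems = ($problems -join '; ') }
    }
}

# Constructed sample plan: one clean row, one duplicate IP, one address off the LAN.
$plan = @(
    [pscustomobject]@{ Group = 'VPNuser1'; User = 'alice'; IP = '192.168.1.210' },
    [pscustomobject]@{ Group = 'VPNuser2'; User = 'bob';   IP = '192.168.1.210' },
    [pscustomobject]@{ Group = 'VPNuser3'; User = 'carol'; IP = '192.168.2.15' }
)
Test-VpnStaticIpPlan -Network '192.168.1.0' -PrefixLength 24 -Plan $plan |
    Format-Table -AutoSize
```

An empty Problems column on every row means the plan is internally consistent; the check does not know which addresses your DHCP scope or RRAS address pool may also hand out.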