Assign a Windows VPN Client a Static IP

On occasion there is a need to assign a VPN client a static IP. In Active Directory, under the Dial-in tab of a user’s profile, there is an option to “Assign a Static IP Address”, but this only applies to true dial-in clients.

There is a way to achieve this using Remote Access Policies, though it is a little crude. Remote Access Policies cannot identify a VPN client by MAC address or even user name, so it is necessary to use groups. The “crude” part is that if you have multiple VPN clients each requiring a unique static IP, you need to create a separate group in Active Directory for each user, which is very inefficient. The steps below assume RRAS has already been configured and enabled for VPN access.

Windows Server 2008:


  • Create a new group in Active Directory, such as VPNuser1, and add your user to that group
  • Open the RRAS console, right-click Remote Access Logging & Policies, and choose Launch NPS
  • In the Network Policy Server console, click Network Policies, then Action, then New
  • Name the policy, select Remote Access Server (VPN-Dial up) in the drop-down list, and click Next
  • Under Conditions click Add, select User Groups, and click Add
  • Click the Add Groups button and locate your group using the Object Type (Groups), Locations (your domain or workgroup server), Advanced, and Find Now buttons [On occasion you may get an error about not finding the server. Just ignore it and continue, so long as it adds the group]
  • In the Specify Access Permissions window, select Access granted and click Next
  • Accept all defaults in the following two windows: Configure Authentication Methods and Configure Constraints
  • Under Configure Settings choose IP Settings, then Assign a static IPv4 address, and insert your chosen static IP. This must of course be part of your LAN subnet.
  • In the Completing New Network Policy window, click Finish

Windows Server 2003:


  • Create a new group in Active Directory, such as VPNuser1, and add your user to that group
  • In the RRAS console, right-click Remote Access Policies and choose New Remote Access Policy
  • Name the policy, and in the next window under Access Method select VPN
  • Under User or Group Access select Group, then click Add, and locate your group using the Object Type (Groups), Locations (your domain or workgroup server), Advanced, and Find Now buttons
  • Leave all defaults in the remaining windows and save.
  • Right-click the new policy and choose Properties.
  • Click the Edit Profile button
  • Under the IP tab select Assign a static IP address, enter the address, and then exit by selecting the OK/Apply buttons as you close the various windows.
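
Both procedures depend on each group holding exactly one user and on each address being unique and inside the LAN subnet, which is easy to get wrong once there are several VPNuserN groups. The following is an added example, not part of the original article, that checks such a plan before the policies are created; the plan format, the function name, and the sample users and addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample plan (names and addresses are made up for illustration).
SAMPLE_PLAN = [
    {"group": "VPNuser1", "members": ["alice"], "ip": "192.168.1.201"},
    {"group": "VPNuser2", "members": ["bob", "carol"], "ip": "192.168.1.202"},
    {"group": "VPNuser3", "members": ["Alice"], "ip": "192.168.1.202"},
    {"group": "VPNuser4", "members": ["dave"], "ip": "10.0.0.5"},
    {"group": "VPNuser5", "members": ["erin"], "ip": "192.168.1.255"},
]

def validate_plan(plan, lan_cidr):
    """Return sorted (code, subject, detail) findings for a per-group static-IP plan."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    groups_by_ip = defaultdict(list)
    groups_by_user = defaultdict(list)
    for entry in plan:
        group = entry["group"]
        # One policy hands out one address, so each group must hold exactly one user.
        if len(entry["members"]) != 1:
            findings.append(("MEMBER_COUNT", group, f"{len(entry['members'])} members"))
        for user in entry["members"]:
            groups_by_user[user.lower()].append(group)  # AD account names are case-insensitive
        try:
            ip = ipaddress.ip_address(entry["ip"])
        except ValueError:
            findings.append(("BAD_IP", group, entry["ip"]))
            continue
        groups_by_ip[ip].append(group)
        if ip not in lan:
            findings.append(("OUTSIDE_LAN", group, str(ip)))
        elif ip in (lan.network_address, lan.broadcast_address):
            findings.append(("RESERVED_IP", group, str(ip)))
    # The same address in two policies means two clients can collide on the LAN.
    for ip, groups in groups_by_ip.items():
        if len(groups) > 1:
            findings.append(("DUPLICATE_IP", str(ip), ",".join(groups)))
    # A user in several groups matches several policies, so the address depends on policy order.
    for user, groups in groups_by_user.items():
        if len(groups) > 1:
            findings.append(("MULTI_GROUP", user, ",".join(groups)))
    return sorted(findings)

if __name__ == "__main__":
    for code, subject, detail in validate_plan(SAMPLE_PLAN, "192.168.1.0/24"):
        print(f"{code:13} {subject:15} {detail}")
```

An empty result means every group maps one user to one unique, usable address in the given subnet.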




 


 

13 thoughts on “Assign a Windows VPN Client a Static IP”

  1. I have spent the last 3 hours trying to figure out how to get a static IP address when logging into our company VPN. This fixed my problem. Thank you..Thank You..Thank You. You really are knowledgeable.

  2. With your instructions I found an easy way.
    NPS – Policies – Network Policies – double click Virtual Private Network (VPN) Access Policy then uncheck Ignore User account dial-in properties.

    Now you can configure your static IP-Address in AD User Dial-in tab.

  3. The very beginning of your article says:

    In active directory under the Dial-in tab of a user’s profile there is an option to “Assign a Static IP Address”, but this only applies to true dial-in clients.

    But that is incorrect. It applies to VPN users also. I just tested this and I was able to assign a specific static IP address to a user by setting that variable under their user attributes on the Dial-in tab. There was no need to do any of these group settings. This article works:
    http://support.microsoft.com/kb/303684

    I tested it using a 2003 RRAS server and a Windows 7 client PC using a PPTP connection.

  4. Assigning the static IP works. However, if this policy is enabled no other user except this particular VPN user is able to establish a VPN connection.

  5. Thanks for the information. As added information, following your steps, if you assign a static IP on the user’s AD profile (Dial-in tab) it will assign this IP to this user. If no static IP is assigned on the user’s profile then it will use the IP in the Remote Access Policy.
