On occasion there is a need to assign a VPN client a static IP. In Active Directory, under the Dial-in tab of a user’s profile, there is an option to “Assign a Static IP Address”, but this only applies to true dial-in clients.
There is a way to achieve this using Remote Access Policies, though it is a little crude. Remote Access Policies cannot identify a VPN client by MAC address or even user name, therefore it is necessary to use groups. The “crude” part is that if you have multiple VPN clients each requiring a unique static IP, you need to create a separate group in Active Directory for each user, a very inefficient option. The steps below assume RRAS has already been configured and enabled for VPN access.
Windows Server 2008:
- Create a new group in Active Directory such as VPNuser1 and add your user to that group
- Open the RRAS console, right-click on Remote Access Logging & Policies and choose Launch NPS
- In the Network Policy Server console click on Network Policies, Action, and New
- Name the policy, select Remote Access Server (VPN-Dial up) in the drop down list, and then Next
- Under conditions click Add, select User Groups, and Add
- Click the Add Groups ‘button’ and locate your group using the Object Type (Groups), Locations (your domain or workgroup server), Advanced, and Find Now ‘buttons’ [On occasion you may get an error about not finding the server. Just ignore and continue so long as it adds the group]
- In the Specify Access Permissions window select Access granted and Next
- Accept all defaults in the following two windows; Configure Authentication Methods, Configure Constraints
- Under Configure Settings choose IP Settings, then Assign a static IPv4 address, and insert your chosen static IP. This must of course be part of your LAN subnet.
- Under the Completing New Network Policy click Finish
Windows Server 2003:
- Create a new group in Active Directory such as VPNuser1 and add your user to that group
- In the RRAS console, right click on Remote Access Policies and choose New Remote Access Policy
- Name the policy, and in the next window under Access Method select VPN
- Under User or Group Access select Group, then click Add, and locate your group using the Object Type (Groups), Locations (your domain or workgroup server), Advanced, and Find Now ‘buttons’
- Leave all defaults in the remaining windows and save.
- Right click on the new policy and choose Properties.
- Click the Edit Profile ‘button’
- Under the IP tab select Assign a static IP address and enter the address and then exit selecting the OK/Apply buttons as you close the various windows.
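Because every VPN user needs their own group, the following PowerShell script (an added example, not part of the original article) prepares those groups in bulk and checks that each chosen address is unique and inside the LAN subnet; the network policies themselves are still created in the console as described above. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the subnet, user names, addresses and the `VPN-<user>` group naming are constructed for illustration.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (Server 2008 R2 or later, or RSAT). All names and addresses are constructed.
Import-Module ActiveDirectory

$Network   = '192.168.10.0'   # assumed LAN network address
$PrefixLen = 24               # assumed prefix length
$Map = @{                     # constructed sample: sAMAccountName -> static IP
    'jsmith' = '192.168.10.201'
    'mjones' = '192.168.10.202'
}

function ConvertTo-IPv4Number([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { throw "$Ip is not IPv4" }
    $b = $addr.GetAddressBytes()
    # Plain arithmetic instead of bit shifts so it behaves the same on old PowerShell
    return [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
}

function Test-UsableInSubnet([string]$Ip) {
    $size  = [math]::Pow(2, 32 - $PrefixLen)
    $first = ConvertTo-IPv4Number $Network
    $n     = ConvertTo-IPv4Number $Ip
    # Strictly between the network and broadcast addresses
    return ($n -gt $first) -and ($n -lt ($first + $size - 1))
}

# A duplicate address would hand two VPN clients the same IP
$dupes = $Map.Values | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate static IPs: $(($dupes | ForEach-Object { $_.Name }) -join ', ')" }

foreach ($user in $Map.Keys) {
    $ip = $Map[$user]
    if (-not (Test-UsableInSubnet $ip)) { Write-Warning "$ip ($user) is outside $Network/$PrefixLen, skipped"; continue }
    $group = "VPN-$user"      # assumed naming convention, one group per user
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security -Description "NPS static IP $ip"
    }
    $members = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SamAccountName })
    if ($members -notcontains $user) { Add-ADGroupMember -Identity $group -Members $user; $members += $user }
    # The policy matches on group, so any extra member would receive the same address
    if ($members.Count -gt 1) { Write-Warning "$group has more than one member: $($members -join ', ')" }
    # Emit the pairing to enter under IP Settings when creating each policy
    New-Object PSObject -Property @{ Group = $group; User = $user; StaticIP = $ip }
}
```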
Thanks for this info – gotta say you know your VPN stuff
awesome help! thank you!
I have spent the last 3 hours trying to figure out how to get a static IP address when logging into our company VPN. This fixed my problem. Thank you..Thank You..Thank You. You really are knowledgeable.
Thanks a lot, I saved another day of troubleshooting! I can confirm this works well on SBS 2011.
With your instructions I found an easy way.
NPS – Policies – Network Policies – double click Virtual Private Network (VPN) Access Policy then uncheck Ignore User account dial-in properties.
Now you can configure your static IP-Address in AD User Dial-in tab.
The very beginning of your article says:
In active directory under the Dial-in tab of a user’s profile there is an option to “Assign a Static IP Address”, but this only applies to true dial-in clients.
But that is incorrect. It applies to VPN users also. I just tested this and I was able to assign a specific static IP address to a user by setting that variable under their user attributes on the Dial-in tab. There was no need to do any of these group settings. This article works:
http://support.microsoft.com/kb/303684
I tested it using a 2003 RRAS server and a windows 7 client PC using PPTP connection.
Thanks for the TIP. Worked
You’re the man. THANK YOU, really made my day!!
BRAVO.
You are the MACHINE.
Thanks so much
Excellent, Thanks very much.
Assigning the static IP works. However, if this policy is enabled no other user except this particular VPN user is able to establish a VPN connection.
Thanks for the information. As added information: following your steps, if you assign a static IP on the user’s AD profile (Dial-In tab), it will assign this IP to this user. If no static IP is assigned on the user’s profile, then it will use the IP in the Remote Access Policy.
Thank you.