Two VPN gateways on one Windows Server 2008?
Hello, I'm thinking about implementing the following scenario: two VPN "gateways" (like "intranet.contoso.com" and "extranet.contoso.com"); users in Active Directory group A are allowed to connect only to the intranet VPN, users in group B are allowed to connect only to the extranet VPN. Clients in the intranet should be given broader access (more static routes to some internal networks), whereas clients in the extranet are only allowed to access one specific network. The two VPNs should have different subnets, of course. I think the isolation part could be done easily using some firewall, but how to start: how to differentiate clients and assign them different addresses and static routes? It's simple if you have two Windows Server 2008 boxes, but is it possible to use only one system? Maybe Network Access Protection would be useful? Currently I have only one VPN configured, with a DHCP Relay Agent on the Internal interface in RRAS. DHCP is assigning the static routes. I'm really looking forward to all suggestions and hints :) Thanks in advance, Regards, Wojciech
September 6th, 2010 6:53pm

Hi Wojciech, Thanks for posting here. You don't have to deploy another RRAS server; you may like to consider deploying NPS for VLANs to redirect users who connect remotely to different VLANs, so that they will be separated even if they acquire addresses in the same segment. Meanwhile, please notice that this solution requires VLAN-aware network hardware.

Configure NPS for VLANs
http://technet.microsoft.com/en-us/library/cc731649(WS.10).aspx

Hope that's helpful.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 7th, 2010 6:18am

Tiger, That looks promising, I'll give it a try today and get back if I have some more questions / mark as answer if it works :) Thank you for your post! Regards, Wojciech

edit: I followed the instructions from the website you gave me and clients can connect. However, it seems that they're still in the default VLAN, because after the connection I can access all network resources. I expected the connectivity to break until I configure a new VLAN interface on my router and allow it to route between my network and the new VPN VLAN. Do I need to configure a Connection Request Policy as well? In the document only the Network Policy is mentioned. Also there is a note that the Tunnel-Tag attribute is only needed if my NAS server needs it. My NAS server is RRAS, right? Does it need this setting? Regards, Wojciech
September 7th, 2010 11:57am

Hi Wojciech, Thanks for the update. Based on my knowledge of NPS, you may like to use a RADIUS (NPS) server to authenticate the incoming connections for the RRAS server and define VLAN attributes in the network policy on the RADIUS server, so that the RADIUS server would follow the policies to redirect incoming sessions to different VLANs.

RADIUS Server for Dial-Up or VPN Connections
http://technet.microsoft.com/en-us/library/cc731108(WS.10).aspx

VLAN Attributes Used in Network Policy
http://technet.microsoft.com/en-us/library/cc754422(WS.10).aspx

I also found an article that may be helpful for you to understand it:
Network Access Protection Using 802.1x VLAN's or Port ACLs – Which is right for you?
http://blogs.technet.com/b/wincat/archive/2008/08/19/network-access-protection-using-802-1x-vlan-s-or-port-acls-which-is-right-for-you.aspx

Please understand that in theory that should work, but I have not tested it yet myself, so I can't guarantee that it would achieve your goal. Meanwhile, I suggest you may like to consult with Microsoft Customer Support Service (CSS) to get a more definitive solution. To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US, please see http://support.microsoft.com for regional support phone numbers.

Thanks.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 8th, 2010 6:12am
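The VLAN attributes the linked articles refer to (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and the optional Tunnel-Tag) are the RFC 2868 tagged tunnel attributes that NPS appends to a RADIUS Access-Accept; the "Tunnel-Tag" setting in NPS is the one-octet tag field that groups the three attributes together when a NAS supports several tunnels at once. The Python below is an added example, not code from this thread or from Microsoft: it encodes and decodes these attributes as RFC 2868/3580 define them, handles the tag-vs-first-byte ambiguity of the string attribute, and extracts the assigned VLAN only when all three attributes agree on the same tag. The VLAN id 20 and the tag values are constructed sample inputs. Whether RRAS itself acts on the attributes it receives is a separate question that this thread leaves open; the example only shows what is on the wire between NPS and the NAS.

```python
"""RFC 2868 tunnel attributes as used for RADIUS VLAN assignment (RFC 3580)."""

TUNNEL_TYPE = 64                 # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65          # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81     # Tunnel-Private-Group-ID (Tunnel-Pvt-Group-ID in NPS)
TUNNEL_TYPE_VLAN = 13            # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "IEEE-802"
NO_TAG = 0                       # RFC 2868: an unused tag field MUST be 0x00


def _check_tag(tag):
    # Valid grouping tags are 0x01..0x1F; 0x00 means "no tag".
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (unused) or 1..31")


def encode_tagged_integer(attr_type, value, tag=NO_TAG):
    """Type | Length | Tag | 3-octet big-endian value (RFC 2868 sections 3.1/3.2)."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integer carries only 3 value octets")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, value, tag=NO_TAG):
    """Type | Length | Tag | string (RFC 2868 section 3.6); tag octet always emitted."""
    _check_tag(tag)
    data = value.encode("ascii")
    if not 1 <= len(data) <= 252:
        raise ValueError("string must be 1..252 octets")
    body = bytes([tag]) + data
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_assignment(vlan_id, tag=NO_TAG):
    """The three attributes a RADIUS server sends to place a session in vlan_id."""
    return (encode_tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def decode_attributes(blob):
    """Parse a run of RADIUS attribute TLVs into (type, tag, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 3 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4 or body[0] > 0x1F:
                raise ValueError("malformed tagged integer attribute")
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but the start of the string.
            if body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = NO_TAG, body.decode("ascii")
        else:
            tag, value = None, body          # not a tunnel attribute; keep raw
        out.append((atype, tag, value))
        i += alen
    return out


def vlan_from_accept(blob):
    """Return the VLAN id assigned by a consistent tag group, or None."""
    by_tag = {}
    for atype, tag, value in decode_attributes(blob):
        if tag is not None:
            by_tag.setdefault(tag, {})[atype] = value
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = vlan_assignment(20, tag=1)      # constructed sample: VLAN 20, Tunnel-Tag 1
    print(accept.hex())
    print(decode_attributes(accept))
    print("assigned VLAN:", vlan_from_accept(accept))
```

The last function is the check a NAS is expected to perform: if the three attributes do not share a tag (for instance Tunnel-Type tagged 1 but Tunnel-Pvt-Group-ID tagged 2), no VLAN is assigned, which is why the NPS documentation says the tag only matters when the NAS actually uses it.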

Thank you for your detailed information. I'm afraid the documentation you linked is not so helpful in my scenario, because none of these documents regard using NAP & VLANs in a VPN scenario; they are about 802.1x port security. In the meantime, however, I've come up with a solution on my own that seems to do the trick: IP filtering. I created multiple network policies in NAP, one policy for the intranet and one for the extranet AD user group, and configured IP filters respectively. For the extranet I explicitly allow some traffic based on destination networks and/or ports. For the intranet I allow all traffic. Regards, Wojciech
September 8th, 2010 12:06pm
