A question that occasionally arises when I’m conducting an Always On VPN planning and design workshop for a customer is static IP address assignment options for VPN connections. Typically, the use case is a specific user that requires special access to a sensitive system internally. Assigning a static IP address to the user allows administrators to create firewall rules restricting access to this connection.
Static IP Assignment
Assigning a static IP address to a user is accomplished by editing the properties of their user account in Active Directory. Open the Active Directory Users and Computers console (dsa.msc), navigate to the Dial-in tab on the target individual’s Active Directory user account, and check the box next to Assign Static IP Addresses.
Next, click the Static IP Addresses button, check the box next to Assign a Static IPv4 address, and enter an IP address. Optionally, check the box next to Assign a static IPv6 address and enter a prefix and Interface ID, if required.
NPS Configuration
Once the user account in Active Directory is configured with a static IP address assignment, each NPS server in the organization must be registered in Active Directory. More details on Active Directory registration for NPS servers can be found here.
Caveats
Assigning static IP addresses to VPN users has many drawbacks and limitations. Consider the following.
Device IP
Assigning a static IP address to a device is not supported. You can only assign a static IP address to a user in Active Directory.
Address Assignment
The IP address you assign to the user must be from the same subnet as the VPN server’s internal network interface. If there is more than one VPN server, all VPN servers must be on the same subnet.
Multisite
Assigning static IP addresses to users is not supported when VPN servers are deployed in multiple locations.
Concurrent Sessions
Users with a static IP address assignment must only log on to one device at a time. If a user attempts to log in to multiple devices simultaneously, subsequent connections will fail due to the duplicate IP address assignment.
NPS
Always On VPN administrators may have discovered the option to assign a static IP address using NPS policy. Unfortunately, this option is severely limited. A separate NPS policy is needed for each user that requires a static IP address. However, NPS does not support assigning NPS policies to users, only groups. Technically speaking, you could create a separate group for each user needing a static IP address, but that’s not scalable. Also, it offers no real advantage over using the Active Directory method described above.
Summary
Although it’s possible to assign a static IP address to a user, there is currently no option to assign a static IP address to a device. In addition, static IP address assignment imposes other limitations that make the option challenging. Also, the inability to connect to geographically dispersed VPN servers is severely limiting.
Additional Information
Always On VPN and NPS Active Directory Registration