How to configure packet filter support for PPTP VPN clients in Windows 2000 (310111)



The information in this article applies to:

  • Microsoft Windows 2000 Server

This article was previously published under Q310111

SUMMARY

This article describes how to configure packet filter support for PPTP VPN clients.

The Windows 2000 Routing and Remote Access service supports virtual private networking (VPN). A VPN client can use Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) and IP Security (IPSec) to create a secure tunnel to a Windows 2000-based Routing and Remote Access service VPN server and become a remote node on the private network.

A multihomed Routing and Remote Access service VPN server with an external interface that is connected directly to the Internet can take advantage of packet filtering to secure the internal network from external attacks. The best approach to configuring packet filters in a secure environment is to use the "least privilege" principle, in which all packets are dropped except for those that are explicitly allowed.


How to Configure PPTP Filters to Allow Traffic for PPTP VPN Clients

PPTP is a popular VPN protocol because it is very secure and easy to set up. You can deploy PPTP easily in both Microsoft-only and mixed environments. You can configure your Windows 2000-based Routing and Remote Access service VPN server to drop non-PPTP packets by using packet filters.


How to Configure PPTP Input Filters to Allow Inbound Traffic from PPTP VPN Clients

  1. Start the Routing and Remote Access console from the Administrative Tools menu.
  2. In the left pane of the Routing and Remote Access console, expand your server, and then expand the IP Routing node.
  3. Click the General node. Right-click the external interface, and then click Properties.
  4. On the General tab, click Input Filters.
  5. Click Add.
  6. Select the Destination network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255.
  7. In the Protocol box, click TCP. In the Protocol Number box, type 1723. Click OK.
  8. Click Drop all packets except those that meet the criteria below.
  9. Click Add.
  10. Select the Destination network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click Other. In the Protocol Number box, type 47. Click OK.
  11. Click OK.


How to Configure PPTP Output Filters to Allow Outbound Traffic to PPTP VPN Clients

  1. On the General tab in the External_interface Properties dialog box, click Output Filters.
  2. Click Add.
  3. Select the Source network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click TCP. In the Source port box, type 1723. Click OK.
  4. Click Drop all packets except those that meet the criteria below.
  5. Click Add.
  6. Select the Source network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click Other. In the Protocol Number box, type 47. Click OK.
  7. Click OK.
  8. Click OK.

NOTE: After you make these changes, only PPTP traffic is allowed into and out of the external interface of the Routing and Remote Access service VPN server. These filters support communications with a PPTP VPN client that initiates an inbound call to the Routing and Remote Access service VPN server.
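The following Python model is an added illustration (not Microsoft's code and not the Routing and Remote Access service implementation) that expresses the input and output filter lists above as data and evaluates constructed packets against them the way the "Drop all packets except those that meet the criteria below" setting does. The addresses are constructed placeholders, and the TCP input rule is modelled as matching destination port 1723, the PPTP control port the step intends.

```python
from collections import namedtuple

EXTERNAL_IP = "203.0.113.10"  # constructed placeholder: the VPN server's external interface
CLIENT_IP = "198.51.100.7"    # constructed placeholder: a remote PPTP client on the Internet
TCP, GRE = 6, 47              # IP protocol numbers; 47 is GRE, which carries the PPTP data tunnel

# A filter field of None means "not specified". Addresses are compared for exact equality,
# which is what the 255.255.255.255 subnet mask in the steps above means.
Filter = namedtuple("Filter", "proto src dst src_port dst_port", defaults=(None,) * 4)
Packet = namedtuple("Packet", "src dst proto src_port dst_port", defaults=(None, None))

# Input filters (steps 6-10): PPTP control (TCP 1723) and GRE addressed to the external interface.
INPUT_FILTERS = [Filter(proto=TCP, dst=EXTERNAL_IP, dst_port=1723),
                 Filter(proto=GRE, dst=EXTERNAL_IP)]
# Output filters (steps 3-6): replies sourced from the external interface, TCP port 1723 and GRE.
OUTPUT_FILTERS = [Filter(proto=TCP, src=EXTERNAL_IP, src_port=1723),
                  Filter(proto=GRE, src=EXTERNAL_IP)]

def matches(f, p):
    """A filter matches when every field it specifies equals the packet's field."""
    pairs = [(f.proto, p.proto), (f.src, p.src), (f.dst, p.dst),
             (f.src_port, p.src_port), (f.dst_port, p.dst_port)]
    return all(want is None or want == have for want, have in pairs)

def allowed(filters, p):
    """'Drop all packets except those that meet the criteria below': forward only on a match."""
    return any(matches(f, p) for f in filters)

def evaluate_samples():
    """Constructed packets run through the filters; True = forwarded, False = dropped."""
    samples = {
        "in: client -> ext TCP/1723 (PPTP control)": (INPUT_FILTERS, Packet(CLIENT_IP, EXTERNAL_IP, TCP, 40001, 1723)),
        "in: client -> ext GRE (PPTP data)": (INPUT_FILTERS, Packet(CLIENT_IP, EXTERNAL_IP, GRE)),
        "in: client -> ext TCP/445 (SMB probe)": (INPUT_FILTERS, Packet(CLIENT_IP, EXTERNAL_IP, TCP, 40002, 445)),
        "in: client -> internal host TCP/1723": (INPUT_FILTERS, Packet(CLIENT_IP, "10.0.0.5", TCP, 40003, 1723)),
        "out: ext:1723 -> client TCP (PPTP reply)": (OUTPUT_FILTERS, Packet(EXTERNAL_IP, CLIENT_IP, TCP, 1723, 40001)),
        "out: ext GRE -> client (PPTP data)": (OUTPUT_FILTERS, Packet(EXTERNAL_IP, CLIENT_IP, GRE)),
        "out: ext:80 -> client TCP (non-PPTP reply)": (OUTPUT_FILTERS, Packet(EXTERNAL_IP, CLIENT_IP, TCP, 80, 40004)),
    }
    return {label: allowed(fl, pkt) for label, (fl, pkt) in samples.items()}

if __name__ == "__main__":
    for label, ok in evaluate_samples().items():
        print(("FORWARD" if ok else "DROP").ljust(8), label)
```

Only the four PPTP packets are forwarded; the SMB probe, the connection aimed at an internal host, and the non-PPTP reply are all dropped by the default-deny setting.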


Modification Type: Minor    Last Reviewed: 2/7/2006
Keywords:kbhowto kbHOWTOmaster KB310111 kbAudITPro