HOW TO: Configure Packet Filter Support for PPTP VPN Clients in Windows Server 2003 (324262)



The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition

This article was previously published under Q324262

SUMMARY

This article describes how to configure packet filter support for PPTP VPN clients.

The Windows Server 2003 Routing and Remote Access service supports virtual private networking (VPN). A VPN client can use Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) and IP Security (IPSec) to create a secure tunnel to a Windows Server 2003-based Routing and Remote Access service VPN server. By this method, the client becomes a remote node on the private network.

A multihomed Routing and Remote Access service VPN server with an external interface that is connected directly to the Internet can take advantage of packet filtering to secure the internal network from external attacks. The best approach to configuring packet filters in a secure environment is to use the least privilege principle, in which all packets are dropped except for those that are explicitly permitted.


How to Configure PPTP Filters to Permit Traffic for PPTP VPN Clients

PPTP is a popular VPN protocol because it is very secure and easy to set up. You can easily deploy PPTP in both Microsoft-only and mixed environments. You can configure your Windows Server 2003-based Routing and Remote Access service VPN server to drop non-PPTP packets by using packet filters.


How to Configure PPTP Input Filters to Permit Inbound Traffic from PPTP VPN Clients

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. In the left pane of the Routing and Remote Access console, expand your server, and then expand IP Routing.
  3. Click General, right-click the external interface, and then click Properties.
  4. Click the General tab, click Inbound Filters, and then click New.
  5. Click to select the Destination network check box, and then in the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255.
  6. In the Protocol box, click TCP. In the Destination port box, type 1723, and then click OK.
  7. Click Drop all packets except those that meet the criteria below.
  8. Click New.
  9. Click to select the Destination network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255.
  10. In the Protocol box, click Other. In the Protocol Number box, type 47, and then click OK two times.

How to Configure PPTP Output Filters to Permit Outbound Traffic to PPTP VPN Clients

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. In the left pane of the Routing and Remote Access console, expand your server, and then expand IP Routing.
  3. Click General, right-click the external interface, and then click Properties.
  4. Click the General tab, click Outbound Filters, and then click New.
  5. Click to select the Source network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click TCP. In the Source port box, type 1723, and then click OK.
  6. Click the Drop all packets except those that meet the criteria below option.
  7. Click New.
  8. Click to select the Source network check box. In the IP address box, type the IP address of the external interface.
  9. In the Protocol box, click Other. In the Protocol Number box, type 47, and then click OK two times.
NOTE: After you make these changes, only PPTP traffic is permitted into and out of the external interface of the Routing and Remote Access service VPN server. These filters support communications with a PPTP VPN client that initiates an inbound call to the Routing and Remote Access service VPN server.
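
The following Python model is an added example, not part of the original article and not Microsoft code. It encodes the four filters from the two procedures above and evaluates packets against the "Drop all packets except those that meet the criteria below" action; the addresses are constructed documentation-range values, and the 255.255.255.255 mask on the protocol 47 output filter is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, GRE = 6, 47               # IP protocol numbers; the article's "Other / 47" is GRE
EXTERNAL_IP = "203.0.113.10"   # constructed placeholder for the external interface address
HOST = EXTERNAL_IP + "/32"     # subnet mask 255.255.255.255 (assumed for the GRE output filter)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports, such as GRE
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    proto: int
    src_net: Optional[str] = None   # None means "any"
    dst_net: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every field that the rule specifies must match the packet.
        if p.proto != self.proto:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return self.dport is None or p.dport == self.dport

# Input filters: destination = external interface, TCP port 1723 or protocol 47.
INBOUND = [Rule(TCP, dst_net=HOST, dport=1723), Rule(GRE, dst_net=HOST)]
# Output filters: source = external interface, TCP source port 1723 or protocol 47.
OUTBOUND = [Rule(TCP, src_net=HOST, sport=1723), Rule(GRE, src_net=HOST)]

def permitted(rules, packet: Packet) -> bool:
    """Drop all packets except those that meet the criteria in `rules`."""
    return any(rule.matches(packet) for rule in rules)
```

A TCP connection that the server itself opens to port 1723 on another host leaves with an ephemeral source port, so the output filters drop it; this is why the NOTE limits these filters to calls that a PPTP client initiates.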


Modification Type: Major
Last Reviewed: 4/5/2004
Keywords: kbHOWTOmaster kbNetwork KB324262 kbAudITPro