How to permit PPTP clients to access the external network through ISA Server 2006 or through ISA Server 2004 (838245)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition

For a Microsoft Internet Security and Acceleration Server 2000 version of this article, see 283628.

INTRODUCTION

This article describes how to permit Point-to-Point Tunneling Protocol (PPTP) clients to connect to an external VPN server through Microsoft Internet Security and Acceleration (ISA) Server 2006 or through ISA Server 2004.

MORE INFORMATION

To permit PPTP connections through ISA Server, you must create a rule to permit PPTP protocol traffic to access the external network. To do this, follow these steps:
  1. Start the ISA Server Management tool.
  2. Expand ServerName, where ServerName is the name of your ISA Server computer.
  3. Click Firewall Policy, click the Tasks tab, and then click Create New Access Rule.

    Note: In ISA Server 2006, click Create Access Rule.
  4. In the Access rule name box, type a descriptive name for the firewall rule, and then click Next.
  5. Click Allow, and then click Next.
  6. In the This rule applies to list, click Selected protocols, and then click Add.
  7. Expand VPN and IPSec, click PPTP, click Add, click Close, and then click Next.
  8. Click Add, expand Networks, click Internal, click Add, click Close, and then click Next.
  9. Click Add, and then do one of the following:
    • To permit PPTP traffic to all external destinations, expand Networks, click External, click Add, and then click Close.
    • To permit PPTP traffic to a particular VPN server:
      1. Click New, and then click Computer.
      2. In the Name box, type a descriptive name for this computer, type the computer's IP address in the Computer IP Address box, and then click OK.
      3. Click the new computer that you created, click Add, and then click Close.
  10. Click Next, and then do one of the following:
    • To permit all users access to the remote VPN server, leave the All Users user set in the This rule applies to requests from the following user sets box, and then click Next.
    • To permit only certain users to access the remote VPN server:
      1. Click All Users, and then click Remove.
      2. Click Add, and then click New.
      3. Follow the steps in the New User Set Wizard to create a user set that contains the users who you want to permit access to the VPN server.
      4. In the Add Users dialog box, click the user set that you want to permit access to the VPN server, click Add, click Close, and then click Next.
  11. Review the access rule configuration, and then click Finish.
  12. Click Apply to update the firewall policy, and then click OK.
Note: Sometimes, a rule might be configured so that it blocks certain traffic before your rule permits that traffic. In this scenario, you must modify the rule hierarchy. To move a rule up in the rule hierarchy, right-click that rule, and then click Move Up. When you are finished modifying the rule hierarchy, click Apply to update the firewall policy, and then click OK.

If you have configured a firewall rule that permits all protocols to access the external network, PPTP traffic is also permitted. This is different from ISA Server 2000, where you must explicitly configure the PPTP pass through option in the ISA Management tool. In this scenario, to block outgoing PPTP traffic in ISA Server 2006 or in ISA Server 2004, create an access rule to deny PPTP traffic to the external destination or destinations.
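
The rule-hierarchy note and the allow-all-protocols case above both come down to rule order. The following Python sketch is an added example, not Microsoft code and not the ISA Server engine: it is a simplified first-match model that assumes all requests come from the Internal network, and the rule names and the address 203.0.113.10 are constructed for illustration. It reports rules that can never take effect because an earlier rule with the opposite action matches the same traffic.

```python
from dataclasses import dataclass

ALL = None  # wildcard: all outbound protocols, or the whole External network
# PPTP is a TCP 1723 control channel plus GRE (IP protocol 47) for tunneled data.
PPTP = frozenset({("tcp", 1723), ("gre", None)})
VPN_SERVER = "203.0.113.10"  # constructed address for the sample policies

@dataclass
class Rule:
    name: str
    action: str           # "allow" or "deny"
    protocols: object     # frozenset of (protocol, port), or ALL
    destinations: object  # frozenset of IP strings, or ALL

    def matches(self, proto, dest):
        return ((self.protocols is ALL or proto in self.protocols)
                and (self.destinations is ALL or dest in self.destinations))

def evaluate(rules, proto, dest):
    """First matching rule wins; unmatched traffic hits the default deny."""
    for rule in rules:
        if rule.matches(proto, dest):
            return rule.action, rule.name
    return "deny", "Default rule"

def _superset(a, b):
    return a is ALL or (b is not ALL and b <= a)

def shadowed(rules):
    """(rule, blocker) pairs where an earlier rule with the opposite action
    matches everything the later rule matches, so the later rule never fires."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != rule.action
                    and _superset(earlier.protocols, rule.protocols)
                    and _superset(earlier.destinations, rule.destinations)):
                found.append((rule.name, earlier.name))
                break
    return found

# Constructed sample rules (hypothetical names).
allow_all = Rule("Allow all outbound", "allow", ALL, ALL)
deny_pptp = Rule("Deny PPTP", "deny", PPTP, ALL)
allow_vpn = Rule("Allow PPTP to VPN server", "allow", PPTP, frozenset({VPN_SERVER}))

if __name__ == "__main__":
    print(shadowed([allow_all, deny_pptp]))  # deny rule sits too low to take effect
    print(shadowed([deny_pptp, allow_all]))  # after Move Up: nothing shadowed
    print(shadowed([deny_pptp, allow_vpn]))  # allow rule blocked by an earlier deny
```

A deny PPTP rule placed below an allow-all rule is reported as shadowed, which is the situation that Move Up corrects.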

Modification Type: Minor
Last Reviewed: 9/20/2006
Keywords: kbISA2006Swept kbFirewall kbhowto kbinfo KB838245 kbAudITPRO