Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)

To secure the VPN server from sending or receiving any traffic on its Internet interface except VPN traffic, you need to configure Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/ IPSec) input and output filters on the interface that corresponds to the connection to the Internet. Because IP routing is enabled on the Internet interface, if PPTP or L2TP/IPSec filters are not configured on the Internet interface, any traffic received on the Internet interface is routed, which might result in unwanted Internet traffic being forwarded to your intranet.

When the VPN server is attached to the Internet, in front of the firewall, you need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server’s Internet interface.

For inbound traffic, when the VPN server decrypts the tunneled data, it is forwarded to the firewall. The firewall in this configuration is acting as a filter for intranet traffic and can prevent specific resources from being accessed, scan data for viruses, perform intrusion detection, and perform other functions.

Because the only Internet traffic allowed on the intranet must pass through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.

Figure B-1 shows the VPN server in front of the firewall.

Figure B-1: The VPN server in front of the firewall.

The firewall is configured for the appropriate rules for intranet traffic to and from VPN clients according to your network security policies.

For the Internet interface on the VPN server, configure the following input and output filters using the Routing And Remote Access snap-in. These filters are automatically configured when you run the Routing And Remote Access Server Setup Wizard and choose the Remote Access (Dial-up Or VPN) option, select the correct interface, and select the Enable Security On The Selected Interface By Setting Up Static Packet Filters option on the VPN Connection page (enabled by default).

Packet Filters for PPTP

Configure the following input filters with the filter action set to Drop All Packets Except Those That Meet The Criteria Below:

• Destination IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and Transmission Control Protocol (TCP) destination port of 1723.

  This filter allows PPTP tunnel management traffic to the VPN server.

• Destination IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47.

  This filter allows PPTP tunneled data to the VPN server.

• Destination IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and TCP [Established] source port of 1723.

  This filter is required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site (also known as router-to-router) VPN connection. TCP [Established] traffic is accepted only when the VPN server initiated the TCP connection.

Configure the following output filters with the filter action set to Drop All Packets Except Those That Meet The Criteria Below:

• Source IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and TCP source port of 1723.

  This filter allows PPTP tunnel management traffic from the VPN server.

• Source IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47.

  This filter allows PPTP tunneled data from the VPN server.

• Source IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and TCP [Established] destination port of 1723.

  This filter is required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. TCP [Established] traffic is sent only when the VPN server initiated the TCP connection.

Packet Filters for L2TP/IPSec

Configure the following input filters with the filter action set to Drop All Packets Except Those That Meet The Criteria Below:

• Destination IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and User Datagram Protocol (UDP) destination port of 500.

  This filter allows Internet Key Exchange (IKE) traffic to the VPN server.

• Destination IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 4500.

  This filter allows IPSec Network Address Translation-Traversal (NAT-T) traffic to the VPN server.

• Destination IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 1701.

  This filter allows L2TP traffic to the VPN server.

Configure the following output filters with the filter action set to Drop All Packets Except Those That Meet The Criteria Below:

• Source IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and UDP source port of 500.

  This filter allows IKE traffic from the VPN server.

• Source IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and UDP source port of 4500.

  This filter allows IPSec NAT-T traffic from the VPN server.

• Source IP address of the VPN server’s Internet interface, subnet mask of 255.255.255.255, and UDP source port of 1701.

  This filter allows L2TP traffic from the VPN server.

There are no filters required for IPSec Encapsulating Security Protocol (ESP) traffic for the IP protocol of 50. The Routing And Remote Access service filters are applied after the IPSec components remove the ESP header.