Microsoft KB Archive/324262

= HOW TO: Configure Packet Filter Support for PPTP VPN Clients in Windows Server 2003 =

Article ID: 324262

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition




This article was previously published under Q324262



For a Microsoft Windows 2000 version of this article, see 310111.

IN THIS TASK
 * SUMMARY
 * How to Configure PPTP Filters to Permit Traffic for PPTP VPN Clients
 * How to Configure PPTP Input Filters to Permit Inbound Traffic from PPTP VPN Clients
 * How to Configure PPTP Output Filters to Permit Outbound Traffic to PPTP VPN Clients



SUMMARY
This article describes how to configure packet filter support for PPTP VPN clients.

The Windows Server 2003 Routing and Remote Access service supports virtual private networking (VPN). A VPN client can use Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) and IP Security (IPSec) to create a secure tunnel to a Windows Server 2003-based Routing and Remote Access service VPN server. By this method, the client becomes a remote node on the private network.

A multihomed Routing and Remote Access service VPN server with an external interface that is connected directly to the Internet can use packet filtering to protect the internal network from external attacks. The best approach to configuring packet filters in a secure environment is to follow the principle of least privilege, in which all packets are dropped except for those that are explicitly permitted.


How to Configure PPTP Filters to Permit Traffic for PPTP VPN Clients
PPTP is a popular VPN protocol because it is very secure and easy to set up. You can easily deploy PPTP in both Microsoft-only and mixed environments. You can configure your Windows Server 2003-based Routing and Remote Access service VPN server to drop non-PPTP packets by using packet filters.


How to Configure PPTP Input Filters to Permit Inbound Traffic from PPTP VPN Clients

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
 * 2) In the left pane of the Routing and Remote Access console, expand your server, and then expand IP Routing.
 * 3) Click General, right-click the external interface, and then click Properties.
 * 4) Click the General tab, click Inbound Filters, and then click New.
 * 5) Click to select the Destination network check box, and then in the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255.
 * 6) In the Protocol box, click TCP. In the Destination port box, type 1723, and then click OK.
 * 7) Click Drop all packets except those that meet the criteria below.
 * 8) Click New.
 * 9) Click to select the Destination network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255.
 * 10) In the Protocol box, click Other. In the Protocol Number box, type 47, and then click OK two times.


How to Configure PPTP Output Filters to Permit Outbound Traffic to PPTP VPN Clients

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
 * 2) In the left pane of the Routing and Remote Access console, expand your server, and then expand IP Routing.
 * 3) Click General, right-click the external interface, and then click Properties.
 * 4) Click the General tab, click Outbound Filters, and then click New.
 * 5) Click to select the Source network check box. In the IP address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click TCP. In the Source port box, type 1723, and then click OK.
 * 6) Click the Drop all packets except those that meet the criteria below option.
 * 7) Click New.
 * 8) Click to select the Source network check box. In the IP address box, type the IP address of the external interface.
 * 9) In the Protocol box, click Other. In the Protocol Number box, type 47, and then click OK two times.

NOTE: After you make these changes, only PPTP traffic is permitted into and out of the external interface of the Routing and Remote Access service VPN server. These filters support communications with a PPTP VPN client that initiates an inbound call to the Routing and Remote Access service VPN server.
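The following Python model is an added example, not part of the original article or any Microsoft tooling. It encodes the four filters from the two procedures above and evaluates constructed packets against them, showing why only client-initiated PPTP passes. Assumptions: the addresses are documentation-range placeholders, every filter is treated as a host match (mask 255.255.255.255), and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_IP = "203.0.113.10"  # constructed: stands in for the external interface
CLIENT = "198.51.100.7"       # constructed: a remote PPTP VPN client
TCP, GRE = 6, 47              # IP protocol numbers; 47 is the value typed in the steps
HOST = EXTERNAL_IP + "/255.255.255.255"  # assumption: host mask on every filter

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Filter:
    proto: int
    src_net: Optional[str] = None  # None = "Source network" box not selected
    dst_net: Optional[str] = None  # None = "Destination network" box not selected
    sport: Optional[int] = None    # None = any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.src_net is None or ip_address(p.src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net))
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))

# The two inbound and two outbound filters created in the procedures above.
INBOUND = [Filter(TCP, dst_net=HOST, dport=1723), Filter(GRE, dst_net=HOST)]
OUTBOUND = [Filter(TCP, src_net=HOST, sport=1723), Filter(GRE, src_net=HOST)]

def permitted(filters, packet: Packet) -> bool:
    """Model of 'Drop all packets except those that meet the criteria below'."""
    return any(f.matches(packet) for f in filters)

def audit() -> dict:
    """Evaluate constructed sample packets in each direction on the external interface."""
    return {
        "in: PPTP control": permitted(INBOUND, Packet(CLIENT, EXTERNAL_IP, TCP, 50000, 1723)),
        "in: GRE tunnel data": permitted(INBOUND, Packet(CLIENT, EXTERNAL_IP, GRE)),
        "in: HTTP": permitted(INBOUND, Packet(CLIENT, EXTERNAL_IP, TCP, 50001, 80)),
        "out: PPTP control reply": permitted(OUTBOUND, Packet(EXTERNAL_IP, CLIENT, TCP, 1723, 50000)),
        "out: server-initiated PPTP": permitted(OUTBOUND, Packet(EXTERNAL_IP, CLIENT, TCP, 50002, 1723)),
    }
```

The last entry is dropped because the outbound TCP filter matches on source port 1723, so a control connection that the server itself opens to a remote port 1723 never matches; this is the inbound-call limitation that the NOTE describes.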



© Microsoft Corporation. All rights reserved.