Microsoft KB Archive/169548
Article ID: 169548
Article Last Modified on 10/12/2007
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Proxy Server 2.0 Standard Edition
- Microsoft Routing and Remote Access Service Update for Windows NT Server 4.0
This article was previously published under Q169548
You can use the Routing and Remote Access Server (RRAS) add-on for Microsoft Windows NT to create virtual private network (VPN) connections across the Internet. VPN connections use the Point-to-Point Tunneling Protocol (PPTP) protocol for encrypted communication across the Internet.
Microsoft Proxy Server is a network program that does not require routing. Operationally, this means that every packet that is transmitted to or from the proxy server is either sourced or destined with the proxy server's IP address.
For security reasons, the Proxy Server printed documentation recommends turning off IP forwarding on the computer on which Proxy Server is installed. However, when you install the Routing and Remote Access Update on a server that is running Microsoft Proxy Server, IP forwarding is now turned on. With IP forwarding on, a computer that is running Windows NT Server can forward packets correctly from the Internet connection to the internal network. If IP forwarding is enabled on a proxy server, all security features can be bypassed unless local host filters are configured. However, the PPTP client (the Microsoft Proxy Server) can make calls to the Internet because it is making a direct connection to the Internet and is the source of the PPTP connection. Any proxy clients that are behind the proxy server can also use the PPTP session that has been established. This is because after the PPTP connection is up, the Proxy server treats the PPTP connection like another network interface.
For Microsoft Proxy Server or any other application service, to work securely with Routing and Remote Access Services you must configure input and output filters for local host traffic. These filters are configured by using the Routing and Remote Access Administrator tool.
Before any filters you set up will work, you must enable packet filtering on a global level.
To globally enable packet filtering, follow these steps:
- In the IP Routing folder, right-click Summary, and then click Configure IP parameters.
- On the General tab, click to select the Enable packet-filtering check box.
Note If Proxy Server packet filtering is enabled, the predefined filter PPTP RECEIVE and PPTP CALL must be enabled.
For additional information about how to enable the PPTP RECEIVE and PPTP CALL predefined packet filters, click the following article number to view the article in the Microsoft Knowledge Base:
259605 How to Enable PPTP Packet Filtering, RAS, and Proxy Server 2.0
Adding local host filters
A local host filter makes it possible for your computer to receive only the traffic that is destined for the computer. A local host filter works by making it possible for users to access your computer, but not to route through your computer. After this filter is set, only traffic that is destined for this host is allowed in the interface.
In this example, your Proxy server is configured with an Internet IP address of 192.168.1.1, with a subnet mask of 255.255.255.0. To add local host filters, follow these steps:
- In the IP Routing folder, click Summary.
- Right-click the interface over which you want to set the filter, and then click Configure Interface. This should be the external interface that is connected to the Internet.
- In the IP Configuration dialog box, click Input Filters.
- In the IP Packet Filters Configuration dialog box, click Add. To allow packets with a destination address of your Proxy server, add a filter with the destination IP address of 192.168.1.1 and the destination subnet mask of 255.255.255.0. Click Any as the type of protocol. Click OK, click Drop All Except Listed Below under Filter Action, and then click OK.
- In the IP Configuration dialog box, click Output Filters.
- In the IP Packet Filters Configuration dialog box, click Add. To allow packets that are leaving directly from your Proxy server, add a filter with the source IP address of 192.168.1.1 and the source subnet mask of 255.255.255.0. Click Any as the type of protocol. Click OK, click Drop All Except Listed Below under Filter Action, and then click OK.
You now have configured RRAS to only allow packets that are leaving directly from your Proxy server or packets that are coming directly to your Proxy server. This keeps someone on the Internet from getting into your internal network, and it keeps someone on your internal network from going to the Internet without using the Proxy Server.
Configuring your Proxy Server/RRAS like this also makes it possible for your server to act as a PPTP server so that PPTP clients on the Internet can access your internal LAN.
For additional information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:
161410 How to set up a private network over the Internet using PPTP
Adding Advanced Filters
If you would like to make your Proxy Server Internet connection more secure, you can remove the Input filter that allows any packets address directly to your Proxy server and add individual input filters for each type of packet you would like to allow.
For example, you may want your Proxy server to only service WWW requests from Proxy clients on the LAN. To do this, you would remove the Input filter you added earlier with the Destination IP address of 192.168.1.1. Then you would add an Input filter allowing packets with the Destination IP address of 192.168.1.1, Protocol TCP, Source port 80, and Destination port 0. You would also have to add a second Input filter allowing packets with the Destination IP address of 192.168.1.1, Protocol UDP, Source port 53, and Destination port 0. This will allow the Proxy Server to resolve Internet names using DNS.
If you want Proxy clients to be able to use additional Proxy services, you would have to add Input filters allowing the correct protocol and port number that each service uses. If you want PPTP clients to be able to connect to your internal LAN, then you would need to add PPTP filters.
For additional information, please see the following article(s) in the Microsoft Knowledge Base:
169890 Enable PPTP Filtering Option No Longer Works
A PPTP client that is located behind Microsoft Proxy Server cannot call a PPTP server that is located on the Internet by using the "Winsock Proxy client" connection to the Proxy server. The Winsock Proxy client that is included with Microsoft Proxy Server versions 1.0 and 2.0 does not have the capability to make "remote" PPTP calls. PPTP calls can only originate from or be received on the proxy server computer itself. We do support clients from behind the Proxy Server to set up a PPTP session in ISA Server.
However, with RRAS on the same server, a client could pass its PPTP packets underneath the Proxy service. This only works if the destination address is configured in the Local Address Table (LAT) indicating that the destination is considered local. If the destination is local, the packets are not sent to the Proxy server by using the Winsock Proxy client. Instead, the packets are sent on the network as normal, routeable packets that RRAS can route to the destination based on its routing table.
Because the PPTP Proxy filters are predefined for the local server in terms of source and destination addresses, it will block any PPTP packets it did not create. To implement PPTP filters in this scenario, you have to use RRAS filters instead. For additional information about how to setup RRAS PPTP filters, please click the article number below to view the article in the Microsoft Knowledge Base:
169890 Enable PPTP Filtering Option No Longer Works
For more information about Routing and Remote Access Service, please click the following link:
Additional query words: rras
Keywords: kbhowto kbnetwork KB169548