Appendix B: VPN Servers and Firewall Configuration

Applies To: Windows Server 2008, Windows Server 2008 R2

In deciding where to place remote access servers on your network, consider firewall placement and the placement of other network resources. Place remote access servers close to the network resources that remote access clients need. These resources might include a certification authority (CA), a Remote Authentication Dial-In User Service (RADIUS) server, a domain controller, or file and application servers.

In a dial-up remote access design where servers do not need a direct Internet connection, servers usually are placed behind the firewall. Because a VPN design involves Internet connectivity, server placement relative to the firewall is a greater issue.

If you are designing a VPN remote access solution, there are two approaches to using a firewall with a VPN:

  • VPN server in front of the firewall. The VPN server is attached directly to the Internet, and the firewall is between the VPN server and the intranet.

  • VPN server behind the firewall. The firewall is attached to the Internet, with the VPN server between the firewall and the intranet. This is the placement used in a typical perimeter network configuration, in which one firewall is positioned between the VPN server and the organizational intranet, and another firewall is positioned between the VPN server and the Internet.

VPN server in front of the firewall

When the VPN server is in front of the firewall and attached directly to the Internet, you need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server's Internet interface.

For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall. Through the use of its filters, the firewall allows the traffic to be forwarded to intranet resources. Because the only traffic that crosses the VPN server is generated by authenticated VPN clients, in this scenario, firewall filtering can be used to prevent VPN users from accessing specific intranet resources. Because the only Internet traffic allowed on the intranet must pass through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.

The following illustration shows the VPN server in front of the firewall.

Because the VPN server does not have the protection of the firewall, configure the Internet interface on the VPN server to use the following input and output filters by using RRAS MMC snap-in.

Packet filters for Internet Key Exchange version 2 (IKEv2)

Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 500. This filter allows Internet Key Exchange (IKE) traffic from VPN clients to the VPN server.

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 4500. This filter allows IPsec network address translation traversal (NAT-T) traffic.

Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 500. This filter allows IKE traffic from the VPN server.

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 4500. This filter allows IPsec NAT-T traffic.

There are no filters required for Encapsulating Security Payload (ESP) traffic at the IP protocol of 50. The ESP header is removed by the IPsec components before the IKEv2 packet is passed to Routing and Remote Access.

Important

An IPsec NAT-T deployment for Windows that includes VPN servers that are located behind a NAT device is not recommended. When a server is behind a NAT device, and the server uses IPsec NAT-T, unintended behavior might occur.

Packet filters for Point-to-Point Tunneling Protocol (PPTP)

Configure the following input filters, and set the filter action set to Drop all packets except those that meet the criteria below:

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723. This filter allows PPTP tunnel maintenance traffic from PPTP clients to the PPTP server.

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47 (GRE). This filter allows PPTP tunneled data from PPTP clients to the PPTP server.

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] source port of 1723. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. TCP [established] traffic is accepted only when the VPN server initiated the TCP connection.

Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP source port of 1723. This filter allows PPTP tunnel maintenance traffic from the VPN server to VPN clients.

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47 (GRE). This filter allows PPTP tunneled data from the VPN server to VPN clients.

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. TCP [established] traffic is sent only when the VPN server initiated the TCP connection.

Packet filters for Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPsec)

Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 500. This filter allows Internet Key Exchange (IKE) traffic from VPN clients to the VPN server.

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 1701. This filter allows L2TP traffic from VPN clients to the VPN server.

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 4500. This filter allows IPsec network address translation traversal (NAT-T) traffic.

Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 500. This filter allows IKE traffic from the VPN server.

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 1701. This filter allows L2TP traffic from the VPN server to the VPN client.

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 4500. This filter allows IPsec NAT-T traffic.

There are no filters required for Encapsulating Security Payload (ESP) traffic at the IP protocol of 50. The ESP header is removed by the IPsec components before the L2TP packet is passed to Routing and Remote Access.

Important

An IPsec NAT-T deployment for Windows that includes VPN servers that are located behind a NAT device is not recommended. When a server is behind a NAT device, and the server uses IPsec NAT-T, unintended behavior might occur.

Packet filters for Secure Socket Tunneling Protocol (SSTP)

Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 443. This filter allows SSTP tunneled data from VPN clients to the VPN server and allows SSTP tunnel maintenance.

  • Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] source port of 443. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. TCP [established] traffic is accepted only when the VPN server initiated the TCP connection.

Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 443. This filter allows SSTP tunneled data from the VPN server to VPN clients and allows SSTP tunnel maintenance.

  • Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] destination port of 443. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. TCP [established] traffic is sent only when the VPN server initiated the TCP connection.

VPN server behind the firewall

In a more common configuration, the firewall is attached to the Internet, and the VPN server is an intranet resource that is attached to the perimeter network. The VPN server has an interface on both the perimeter network and the intranet. In this scenario, the firewall must be configured with input and output filters on its Internet interface that allow tunnel maintenance traffic and tunneled data to pass to the VPN server. Additional filters can allow traffic to pass to Web, FTP, and other types of servers on the perimeter network. For an additional layer of security, the VPN server can also be configured with PPTP, L2TP/IPsec, or SSTP packet filters on its perimeter network interface.

Because the firewall does not have the encryption keys for each VPN connection, it can filter only on the plaintext headers of the tunneled data. In other words, all tunneled data passes through the firewall. This is not a security concern, however, because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.

The following illustration shows the VPN server behind the firewall on the perimeter network.

For both the Internet and perimeter network interfaces on the firewall, configure the following input and output filters by using the firewall's configuration software.

Firewall packet filters for IKEv2

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface of the firewall.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 500. This filter allows IKEv2 traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 4500. This filter allows IPsec NAT-T traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN client to the VPN server.

Configure the following output packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 500. This filter allows IKEv2 traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 4500. This filter allows IPsec NAT-T traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN server to the VPN client.

Important

An IPsec NAT-T deployment for Windows that includes VPN servers that are located behind a NAT device is not recommended. When a VPN server is behind a NAT device, and the VPN server uses IPsec NAT-T, unintended behavior might occur.

Filters on the perimeter network interface

Configure the following input packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 500. This filter allows IKEv2 traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 4500. This filter allows IPsec NAT-T traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN server to the VPN client.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 500. This filter allows IKE traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 4500. This filter allows IPsec NAT-T traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN client to the VPN server.

Important

An IPsec NAT-T deployment for Windows that includes VPN servers that are located behind a NAT device is not recommended. When a VPN server is behind a NAT device, and the server uses IPsec NAT-T, unintended behavior might occur.

Firewall packet filters for PPTP

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface of the firewall.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and TCP destination port of 1723. This filter allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 47 (GRE). This filter allows PPTP tunneled data from the PPTP client to the PPTP server.

  • Destination IP address of the VPN server's perimeter network interface and TCP source port of 1723. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.

Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and TCP source port of 1723. This filter allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.

  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 47 (GRE). This filter allows PPTP tunneled data from the VPN server to the VPN client.

  • Source IP address of the VPN server's perimeter network interface and TCP destination port of 1723. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.

Filters on the perimeter network interface

Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and TCP source port of 1723. This filter allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.

  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 47 (GRE). This filter allows PPTP tunneled data from the VPN server to the VPN client.

  • Source IP address of the VPN server's perimeter network interface and TCP destination port of 1723. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and TCP destination port of 1723. This filter allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 47 (GRE). This filter allows PPTP tunneled data from the PPTP client to the PPTP server.

  • Destination IP address of the VPN server's perimeter network interface and TCP source port of 1723. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.

Firewall packet filters for L2TP/IPsec

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface of the firewall.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 500. This filter allows IKE traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 4500. This filter allows IPsec NAT-T traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN client to the VPN server.

Configure the following output packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 500. This filter allows IKE traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 4500. This filter allows IPsec NAT-T traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN server to the VPN client.

There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPsec ESP payload.

Important

An IPsec NAT-T deployment for Windows that includes VPN servers that are located behind a NAT device is not recommended. When a VPN server is behind a NAT device, and the VPN server uses IPsec NAT-T, unintended behavior might occur.

Filters on the perimeter network interface

Configure the following input packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 500. This filter allows IKE traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and UDP source port of 4500. This filter allows IPsec NAT-T traffic from the VPN server.

  • Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN server to the VPN client.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 500. This filter allows IKE traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and UDP destination port of 4500. This filter allows IPsec NAT-T traffic to the VPN server.

  • Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 50. This filter allows IPsec ESP traffic from the VPN client to the VPN server.

There are no filters required for L2TP traffic at the UDP port of 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPsec ESP payload.

Important

An IPsec NAT-T deployment for Windows that includes VPN servers that are located behind a NAT device is not recommended. When a VPN server is behind a NAT device, and the server uses IPsec NAT-T, unintended behavior might occur.

Firewall packet filters for SSTP

Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.

Filters on the Internet interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and TCP destination port of 443. This filter allows SSTP tunnel maintenance and tunneled data from the SSTP client to the SSTP server .

  • Destination IP address of the VPN server's perimeter network interface and TCP source port of 443. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.

Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and TCP source port of 443. This filter allows SSTP tunneled data from the VPN server to the VPN client and tunnel maintenance.

  • Source IP address of the VPN server's perimeter network interface and TCP destination port of 443. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.

Filters on the perimeter network interface

Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the VPN server's perimeter network interface and TCP source port of 443. This filter allows SSTP tunneled data from the VPN server to the VPN client and tunnel maintenance.

  • Source IP address of the VPN server's perimeter network interface and TCP destination port of 443. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the VPN server's perimeter network interface and TCP destination port of 443. This filter allows SSTP tunnel maintenance andtunneled data from the SSTP client to the SSTP server.

  • Destination IP address of the VPN server's perimeter network interface and TCP source port of 443. This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. Use this filter only in conjunction with the PPTP packet filters configured on the VPN server's perimeter network interface as described in the “VPN server in front of the firewall” section earlier in this topic. By allowing all traffic to the VPN server from TCP port 1723, network attacks can be sent from sources on the Internet that use this port.