Configuring PPTP VPN Client Filters in Windows Server 2003


This article describes how to configure packet filter support for PPTP VPN clients.

The Windows Server 2003 Routing and Remote Access service supports virtual private networks (VPNs). VPN clients can use Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security (IPsec) to create a secure tunnel to the Windows Server 2003-based Routing and Remote Access Service VPN server. In this way, the client becomes a remote node on the private network.

A multihomed Routing and Remote Access Service VPN server with an external interface directly connected to the Internet can use packet filtering to protect the internal network from external attacks. The best way to configure packet filters in a secure environment is to use the principle of least privilege: discard all packets except those that are explicitly allowed.

How to configure PPTP filters to allow communication for PPTP VPN clients

PPTP is a common VPN protocol because it is safe and easy to set up. You can easily deploy PPTP in both pure Microsoft and mixed environments. You can configure the Windows Server 2003-based Routing and Remote Access Service VPN server to discard non-PPTP packets by using packet filters.

How to configure PPTP input filters to allow inbound traffic from a PPTP VPN client

Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

In the left pane of the Routing and Remote Access console, expand the server, and then expand IP routing.

Click General, right-click the external interface, and then click Properties.

Click the General tab, click Inbound Filters, and then click New.

Click the Destination network check box to select it, and then in the IP Address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255.

In the Protocol box, click TCP. In the Destination port box, type 1723, and then click OK.

Click Drop all packets except those that meet the criteria below.

Click New.

Click the Destination network check box to select it. In the IP Address box, type the IP address of the external interface.

In the Subnet mask box, type 255.255.255.255.

In the Protocol box, click Other. In the Protocol number box, type 47, and then click OK two times.

How to configure the PPTP output filter to allow outbound traffic to a PPTP VPN client

Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

In the left pane of the Routing and Remote Access console, expand your server, and then expand IP routing.

Click General, right-click the external interface, and then click Properties.

Click the General tab, click Outbound Filters, and then click New.

Click the Source Network check box to select it. In the IP Address box, type the IP address of the external interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click TCP. In the Source port box, type 1723, and then click OK.

Click the Drop all packets except those that meet the criteria below option.

Click the Source Network check box to select it. In the IP Address box, type the IP address of the external interface. In the Protocol box, click Other. In the Protocol number box, type 47, and then click OK two times.

Note: After these changes are made, only PPTP traffic can enter and leave the external interface of the Routing and Remote Access Service VPN server. These filters support communication with PPTP VPN clients that initiate inbound calls to the Routing and Remote Access Service VPN server.
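To check the resulting rule set before relying on it, the following Python model evaluates constructed packets against the two inbound and two outbound filters configured above. It is an added example, not part of the original article or of any Microsoft tool; the addresses 203.0.113.10 and 198.51.100.7 and the names Packet, Filter and allowed are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_IP = "203.0.113.10"   # assumed external interface address (constructed)
CLIENT_IP = "198.51.100.7"     # assumed remote VPN client address (constructed)
TCP, UDP, GRE = 6, 17, 47      # IP protocol numbers; 47 is the number typed above

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Filter:                      # hypothetical model of one filter entry
    proto: int
    src_net: Optional[str] = None  # None = check box cleared, any address
    dst_net: Optional[str] = None
    sport: int = 0                 # 0 = any port
    dport: int = 0

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        return (p.proto == self.proto
                and self.sport in (0, p.sport)
                and self.dport in (0, p.dport))

HOST = f"{EXTERNAL_IP}/255.255.255.255"   # the host mask used in the procedure
INBOUND = [Filter(TCP, dst_net=HOST, dport=1723), Filter(GRE, dst_net=HOST)]
OUTBOUND = [Filter(TCP, src_net=HOST, sport=1723), Filter(GRE, src_net=HOST)]

def allowed(filters, packet: Packet) -> bool:
    """Default deny: a packet passes only if some filter matches it."""
    return any(f.matches(packet) for f in filters)

if __name__ == "__main__":
    checks = {
        "PPTP control in": (INBOUND, Packet(CLIENT_IP, EXTERNAL_IP, TCP, 49152, 1723)),
        "GRE tunnel in": (INBOUND, Packet(CLIENT_IP, EXTERNAL_IP, GRE)),
        "HTTP in": (INBOUND, Packet(CLIENT_IP, EXTERNAL_IP, TCP, 49152, 80)),
        "PPTP control reply out": (OUTBOUND, Packet(EXTERNAL_IP, CLIENT_IP, TCP, 1723, 49152)),
        "server-initiated PPTP out": (OUTBOUND, Packet(EXTERNAL_IP, CLIENT_IP, TCP, 49152, 1723)),
    }
    for name, (filters, pkt) in checks.items():
        print(f"{name:28} {'pass' if allowed(filters, pkt) else 'drop'}")
```

The last case is dropped because the outbound TCP filter matches on source port 1723 only, which is why the note limits these filters to clients that call in to the server.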
