07/02/2012
When designing a virtual private network (VPN) remote access solution that involves network
firewalls, you typically choose between the following two options for server placement. Each
option has different design requirements.
VPN server behind a firewall. The firewall is attached to the Internet, with the VPN
server between the firewall and the intranet. This is the placement used in a typical
perimeter network configuration, in which one firewall is positioned between the VPN
server and the intranet and another firewall is positioned between the VPN server and
the Internet.
VPN server in front of a firewall. The VPN server is connected directly to the Internet,
with the firewall between the VPN server and the intranet.
VPN server behind a firewall
In this approach, the firewall must be configured with input and output filters on its Internet
and perimeter network interfaces that pass tunnel maintenance traffic and tunneled data to and
from the VPN server. Additional filters can pass traffic to Web servers, FTP servers, and other
servers on the perimeter network. As an added layer of security, the VPN server should also be
configured with Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol
(SSTP), or Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) packet filters
on its perimeter network interface, as described in "VPN server in front of a firewall" in this
topic.
Because the firewall does not have the encryption keys for each VPN connection, it can filter
only on the plaintext headers of the tunneled data; it cannot inspect or block anything carried
inside the tunnel, so all tunneled data passes through it. This is acceptable in this design
because every VPN connection must first authenticate to the VPN server, which prevents
unauthorized access beyond the VPN server, and because, in the perimeter network configuration,
the firewall between the VPN server and the intranet still sees and filters the decrypted
traffic before it reaches intranet resources.
PPTP connections for the Internet interface of the firewall
The following table shows the inbound and outbound PPTP filters on the Internet interface of
the firewall.
Filter type | Filter | Description
Inbound | Destination IP address = Perimeter network interface of VPN server; TCP destination port = 1723 (0x6BB) | Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
Inbound | Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F) | Allows tunneled PPTP data (GRE) from the PPTP client to the PPTP server.
Inbound | Destination IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB) | Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed to reach the VPN server, network attacks can originate from sources on the Internet that use this port. Administrators should use this filter only in conjunction with the PPTP filters that are also configured on the VPN server.
Outbound | Source IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB) | Allows PPTP tunnel maintenance traffic from the PPTP server to the PPTP client.
Outbound | Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F) | Allows tunneled PPTP data (GRE) from the PPTP server to the PPTP client.
Outbound | Source IP address = Perimeter network interface of VPN server; TCP destination port = 1723 (0x6BB) | Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection.
PPTP connections for the perimeter network interface of the firewall
The following table shows the inbound and outbound PPTP filters on the perimeter network
interface of the firewall.
Filter type | Filter | Description
Inbound | Source IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB) | Allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.
Inbound | Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F) | Allows tunneled PPTP data (GRE) from the VPN server to the VPN client.
Inbound | Source IP address = Perimeter network interface of VPN server; TCP destination port = 1723 (0x6BB) | Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed to reach the VPN server, network attacks can originate from sources on the Internet that use this port.
Outbound | Destination IP address = Perimeter network interface of VPN server; TCP destination port = 1723 (0x6BB) | Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
Outbound | Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 47 (0x2F) | Allows tunneled PPTP data (GRE) from the PPTP client to the PPTP server.
Outbound | Destination IP address = Perimeter network interface of VPN server; TCP source port = 1723 (0x6BB) | Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed to reach the VPN server, network attacks can originate from sources on the Internet that use this port.
SSTP connections for the Internet interface of the firewall
The following table shows the inbound and outbound SSTP filters on the Internet interface of
the firewall.
Filter type | Filter | Action
Inbound | Destination IP address = Perimeter network interface of VPN server; TCP destination port = 443 (0x1BB) | Allows SSTP traffic to the VPN server.
Outbound | Source IP address = Perimeter network interface of VPN server; TCP source port = 443 (0x1BB) | Allows SSTP traffic from the VPN server.
SSTP connections for the perimeter network interface of the firewall
The following table shows the inbound and outbound SSTP filters on the perimeter network
interface of the firewall.
Filter type | Filter | Action
Inbound | Source IP address = Perimeter network interface of VPN server; TCP source port = 443 (0x1BB) | Allows SSTP traffic from the VPN server to the VPN client.
Outbound | Destination IP address = Perimeter network interface of VPN server; TCP destination port = 443 (0x1BB) | Allows SSTP traffic from the SSTP client to the SSTP server.
L2TP/IPsec connections for the Internet interface of the firewall
The following table shows the inbound and outbound L2TP/IPsec filters on the Internet
interface of the firewall.
Filter type | Filter | Action
Inbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 500 (0x1F4) | Allows Internet Key Exchange (IKE) traffic to the VPN server.
Inbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 4500 (0x1194) | Allows IPsec NAT Traversal (NAT-T) traffic to the VPN server.
Inbound | Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPsec Encapsulating Security Payload (ESP) traffic to the VPN server.
Outbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 500 (0x1F4) | Allows IKE traffic from the VPN server.
Outbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 4500 (0x1194) | Allows IPsec NAT-T traffic from the VPN server.
Outbound | Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPsec ESP traffic from the VPN server.
No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall,
including tunnel maintenance and tunneled data, is encrypted inside IPsec ESP, so the firewall
never sees port 1701 in the clear. Note that when the client is behind a NAT, ESP is itself
carried inside UDP port 4500 (NAT-T) rather than as IP protocol 50, which is why both the ESP
and the NAT-T rows are needed.
L2TP/IPsec connections for the perimeter network interface of the firewall
The following table shows the inbound and outbound L2TP/IPsec filters on the perimeter
network interface of the firewall.
Filter type | Filter | Action
Inbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 500 (0x1F4) | Allows IKE traffic from the VPN server.
Inbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 4500 (0x1194) | Allows IPsec NAT-T traffic from the VPN server.
Inbound | Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPsec ESP traffic from the VPN server.
Outbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 500 (0x1F4) | Allows IKE traffic to the VPN server.
Outbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 4500 (0x1194) | Allows IPsec NAT-T traffic to the VPN server.
Outbound | Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPsec ESP traffic to the VPN server.
VPN server in front of a firewall
For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to
the firewall, which uses its filters to decide what may be forwarded to intranet resources.
Because the only traffic crossing the VPN server is traffic generated by authenticated VPN
clients, firewall filtering in this scenario can be used to prevent VPN users from accessing
specified intranet resources.
Because the only Internet traffic allowed onto the intranet must go through the VPN server,
this approach also prevents the sharing of intranet resources with non-VPN Internet users.
All of the following packet filters are configured, using the Routing and Remote Access
snap-in, as IP packet filters on the Internet interface of the VPN server, with the filter
action set to drop all packets except those that match the filters listed; without that
default-drop action, the filters permit nothing that was not already permitted. Depending on
the configuration decisions made while running the Routing and Remote Access Server Setup
Wizard, these packet filters might already be configured.
PPTP connections
The following table shows the VPN server's inbound and outbound filters for PPTP.
Filter type | Filter | Action
Inbound | Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP destination port = 1723 | Allows PPTP tunnel maintenance traffic to the VPN server.
Inbound | Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; IP Protocol ID = 47 | Allows tunneled PPTP data (GRE) to the VPN server.
Inbound | Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP (established) source port = 1723 | Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Accepts TCP traffic only when a VPN server initiates the TCP connection.
Outbound | Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP source port = 1723 | Allows PPTP tunnel maintenance traffic from the VPN server.
Outbound | Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; IP Protocol ID = 47 | Allows tunneled PPTP data (GRE) from the VPN server.
Outbound | Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP (established) destination port = 1723 | Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Sends TCP traffic only when a VPN server initiates the TCP connection.
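The site-to-site rows in this table and in the firewall tables under "VPN server behind a firewall" differ in one detail that matters: the firewall rows match on TCP port 1723 alone, while the RRAS filters use "TCP (established)". The following Python model is an added example, not code from the original topic or from Windows. It encodes the PPTP and L2TP/IPsec rows as data and evaluates constructed packets against them, showing why the topic warns about the bare source-port filter and why UDP port 1701 needs no row. The IP addresses, the `Packet` and `Filter` names, and the treatment of "established" as "TCP ACK flag set" are assumptions of the example, not documented RRAS behaviour.

```python
# Added example, not code from the original topic: a model of the PPTP and
# L2TP/IPsec packet filters described above, evaluated against constructed packets.
# Addresses are RFC 5737 documentation ranges chosen for the example (assumed).
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50           # IP protocol numbers used by the tables

VPN_IP = "203.0.113.10"           # Internet/perimeter interface of the VPN server (assumed)
CLIENT_IP = "192.0.2.25"          # remote access client (assumed)
REMOTE_ROUTER_IP = "192.0.2.200"  # answering router of a site-to-site PPTP link (assumed)
ATTACKER_IP = "198.51.100.7"      # hostile Internet host (assumed)


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" = arriving from the Internet, "out" = leaving toward it
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False             # TCP ACK flag; False for a bare SYN


@dataclass(frozen=True)
class Filter:
    direction: str
    proto: int
    src: Optional[str] = None     # None means "any"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False     # "TCP (established)" modelled as: only ACK-bearing segments match (assumption)

    def matches(self, p: Packet) -> bool:
        if (p.direction, p.proto) != (self.direction, self.proto):
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst),
                           (self.sport, p.sport), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        return p.ack or not self.established


def allowed(filters: List[Filter], p: Packet) -> bool:
    """Drop-all-except semantics: a packet passes only if at least one filter matches it."""
    return any(f.matches(p) for f in filters)


def pptp_filters(established_site_to_site: bool) -> List[Filter]:
    """The PPTP rows: tunnel maintenance (TCP 1723), tunneled data (GRE, protocol 47) and the
    optional site-to-site rows. The firewall tables match the site-to-site rows on port alone;
    the RRAS filters on the VPN server use 'TCP (established)' for the same rows."""
    s2s = established_site_to_site
    return [
        Filter("in", TCP, dst=VPN_IP, dport=1723),                    # client -> server maintenance
        Filter("in", GRE, dst=VPN_IP),                                # client -> server tunneled data
        Filter("in", TCP, dst=VPN_IP, sport=1723, established=s2s),   # replies from the remote router
        Filter("out", TCP, src=VPN_IP, sport=1723),                   # server -> client maintenance
        Filter("out", GRE, src=VPN_IP),                               # server -> client tunneled data
        Filter("out", TCP, src=VPN_IP, dport=1723, established=s2s),  # calls to the remote router
    ]


def l2tp_ipsec_filters() -> List[Filter]:
    """IKE, NAT-T and ESP rows. There is deliberately no row for UDP 1701: L2TP rides inside ESP."""
    return [
        Filter("in", UDP, dst=VPN_IP, dport=500),
        Filter("in", UDP, dst=VPN_IP, dport=4500),
        Filter("in", ESP, dst=VPN_IP),
        Filter("out", UDP, src=VPN_IP, sport=500),
        Filter("out", UDP, src=VPN_IP, sport=4500),
        Filter("out", ESP, src=VPN_IP),
    ]


# Constructed packets for the demonstration.
CLIENT_SYN = Packet("in", CLIENT_IP, VPN_IP, TCP, sport=49152, dport=1723)
S2S_REPLY = Packet("in", REMOTE_ROUTER_IP, VPN_IP, TCP, sport=1723, dport=49153, ack=True)
# An Internet host that sources its connection from port 1723 to reach another service.
ATTACK_SYN = Packet("in", ATTACKER_IP, VPN_IP, TCP, sport=1723, dport=445)
BARE_L2TP = Packet("in", CLIENT_IP, VPN_IP, UDP, sport=1701, dport=1701)
ESP_DATA = Packet("in", CLIENT_IP, VPN_IP, ESP)


def demo() -> dict:
    firewall = pptp_filters(established_site_to_site=False)  # rows as on the firewall
    rras = pptp_filters(established_site_to_site=True)       # rows as RRAS filters on the VPN server
    return {
        "client_maintenance": allowed(firewall, CLIENT_SYN),
        "site_to_site_reply_rras": allowed(rras, S2S_REPLY),
        "attacker_sport_1723_firewall": allowed(firewall, ATTACK_SYN),  # the risk the topic warns about
        "attacker_sport_1723_rras": allowed(rras, ATTACK_SYN),          # a SYN carries no ACK
        "bare_l2tp_udp_1701": allowed(l2tp_ipsec_filters(), BARE_L2TP),
        "esp": allowed(l2tp_ipsec_filters(), ESP_DATA),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allow' if verdict else 'drop'}")
```

The firewall-style rows let `ATTACK_SYN` through because source port 1723 is the only thing they check, which is exactly why the topic says to use that row only together with the PPTP filters on the VPN server; the RRAS "established" variant passes the remote router's reply but not a fresh SYN. Treating "established" as "ACK set" is the classic stateless approximation and is an assumption of this model; a stateful firewall would track the connection instead. The bare UDP 1701 datagram is dropped while ESP passes, matching the note that no L2TP filter is needed.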
SSTP connections
The following table shows the VPN server's inbound and outbound filters for SSTP.
Filter type | Filter | Action
Inbound | Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP destination port = 443 | Allows SSTP traffic to the VPN server.
L2TP/IPsec connections
The following table shows the VPN server's inbound and outbound filters for L2TP/IPsec.
Filter type | Filter | Action
Inbound | Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP destination port = 500 | Allows IKE traffic to the VPN server.