Windows 2003 Server RRAS & IPSEC

Guest

I work at a university whose central computing network doles out live IP addresses to all the campus buildings. To top it off, we cannot utilize true firewall or NAT boxes to secure the buildings, as the central computing network support needs to manage each port. So what we have to do is install parallel firewalls or utilize filters like IPSEC to protect our servers (we use client firewalls for the desktops).

With that being the case, our Windows 2003 and 2000 servers have IPSEC with rules restricting access to just our subnet, access to ports 80, 443, our campus DNS servers, and campus time servers. Everything else is blocked. As it stands, we haven't had any major problems, and it is the best (and cheapest) route. I want to add RRAS to one of our Windows 2003 servers for VPN access and followed the knowledge base article 323381 that shows how to do so. Just to be sure, I added permission filters in IPSEC that allow access to/from port 1723 and 47.

After doing so, I tested the VPN connection. I dialed up from a laptop to our campus dialup service, then dialed the VPN connection to the new RRAS server. After a fashion, I get a "connecting" dialing box, then a "verifying username/password" dialog box, then an error dialog box indicating that the remote computer did not respond (and will redial in xx seconds). Just as a test, I un-assigned the IPSEC filters, dialed up the RRAS server again, and am connected no problem. So I'm assuming my IPSEC filters are blocking, but I am allowing ports 1723 and 47 (to/from). Are there other ports I'm missing, and if so, are they dynamic (i.e., will they be different each time)? Or is there another solution?

Thanks!
 
Bill Grant

Before you try it from a dialup connection, test it from a local
workstation. See what filters you need to set to get it to work. I doubt
that you need any at all. (By the way, port 47 has nothing to do with VPN.
Port 1723 is PPTP and is required for a PPTP VPN connection.)

When you dial up to campus, you receive a University public IP address,
so you are effectively inside the campus network. Making a VPN connection to
a server on that network is essentially the same as making a VPN connection
from a local workstation. You are not tunnelling through the Internet - you
are only tunnelling through the campus LAN. For a VPN connection through the
Internet, you would connect directly to the server's public IP.

It is not clear why you want to do this. What do you hope to do over the
VPN connection that can't be done over the dialup? VPN stands for Virtual
Private Network. It is normally used to connect to a private network. Your
University is a public network using registered IP addresses.

huskyphan said:
I work at a university whose central computing network doles out live IP
addresses to all the campus buildings. To top it off, we cannot utilize true
firewall or NAT boxes to secure the buildings, as the central computing network
support needs to manage each port. So what we have to do is install
parallel firewalls or utilize filters like IPSEC to protect our servers (we
use client firewalls for the desktops).
With that being the case, our Windows 2003 and 2000 servers have IPSEC
with rules restricting access to just our subnet, access to ports 80,
443, our campus DNS servers, and campus time servers. Everything else is
blocked. As it stands, we haven't had any major problems, and it is the
best (and cheapest) route. I want to add RRAS to one of our Windows 2003
servers for VPN access and followed the knowledge base article 323381 that
shows how to do so. Just to be sure, I added permission filters in IPSEC
that allow access to/from port 1723 and 47.
After doing so, I tested the VPN connection. I dialed up from a laptop to
our campus dialup service, then dialed the VPN connection to the new RRAS
server. After a fashion, I get a "connecting" dialing box, then a "verifying
username/password" dialog box, then an error dialog box indicating that the
remote computer did not respond (and will redial in xx seconds). Just as a
test, I un-assigned the IPSEC filters, dialed up the RRAS server again, and am
connected no problem. So I'm assuming my IPSEC filters are blocking, but I
am allowing ports 1723 and 47 (to/from). Are there other ports I'm missing,
and if so, are they dynamic (i.e., will they be different each time)? Or is
there another solution?
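
An added example, not part of either post above: a small Python model of a default-block permit list evaluated against a constructed PPTP session. It assumes the "port 47" filter in the question was entered as a TCP/UDP port; PPTP carries its tunnel, including PPP authentication, in GRE, which is IP protocol 47 and has no port numbers. All class, function and variable names are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47  # IANA IP protocol numbers (GRE is a protocol, not a port)

@dataclass(frozen=True)
class Packet:
    proto: int                      # protocol field of the IP header
    dst_port: Optional[int] = None  # only TCP/UDP packets carry ports
    src_port: Optional[int] = None
    note: str = ""

@dataclass(frozen=True)
class PermitFilter:
    proto: int
    port: Optional[int] = None      # None: any port, or a protocol without ports

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        # Mirrored filter: the service port may be on either side of the flow.
        return self.port is None or self.port in (pkt.dst_port, pkt.src_port)

def first_blocked(filters, session):
    """Default-block policy: return the first packet no permit filter matches."""
    for pkt in session:
        if not any(f.matches(pkt) for f in filters):
            return pkt
    return None

# Constructed PPTP session, in order: control channel first, then the tunnel.
PPTP_SESSION = [
    Packet(TCP, dst_port=1723, src_port=49152, note="control connection request"),
    Packet(TCP, dst_port=49152, src_port=1723, note="control connection reply"),
    Packet(GRE, note="PPP LCP/authentication carried in GRE"),
    Packet(GRE, note="tunnelled user data carried in GRE"),
]

# Assumption about the thread's setup: "47" entered as a TCP and UDP port.
PORT_47_RULES = [PermitFilter(TCP, 1723), PermitFilter(TCP, 47), PermitFilter(UDP, 47)]
# Same policy, permitting by IP protocol number instead.
PROTOCOL_47_RULES = [PermitFilter(TCP, 1723), PermitFilter(GRE)]

if __name__ == "__main__":
    for name, rules in (("port 47", PORT_47_RULES), ("protocol 47", PROTOCOL_47_RULES)):
        pkt = first_blocked(rules, PPTP_SESSION)
        print(name, "->", "session passes" if pkt is None else f"blocked: {pkt.note}")
```

With the port-based rules the TCP 1723 control channel is permitted and the first GRE packet is dropped, which matches a client that reaches "verifying username/password" and then reports no response.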
 
