Windows 2003 Server RRAS and IPSEC


huskyphan (Guest)

I work at a university whose central computing network doles out live IP addresses to all the campus buildings. To top it off, we cannot utilize true firewall or NAT boxes to secure the buildings, as the central computing network support needs to manage each port. So what we have to do is install parallel firewalls or utilize filters like IPSEC to protect our servers (we use client firewalls for the desktops).

With that being the case, our Windows 2003 and 2000 servers have IPSEC with rules restricting access to just our subnet, access to ports 80 and 443, our campus DNS servers, and campus time servers. Everything else is blocked. As it stands, we haven't had any major problems, and it is the best (and cheapest) route. I want to add RRAS to one of our Windows 2003 servers for VPN access and followed knowledge base article 323381, which shows how to do so. Just to be sure, I added permission filters in IPSEC that allow access to/from ports 1723 and 47.

After doing so, I tested the VPN connection. I dialed up from a laptop to our campus dialup service, then dialed the VPN connection to the new RRAS server. After a fashion, I get the "connecting" dialing box, then the "verifying username/password" dialog box, then an error dialog box indicating that the remote computer did not respond (and will redial in xx seconds). Just as a test, I un-assigned the IPSEC filters, dialed up the RRAS server again, and connected with no problem. So I'm assuming my IPSEC filters are blocking, but I am allowing ports 1723 and 47 (to/from). Are there other ports I'm missing, and if so, are they dynamic (i.e., will they be different each time)? Or is there another solution?

thanks!
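An added example, not part of the original thread: PPTP needs two things to reach the RRAS server, the control connection on TCP 1723 and the GRE tunnel that carries the PPP session. GRE is IP protocol 47, not a TCP or UDP port, so an IPsec filter that permits "port 47" matches nothing; the filter has to select protocol number 47 with no port at all. The symptom described above (the connection gets as far as verifying the username and password, then reports that the remote computer did not respond) is what you see when TCP 1723 is allowed through but GRE is dropped. The batch file below uses the Windows Server 2003 `netsh ipsec static` context to add both filters to an existing policy; the policy name "Server Lockdown", filter list "PPTP-In" and filter action "Permit" are assumed names and should be changed to match the policy already assigned on the server.

```batch
@echo off
rem Added example, not from the original thread: permit PPTP (TCP 1723 plus
rem GRE, IP protocol 47) through an existing Windows Server 2003 IPsec policy.
rem Assumed names: policy "Server Lockdown", filter list "PPTP-In",
rem filter action "Permit". Run from an administrative command prompt.

rem Filter list that will hold both PPTP filters.
netsh ipsec static add filterlist name="PPTP-In" description="PPTP control channel and GRE tunnel"

rem PPTP control channel: TCP to port 1723 on this host. mirrored=yes also
rem matches the replies from this host back to the client.
netsh ipsec static add filter filterlist="PPTP-In" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=1723 mirrored=yes description="PPTP control (TCP 1723)"

rem GRE tunnel: IP protocol 47. No ports; GRE has none, so a TCP/UDP "port 47"
rem filter never matches the tunnel traffic.
netsh ipsec static add filter filterlist="PPTP-In" srcaddr=Any dstaddr=Me protocol=47 mirrored=yes description="GRE tunnel (IP protocol 47)"

rem Permit action (pass traffic in the clear, no IKE negotiation). If the
rem policy already has a permit action, reuse its name instead of adding one.
netsh ipsec static add filteraction name="Permit" action=permit

rem Attach the filter list to the existing policy as a new rule.
netsh ipsec static add rule name="Allow PPTP" policy="Server Lockdown" filterlist="PPTP-In" filteraction="Permit"

rem Verify: the GRE entry must show protocol 47 and no source/destination port.
netsh ipsec static show filterlist name="PPTP-In" level=verbose
```

Two things to check after running it. First, the policy must still be the assigned one (`netsh ipsec static show policy all` lists the assigned policy); adding a rule to an unassigned policy changes nothing. Second, Windows IPsec applies the most specific matching filter first, so these two permit filters take precedence over a broad block-all filter in the same policy and nothing else needs to be reordered. The `netsh ipsec` context exists on Windows Server 2003; on the Windows 2000 servers mentioned above the equivalent command-line tool is ipsecpol.exe, so this script applies only to the 2003 RRAS server.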
 

Janani V[MSFT]

You can check out the following link for info regarding the ports to be opened for IPSEC traffic:
http://www.microsoft.com/resources/...3/enterprise/proddocs/en-us/sag_VPN_und13.asp

Thanks,
Janani


