Configure a Firewall for VPN Traffic

Applies To: Windows 7, Windows Server 2008 R2

When designing a virtual private network (VPN) remote access solution that involves network firewalls, you typically choose between the following two options for server placement. Each option has different design requirements.

  • VPN server behind a firewall. The firewall is attached to the Internet, with the VPN server between the firewall and the intranet. This is the placement used in a typical perimeter network configuration, in which one firewall is positioned between the VPN server and the intranet and another firewall is positioned between the VPN server and the Internet.

  • VPN server in front of a firewall. The VPN server is connected directly to the Internet, with the firewall between the VPN server and the intranet.

VPN server behind a firewall

In the configuration shown in the following figure, the firewall is connected to the Internet and the VPN server is an intranet resource on the perimeter network. The perimeter network is an IP network segment that typically contains resources available to Internet users, such as Web servers and FTP servers. The VPN server has an interface on both the perimeter network and on the private intranet.

In this approach, the firewall must be configured with input and output filters on its Internet and perimeter network interfaces to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the perimeter network. As an added layer of security, the VPN server should also be configured with Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), or Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) packet filters on its perimeter network interface as described in “VPN server in front of a firewall” in this topic.

Because the firewall does not have the encryption keys for each VPN connection, it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. However, this is not a security concern because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.

VPN server behind the firewall

Packet filters for a VPN server behind a firewall

If the VPN server is behind a firewall, packet filters must be configured for both an Internet interface and a perimeter network interface. In this scenario, the firewall is connected to the Internet and the VPN server is an intranet resource that is connected to the perimeter network. The VPN server has an interface on both the perimeter network and the Internet.

PPTP connections for the Internet interface of the firewall

The following table shows the inbound and outbound PPTP firewall rules that are applied to the firewall’s network adapter that connects to the Internet.

Filter Type Filter Description

Inbound

Destination IP address = Perimeter network interface of VPN server

TCP destination port = 1723 (0x6BB)

Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

Inbound

Destination IP address = Perimeter network interface of VPN server

IP Protocol ID = 47 (0x2F)

Allows tunneled PPTP data from the PPTP client to the PPTP server.

Inbound

Destination IP address = Perimeter network interface of VPN server

TCP source port = 1723 (0x6BB)

Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed to reach the VPN server, network attacks can originate from sources on the Internet that use this port. Administrators should only use this filter in conjunction with the PPTP filters that are also configured on the VPN server.

Outbound

Source IP address = Perimeter network interface of VPN server

TCP source port = 1723 (0x6BB)

Allows PPTP tunnel maintenance traffic from the PPTP server to the PPTP client.

Outbound

Source IP address = Perimeter network interface of VPN server

IP Protocol ID = 47 (0x2F)

Allows tunneled PPTP data from the PPTP server to the PPTP client.

Outbound

Source IP address = Perimeter network interface of VPN server

TCP destination port = 1723 (0x6BB)

Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from the VPN server is allowed to reach TCP port 1723, network attacks can originate from sources on the Internet using this port. Administrators should only use this filter in conjunction with the PPTP filters that are also configured on the VPN server.

PPTP connections for the perimeter network interface of the firewall

The following table shows the inbound and outbound PPTP firewall rules that are applied to the firewall’s network adapter that connects to the organization’s perimeter network.

Filter Type Filter Description

Inbound

Source IP address = Perimeter network interface of VPN server

TCP source port = 1723 (0x6BB)

Allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.

Inbound

Source IP address = Perimeter network interface of VPN server

IP Protocol ID = 47 (0x2F)

Allows tunneled PPTP data from the VPN server to the VPN client.

Inbound

Source IP address = Perimeter network interface of VPN server

TCP destination port = 1723 (0x6BB)

Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed to reach the VPN server, network attacks can originate from sources on the Internet using this port.

Outbound

Destination IP address = Perimeter network interface of VPN server

TCP source port = 1723 (0x6BB)

Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

Outbound

Destination IP address = Perimeter network interface of VPN server

IP Protocol ID = 47 (0x2F)

Allows tunneled PPTP data from the PPTP client to the PPTP server.

Outbound

Destination IP address = Perimeter network interface of VPN server

TCP source port = 1723 (0x6BB)

Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. If all traffic from the VPN server is allowed to reach TCP port 1723, network attacks can originate from sources on the Internet using this port.

SSTP connections for the Internet interface of the firewall

The following table shows the inbound and outbound SSTP filters on the Internet interface of the firewall.

Filter Type Filter Action

Inbound

Destination IP address = Perimeter network interface of VPN server

TCP destination port = 443 (0x1BB)

Allows SSTP traffic to the VPN server.

Outbound

Source IP address = Perimeter network interface of VPN server

TCP source port = 443 (0x1BB)

Allows SSTP traffic from the VPN server.

SSTP connections for the perimeter network interface of the firewall

The following table shows the inbound and outbound SSTP filters on the perimeter network interface of the firewall.

Filter Type Filter Action

Inbound

Source IP address = Perimeter network interface of VPN server

TCP source port = 443 (0x1BB)

Allows SSTP traffic from the VPN server to the VPN client.

Outbound

Destination IP address = Perimeter network interface of VPN server

TCP source port = 443 (0x1BB)

Allows SSTP traffic from the SSTP client to the SSTP server.

L2TP/IPsec connections for the Internet interface of the firewall

The following table shows the inbound and outbound L2TP/IPsec filters on the Internet interface of the firewall.

Filter Type Filter Action

Inbound

Destination IP address = Perimeter network interface of VPN server

UDP destination port = 500 (0x1F4)

Allows Internet Key Exchange (IKE) traffic to the VPN server.

Inbound

Destination IP address = Perimeter network interface of VPN server

UDP destination port = 4500 (0x1194)

Allows IPsec NAT Traversal (NAT-T) traffic to the VPN server.

Inbound

Destination IP address = Perimeter network interface of VPN server

IP Protocol ID = 50 (0x32)

Allows IPsec Encapsulating Security Payload (ESP) traffic to the VPN server.

Outbound

Source IP address = Perimeter network interface of VPN server

UDP source port = 500 (0x1F4)

Allows IKE traffic from the VPN server.

Outbound

Source IP address = Perimeter network interface of VPN server

UDP source port = 4500 (0x1194)

Allows IPsec NAT-T traffic from the VPN server.

Outbound

Source IP address = Perimeter network interface of VPN server

IP Protocol ID = 50 (0x32)

Allows IPsec ESP traffic from the VPN server.

No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted with IPsec ESP.

L2TP/IPsec connections for the perimeter network interface of the firewall

The following table shows the inbound and outbound L2TP/IPsec filters on the perimeter network interface of the firewall.

Filter Type Filter Action

Inbound

Source IP address = Perimeter network interface of VPN server

UDP source port = 500 (0x1F4)

Allows IKE traffic from the VPN server.

Inbound

Source IP address = Perimeter network interface of VPN server

UDP source port = 4500 (0x1194)

Allows IPsec NAT-T traffic from the VPN server.

Inbound

Source IP address = Perimeter network interface of VPN server

IP Protocol ID = 50 (0x32)

Allows IPsec ESP traffic from the VPN server.

Outbound

Destination IP address = Perimeter network interface of VPN server

UDP destination port = 500 (0x1F4)

Allows IKE traffic to the VPN server.

Outbound

Destination IP address = Perimeter network interface of VPN server

UDP destination port = 4500 (0x1194)

Allows IPsec NAT-T traffic to the VPN server.

Outbound

Destination IP address = Perimeter network interface of VPN server

IP Protocol ID = 50 (0x32)

Allows IPsec ESP traffic to the VPN server.

VPN server in front of a firewall

With the VPN server in front of the firewall and connected to the Internet, as shown in the following figure, administrators need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server’s interface on the Internet.

For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall, which uses its filters to allow the traffic to be forwarded to intranet resources. Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specified intranet resources.

Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of intranet resources with non-VPN Internet users.

VPN server in front of the firewall

Packet filters for a VPN server in front of a firewall

When a VPN server is in front of a firewall and connected to the Internet, inbound and outbound packet filters on the VPN server must be configured to allow only VPN traffic to and from the IP address of the VPN server’s Internet interface. Use this configuration if the VPN server is in a perimeter network, with one firewall positioned between the VPN server and the intranet and another between the VPN server and the Internet.

All of the following packet filters are configured, using the Routing and Remote Access snap-in, as IP packet filters on the Internet interface. Depending on the configuration decisions made during the running of the Routing and Remote Access Server Setup Wizard, these packet filters might already be configured.

PPTP connections for the inbound and outbound filters

The following table shows the VPN server’s inbound and outbound filters for PPTP.

Filter Type Filter Action

Inbound

Destination IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

TCP destination port = 1723

Allows PPTP tunnel maintenance to the VPN server.

Inbound

Destination IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

IP Protocol ID = 47

Allows tunneled PPTP data to the VPN server.

Inbound

Destination IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

TCP (established) source port = 1723

Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Accepts TCP traffic only when a VPN server initiates the TCP connection.

Outbound

Source IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

TCP source port = 1723

Allows PPTP tunnel maintenance traffic from the VPN server.

Outbound

Source IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

IP Protocol ID = 47

Allows tunneled PPTP data from the VPN server.

Outbound

Source IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

TCP (established) destination port = 1723

Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Sends TCP traffic only when a VPN server initiates the TCP connection.

SSTP connections

The following table shows the VPN server’s inbound and outbound filters for SSTP.

Filter Type Filter Action

Inbound

Destination IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

TCP destination port = 443

Allows SSTP traffic to the VPN server.

Outbound

Source IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

TCP source port = 443

Allows SSTP traffic from the VPN server.

L2TP/IPsec connections

The following table shows the VPN server’s inbound and outbound filters for L2TP/IPsec.

Filter Type Filter Action

Inbound

Destination IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

UDP destination port = 500

Allows IKE traffic to the VPN server.

Inbound

Destination IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

UDP destination port = 1701

Allows L2TP traffic from the VPN client to the VPN server.

Inbound

Destination IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

UDP destination port = 4500

Allows IPsec NAT-T traffic from the VPN client to the VPN server.

Outbound

Source IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

UDP source port = 500

Allows IKE traffic from the VPN server.

Outbound

Source IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

UDP source port = 1701

Allows L2TP traffic from the VPN server to the VPN client.

Outbound

Source IP address = Internet interface of VPN server

Subnet mask = 255.255.255.255

UDP source port = 4500

Allows IPsec NAT-T traffic from the VPN server to the VPN client.

Additional references