
Appendix B: Alternate Configurations

Published: October 31, 2001
On This Page

Multiple Internet Function VPN Router
Single-Adapter VPN Router

This section provides information about common alternate configurations for a Windows 2000 VPN router. The most common configuration is described in the "Deploying a PPTP-based Router-to-Router VPN Connection" and "Deploying an L2TP-based Router-to-Router VPN Connection" sections of this paper; its principal characteristics are the following:

  • The VPN router has multiple network adapters, at least one connected to the site and at least one connected to the Internet.

  • The VPN router has static public IP addresses assigned to its Internet interfaces.

  • The VPN router is only acting as a security gateway providing a routed connection to the site. The VPN router is not hosting any other Internet services such as NAT or Web services.

The two other most common configurations are the following:

  1. The VPN router computer is performing other functions such as network address translation or Web hosting.

  2. The VPN router computer has a single network adapter and its public IP address is published by a firewall.

The following sections detail the changes to make in the deployment of a VPN router to accommodate these additional common configurations.

Multiple Internet Function VPN Router

In this configuration, the VPN router's principal characteristics are the following:

  • The VPN router has multiple network adapters, at least one connected to the site and at least one connected to the Internet.

  • The VPN router has static public IP addresses assigned to its Internet interfaces.

  • The VPN router is acting as a security gateway providing remote access to the site and is also hosting other Internet services such as NAT or Web hosting.

In this configuration, you can follow the procedures described in the "Deploying PPTP-based Remote Access" and "Deploying L2TP-based Remote Access" sections of this paper, except that when you run the Routing and Remote Access Server Setup Wizard and select from the list of Common Configurations, do not choose Virtual Private Network (VPN) server. Instead, select Network router. You are prompted to select an interface over which DHCP, DNS, and WINS configuration is obtained, to determine how you want to assign IP addresses to remote access clients, and to configure RADIUS.

When you select Network router, only five PPTP and L2TP ports are configured. For additional ports, configure the properties of the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices from the properties of the Ports object in the Routing and Remote Access snap-in.

When you select Network router in the wizard, PPTP and L2TP packet filters are not configured on the Internet interface of the VPN router computer. Whether you have to configure these filters manually depends on whether the VPN router computer is also hosting NAT.

  • If NAT is needed on the VPN router computer, do not configure PPTP and L2TP packet filters or packet filters for any other type of traffic. If you configure PPTP and L2TP packet filters on the Internet interface, NAT cannot function. Even though you do not configure any packet filters on the Internet interface of the VPN router computer, the NAT discards any traffic from the Internet that does not correspond to traffic requested by site clients.

  • If NAT is not needed on the VPN router computer, you can configure PPTP and L2TP packet filters and other types of filters for additional services hosted by the VPN router computer. For example, if the VPN router computer is also hosting a Web site, add filters that allow traffic to and from the public IP address of the VPN router computer on TCP port 80.
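The following batch file is an added example, not part of the original paper, showing how the filters described in the second case (no NAT on the VPN router) can be entered from the command line with the netsh routing ip context of Windows 2000 instead of the Routing and Remote Access snap-in. It assumes the Internet interface is named "Internet" in Routing and Remote Access and uses 203.0.113.10 as a placeholder for the router's static public IP address; both are assumptions to replace with your own values. The port numbers are the standard PPTP (TCP 1723, GRE protocol 47), L2TP/IPSec (UDP 500 for IKE, UDP 1701 for L2TP) and Web (TCP 80) ports.

```batch
@echo off
rem Added example (not from the original paper): RRAS packet filters for a
rem multiple-function VPN router that is NOT hosting NAT, entered through the
rem "netsh routing ip" context of Windows 2000.
rem Assumptions: the Internet interface is named "Internet" in Routing and
rem Remote Access, and 203.0.113.10 is a placeholder (documentation address
rem range) for its static public IP address. Replace both with your values.
set IFNAME="Internet"
set PUBIP=203.0.113.10

rem --- Input filters: traffic arriving from the Internet to the public address ---
rem PPTP control channel: TCP destination port 1723
netsh routing ip add filter name=%IFNAME% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=1723
rem PPTP data channel: IP protocol 47 (GRE); ports do not apply
netsh routing ip add filter name=%IFNAME% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=47 srcport=0 dstport=0
rem L2TP/IPSec: IKE negotiation on UDP 500 and L2TP on UDP 1701
rem (IPSec removes the ESP encapsulation before the RRAS filter sees the packet)
netsh routing ip add filter name=%IFNAME% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=udp srcport=500 dstport=500
netsh routing ip add filter name=%IFNAME% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=udp srcport=1701 dstport=1701
rem Web site hosted on the VPN router: TCP destination port 80, any source port
netsh routing ip add filter name=%IFNAME% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=80
rem Turn the list into an allow-list: drop every inbound packet that matches none of the filters above
netsh routing ip set filter name=%IFNAME% filtertype=input action=drop

rem --- Output filters: traffic leaving the public address toward the Internet ---
rem The mirror of each input filter, with the public address as the source
netsh routing ip add filter name=%IFNAME% filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp srcport=1723 dstport=0
netsh routing ip add filter name=%IFNAME% filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=47 srcport=0 dstport=0
netsh routing ip add filter name=%IFNAME% filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=500 dstport=500
netsh routing ip add filter name=%IFNAME% filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=1701 dstport=1701
rem Replies from the Web site: TCP source port 80 to any destination port
netsh routing ip add filter name=%IFNAME% filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp srcport=80 dstport=0
netsh routing ip set filter name=%IFNAME% filtertype=output action=drop

rem Review the resulting filter set before relying on it
netsh routing ip show filter name=%IFNAME%
```

The "set filter ... action=drop" commands are what make each list an allow-list (the snap-in's "Drop all packets except those that meet the criteria below" setting); without them the added filters have no effect. Anything not listed, including ICMP and any other service the router hosts, is silently discarded on the Internet interface, so add a matching input and output pair for each additional service before enabling the drop action.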

Single-Adapter VPN Router

In this configuration, the VPN router computer has only a single network adapter, and nodes on the site of the calling router access services hosted on the VPN router computer. If the VPN router computer has only a single network adapter and is configured with a public IP address, all traffic to and from the services running on the VPN router computer is sent as clear text outside the VPN tunnel. For more information about why this happens, see "Routing and multi-use VPN routers" in this paper.

The only way a single-adapter VPN router can work properly is if it is behind a firewall that provides a publishing and translation service for the VPN router. The firewall publishes, or makes known on the Internet, a static public IP address for the VPN router. When VPN packets are sent to this published IP address, the firewall translates the destination address of the packet to the private or other public address by which the VPN router is known on the site.

Figure 6 shows an example of the published and actual addresses of a VPN router in this configuration.


Figure 1: The single-adapter VPN router configuration

The VPN router is configured according to "Deploying a PPTP-based Router-to-Router VPN Connection" in this paper with its site interface acting as an Internet interface. The firewall is configured to:

  • Publish the name and public IP address of the VPN router on the Internet.

  • Translate PPTP traffic sent to the public IP address of the VPN router to the site interface of the VPN router computer.

  • Discard all traffic except PPTP traffic going to and from the VPN router computer.

© 2014 Microsoft. All rights reserved.