Using packet filtering

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Packet filtering

To prevent the VPN server from sending or receiving any traffic on its Internet interface except VPN traffic, you need to use PPTP or L2TP/IPSec input and output filters on the interface that corresponds to the connection to the Internet. For router-to-router VPN connections, you must also configure the calling router (the VPN client) with PPTP or L2TP/IPSec packet filters, a step that is done automatically when you configure your remote access server using the Routing and Remote Access Setup Wizard.

Because, by default, IP routing is enabled on intranet interfaces and the interface that corresponds to the connection to the Internet, the computer running a Windows Server 2003 operating system forwards IP packets between the Internet and your intranet. This provides a direct, routed connection between your intranet and possible attackers on the Internet. To protect your intranet so that the only traffic that is forwarded to the intranet is the traffic that is sent and received over secure VPN connections, you must use PPTP or L2TP/IPSec filters on the Internet interface.
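
The effect of these input filters can be modeled in a few lines of Python. This is an added example, not Microsoft's code and not part of the original page; it shows which packets arriving on the Internet interface a default-drop filter set accepts, and how to compare a configured filter list with the required one. The server address, the sample packets and the names `Filter`, `Packet`, `permitted` and `review` are constructed for illustration, and the port and protocol numbers are the standard assignments for PPTP, IKE, NAT-T and L2TP rather than values listed on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPN_SERVER_IP = "203.0.113.10"  # constructed address of the Internet interface

@dataclass(frozen=True)
class Filter:
    proto: int                      # IP protocol number: 6=TCP, 17=UDP, 47=GRE
    dst_port: Optional[int] = None  # None means "any" (or no ports, as with GRE)

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None

# Input filter sets, using the standard assignments for each protocol.
PPTP_INPUT = [Filter(6, 1723), Filter(47)]  # PPTP control channel, GRE tunnel data
L2TP_IPSEC_INPUT = [Filter(17, 500), Filter(17, 4500), Filter(17, 1701)]  # IKE, NAT-T, L2TP

def permitted(pkt, filters, server_ip=VPN_SERVER_IP):
    """Default drop: accept a packet only if it is addressed to the VPN
    server's Internet interface and matches one of the filters."""
    if ipaddress.ip_address(pkt.dst_ip) != ipaddress.ip_address(server_ip):
        return False  # would otherwise be routed straight to the intranet
    return any(pkt.proto == f.proto and f.dst_port in (None, pkt.dst_port)
               for f in filters)

def review(filters, required):
    """Compare a configured filter list with the required VPN set.
    Returns (missing, extra): missing filters break the VPN, extra filters
    widen what the Internet interface accepts."""
    return ([f for f in required if f not in filters],
            [f for f in filters if f not in required])

if __name__ == "__main__":
    samples = [  # constructed packets arriving on the Internet interface
        Packet(VPN_SERVER_IP, 6, 1723),  # PPTP control connection
        Packet(VPN_SERVER_IP, 47),       # PPTP tunneled data (GRE)
        Packet(VPN_SERVER_IP, 6, 3389),  # non-VPN service on the server itself
        Packet("10.0.0.5", 6, 445),      # packet that would be routed to an intranet host
    ]
    for p in samples:
        print(p, "ACCEPT" if permitted(p, PPTP_INPUT) else "DROP")
    print(review([Filter(6, 1723), Filter(6, 80)], PPTP_INPUT))
```
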

If you have a firewall, you must configure packet filters on the firewall to allow traffic between the VPN router and the routers on the Internet. For more information, see VPN servers and firewall configuration.

For more information about PPTP filters, see Add PPTP Filters. For more information about L2TP/IPSec filters, see Add L2TP over IPSec Filters.