Integrate the VPN Server into a Perimeter Network

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Server 2003 supports VPN functionality without the use of a firewall. However, many organizations use firewalls to implement a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) to increase security by protecting their internal network from intrusion through the Internet.

Only servers that provide resources to users over the Internet, such as Proxy, Web, and FTP servers, are located in the perimeter network. Traffic between dial-up routers does not cross the Internet. Therefore, you do not need to locate dial-up routers in a perimeter network. However, placing VPN routers in a perimeter network helps ensure that communications between sites are protected.

VPN Router Placement in Relation to Firewall

If your organization already uses a perimeter network, you can add your VPN router to the existing set of servers on the perimeter network. If not, consider adding a perimeter network to your infrastructure when you deploy a VPN site-to-site connection.

How you configure firewall filters and the filters on the VPN router depends on the position of the VPN router relative to the firewall. Although it is possible to place the VPN router in front of the firewall (with the VPN router attached to the Internet), the more common — and recommended — configuration for a site-to-site connection is to place the VPN router behind the firewall (attaching the firewall to the Internet). When you place the VPN router behind the firewall, you configure the firewall with input and output filters on the firewall’s Internet and perimeter network interfaces to restrict traffic to the VPN server. These filters are configured the same for a site-to-site VPN server as for a remote access VPN server. For a description of these filters and how they function, see the instructions for configuring packet filters for a VPN server in "Deploying Dial-up and VPN Remote Access Servers" in this book.

For more information about VPN servers and firewalls, including configuration of PPTP and L2TP/IPSec packet filters both for VPN servers behind the firewall and for VPN servers in front of the firewall, see "VPN servers and firewall configuration" in Help and Support Center for Windows Server 2003.

Match IP Packet Filters to Demand-Dial Filters

At the same time that you plan where to place your VPN router in relation to a firewall and how to configure PPTP and L2TP/IPSec IP packet filters on the firewall, also plan how to configure demand-dial filters in conjunction with the IP packet filters configured on the demand-dial interfaces. Although IP packet filters and demand-dial filters serve different purposes, Microsoft recommends that you configure them together.

Demand-dial filters are applied before a connection is made; you use them to specify which types of traffic are allowed to create the connection in the first place. IP packet filters are applied after a connection is made; you use them to specify what traffic is allowed into and out of an interface once the connection is established. If the two sets of filters do not match, traffic that the IP packet filters will discard can still bring up the demand-dial connection. To prevent this, match your demand-dial filters to your IP packet filters so that only traffic the packet filters will forward is allowed to initiate the connection.
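As an added example (not part of the original article), the following netsh commands configure matching demand-dial and IP packet filters on the demand-dial interface of a Windows Server 2003 VPN router. The interface name "Site B" and the subnets 192.168.1.0/24 (local) and 192.168.2.0/24 (remote) are constructed placeholders; `action=drop` makes each filter list a permit list (everything that does not match a filter is dropped), which is the netsh form of the RRAS snap-in's "Drop all packets except those that meet the criteria below" option.

```batch
@echo off
rem Added example, not from the original article. Assumes a demand-dial
rem interface named "Site B", local subnet 192.168.1.0/24 and remote
rem subnet 192.168.2.0/24 (all constructed placeholders).

rem 1. Demand-dial filter (evaluated BEFORE the connection exists):
rem    only traffic from the local subnet to the remote subnet may
rem    initiate the site-to-site connection.
netsh routing ip add filter name="Site B" filtertype=dial srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=192.168.2.0 dstmask=255.255.255.0 proto=any
netsh routing ip set filter name="Site B" filtertype=dial action=drop

rem 2. Outbound IP packet filter (evaluated AFTER the connection is up):
rem    forward exactly the traffic that was allowed to dial, so no
rem    packet can bring the link up only to be discarded here.
netsh routing ip add filter name="Site B" filtertype=output srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=192.168.2.0 dstmask=255.255.255.0 proto=any
netsh routing ip set filter name="Site B" filtertype=output action=drop

rem 3. Inbound IP packet filter: accept only the reverse direction,
rem    remote subnet to local subnet.
netsh routing ip add filter name="Site B" filtertype=input srcaddr=192.168.2.0 srcmask=255.255.255.0 dstaddr=192.168.1.0 dstmask=255.255.255.0 proto=any
netsh routing ip set filter name="Site B" filtertype=input action=drop

rem Review the three filter lists side by side to confirm they match.
netsh routing ip show filter name="Site B"
```

The same three lists can be inspected in the Routing and Remote Access snap-in under the interface's "Set IP Demand-dial Filters", "Inbound Filters" and "Outbound Filters" dialogs; any rule present in the dial list but absent from the packet filters is a connection that will be paid for and then dropped.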

For more information about configuring IP packet filters to match your demand-dial filters, see "Demand-dial routing design considerations" in Help and Support Center for Windows Server 2003.