Integrate the VPN Server into a Perimeter Network

Applies To: Windows Server 2008, Windows Server 2008 R2

Windows Server 2008 R2 and Windows Server 2008 support VPN functionality without the use of a firewall. However, many organizations use firewalls to implement a perimeter network that helps to protect their internal network from intrusion from the Internet.

In a perimeter network configuration, only servers that provide resources to external users over the Internet, such as proxy, Web, and FTP servers, are located in the perimeter network. Traffic between dial-up routers does not cross the Internet. Therefore, you do not need to locate routers that use only dial-up connections in a perimeter network. However, if your organization does use a perimeter network, VPN routers should be placed in the perimeter network because they must accept direct communication from the Internet.

VPN router placement in relation to firewall

If your organization already uses a perimeter network, you can add your VPN router to the existing set of servers on the perimeter network. If not, you can consider adding a perimeter network to your infrastructure when you deploy a VPN site-to-site connection.

How you configure firewall filters and the filters on the VPN router depends on the position of the VPN router relative to any firewall devices. Although it is possible to place the VPN router in front of the firewall (with the VPN router attached directly to the Internet), the more common and recommended configuration for a site-to-site connection is to place the VPN router behind the firewall (attaching the firewall to the Internet). When you place the VPN router behind the firewall, you configure the firewall with input and output filters on the firewall’s Internet and perimeter network interfaces to restrict traffic to the VPN server. These filters are configured the same for a site-to-site VPN server as for a remote access VPN server.

For more information about VPN servers and firewalls, including configuration of PPTP and L2TP/IPsec packet filters both for VPN servers behind the firewall and for VPN servers in front of the firewall, see Appendix B: VPN Servers and Firewall Configuration.

Match IP packet filters to demand-dial filters

At the same time that you plan where to place your VPN router in relation to a firewall and how to configure IP packet filters on the firewall, also plan how to configure demand-dial filters in conjunction with the IP packet filters configured on the demand-dial interfaces. Although IP packet filters and demand-dial filters serve different purposes, configure them together.

  • You use demand-dial filters, which are applied before a connection is made, to specify which types of traffic are allowed to create a connection in the first place.

  • You use IP packet filters, which are applied after a connection is made, to specify what traffic is allowed into and out of an interface through the established connection. To prevent a demand-dial connection from being initiated by traffic that the IP packet filters will then discard, match your demand-dial filters to your IP packet filters.
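
As an added illustration (not part of this guide or of RRAS itself), the following Python models a demand-dial filter list and an IP packet filter list, both in "drop all except listed" mode, and flags traffic that would bring the link up only to be discarded by the packet filters; the filter entries and sample flows are constructed values, not a real configuration.

```python
from typing import Iterable, List, Optional, Set, Tuple

# A filter list is a set of (protocol, destination port) pairs that are permitted;
# anything not listed is dropped (the "drop all except listed" mode).
# A port of None means "any port" (used for protocols such as ICMP).
Rule = Tuple[str, Optional[int]]
Flow = Tuple[str, Optional[int]]


def permits(rules: Set[Rule], flow: Flow) -> bool:
    """True if the filter list allows this (protocol, destination port) flow."""
    proto, port = flow
    return any(r_proto == proto and (r_port is None or r_port == port)
               for r_proto, r_port in rules)


def check_filter_match(demand_dial: Set[Rule], packet_filters: Set[Rule],
                       flows: Iterable[Flow]) -> dict:
    """Classify each flow by how the two filter sets treat it.

    'wasted_dial': the demand-dial filter lets the flow bring the link up, but
                   the IP packet filter then discards it; this is the mismatch
                   the guide says to eliminate by matching the two filter sets.
    'never_dials': the packet filter would pass it, but it cannot trigger a
                   connection; it only flows once something else has dialled.
    'consistent':  both filter sets agree (both allow or both drop the flow).
    """
    result = {"wasted_dial": [], "never_dials": [], "consistent": []}
    for flow in flows:
        dials, passes = permits(demand_dial, flow), permits(packet_filters, flow)
        if dials and not passes:
            result["wasted_dial"].append(flow)
        elif passes and not dials:
            result["never_dials"].append(flow)
        else:
            result["consistent"].append(flow)
    return result


# Constructed sample: a branch-office demand-dial interface whose demand-dial
# filters were written before the packet filters were tightened.
DEMAND_DIAL_FILTERS: Set[Rule] = {("tcp", 80), ("tcp", 443), ("tcp", 445), ("icmp", None)}
PACKET_FILTERS: Set[Rule] = {("tcp", 80), ("tcp", 443), ("udp", 53)}
SAMPLE_FLOWS: List[Flow] = [("tcp", 443), ("tcp", 445), ("icmp", None), ("udp", 53), ("tcp", 3389)]

if __name__ == "__main__":
    report = check_filter_match(DEMAND_DIAL_FILTERS, PACKET_FILTERS, SAMPLE_FLOWS)
    for category, matched in report.items():
        print(f"{category:12s} {matched}")
```

Every flow listed under wasted_dial is traffic that would cause the router to dial the remote site and then drop the packets on the established connection, so either add it to the packet filters or remove it from the demand-dial filters.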

For more information about configuring IP packet filters to match your demand-dial filters, see Configure IP Packet Filters and Demand-Dial Filters in the RRAS Deployment Guide.