Appendix B: Alternate Configurations

Applies To: Windows Server 2003 with SP1

This section describes common alternate configurations for a Windows Server 2003 VPN server. The most common configuration, described in the "Deploying PPTP-based Remote Access" and "Deploying L2TP-based Remote Access" sections of this paper, has the following principal characteristics:

  • The VPN server has multiple network adapters: at least one connected to the intranet and at least one connected to the Internet.

  • The VPN server has static public IP addresses assigned to its Internet interfaces.

  • The VPN server is only acting as a security gateway providing remote access to the intranet. The VPN server is not hosting any other Internet services such as NAT or Web services.

The next two most common configurations are the following:

  1. The VPN server computer is performing other functions such as network address translation or Web hosting.

  2. The VPN server computer has a single network adapter and its public IP address is published by a firewall.

The following sections detail the changes to make in the deployment of a VPN server to accommodate these additional common configurations.

Multiple Internet Function VPN Server

In this configuration, the VPN server's principal characteristics are the following:

  • The VPN server has multiple network adapters: at least one connected to the intranet and at least one connected to the Internet.

  • The VPN server has static public IP addresses assigned to its Internet interfaces.

  • The VPN server is acting as a security gateway providing remote access to the intranet and is also hosting other Internet services, such as NAT or Web hosting.

In this configuration, you can follow the procedures as described in the "Deploying PPTP-based Remote Access" and "Deploying L2TP-based Remote Access" sections of this paper except that when you run the Routing and Remote Access Server Setup Wizard, clear the Enable security on the selected interface by setting up static packet filters check box on the VPN Connection page of the Wizard.

When you clear the Enable security on the selected interface by setting up static packet filters check box, PPTP and L2TP packet filters are not configured on the Internet interface of the VPN server computer. Whether you have to manually configure these filters depends on whether the VPN server computer is also hosting NAT.

  • If NAT is needed on the VPN server computer, do not configure PPTP and L2TP packet filters, or packet filters for any other type of traffic, on the Internet interface. The static filters drop all traffic except PPTP and L2TP, but NAT-translated sessions use the public IP address with arbitrary port numbers, so if you configure PPTP and L2TP packet filters on the Internet interface, NAT cannot function. Even without packet filters on the Internet interface, NAT itself discards any traffic from the Internet that does not correspond to a translation created by an intranet client's outbound request.

  • If NAT is not needed on the VPN server computer, you can configure PPTP and L2TP packet filters, plus filters for any additional services hosted by the VPN server computer. For example, if the VPN server computer also hosts a Web site, add filters that allow inbound traffic to TCP port 80 at the public IP address of the VPN server computer and the corresponding outbound traffic from TCP port 80.
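The filter behavior described in the two cases above, as an added example that is not code from this paper: a small Python model of RRAS static packet filters with their "drop all packets except those that match" semantics. The PPTP filter set (TCP port 1723 and GRE, IP protocol 47) follows the wizard's documented filters; the L2TP set (UDP ports 500, 4500 and 1701), the Web-site filters, and every address and port used are assumptions of the example. It shows a PPTP client passing, a Web request passing only once the TCP port 80 filters are added, and a NAT-translated session being dropped in both directions, which is why NAT cannot function alongside the filters.

```python
"""Model of the static packet filters that the Routing and Remote Access
Server Setup Wizard places on a VPN server's Internet interface, and of why
those filters cannot coexist with NAT on the same computer.

Added example, not code from the paper. The PPTP filter set (TCP 1723 and
GRE, IP protocol 47) follows the wizard's documented filters; the L2TP set
(UDP 500, 4500 and 1701), the Web-site filters and all addresses and ports
below are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

TCP, UDP, GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0              # 0 for protocols without ports (GRE)
    dport: int = 0
    established: bool = False   # TCP segment with ACK set (reply half of a connection)


@dataclass(frozen=True)
class Filter:
    """One RRAS static filter. None means 'any' for that field."""
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: Optional[bool] = None   # True models the TCP [established] filter type

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.established is None or p.established == self.established))


def allowed(filters: Sequence[Filter], p: Packet) -> bool:
    """The wizard sets the interface to drop all packets except those that
    match a filter, so a packet passes only when some filter matches."""
    return any(f.matches(p) for f in filters)


# Filters installed when "Enable security on the selected interface by
# setting up static packet filters" is checked (PPTP part documented,
# L2TP part assumed here).
VPN_INPUT = [
    Filter(TCP, dport=1723),                    # PPTP control connection
    Filter(TCP, sport=1723, established=True),  # replies to server-initiated PPTP
    Filter(GRE),                                # PPTP tunneled data
    Filter(UDP, dport=500), Filter(UDP, dport=4500), Filter(UDP, dport=1701),  # IKE, NAT-T, L2TP
]
VPN_OUTPUT = [
    Filter(TCP, sport=1723),
    Filter(TCP, dport=1723, established=True),
    Filter(GRE),
    Filter(UDP, sport=500), Filter(UDP, sport=4500), Filter(UDP, sport=1701),
]

# Filters to add when the VPN server also hosts a Web site on TCP port 80.
WEB_INPUT = [Filter(TCP, dport=80)]
WEB_OUTPUT = [Filter(TCP, sport=80, established=True)]

VPN_PUBLIC = "203.0.113.10"   # assumed public address of the Internet interface
CLIENT = "198.51.100.7"       # assumed remote VPN client / Internet user
WEB_SERVER = "198.51.100.80"  # assumed Internet web server visited by an intranet user


def pptp_client_passes() -> bool:
    """PPTP control connection and GRE data from a remote client are allowed."""
    control = Packet(CLIENT, VPN_PUBLIC, TCP, sport=49152, dport=1723)
    data = Packet(CLIENT, VPN_PUBLIC, GRE)
    reply = Packet(VPN_PUBLIC, CLIENT, TCP, sport=1723, dport=49152, established=True)
    return allowed(VPN_INPUT, control) and allowed(VPN_INPUT, data) and allowed(VPN_OUTPUT, reply)


def web_request_passes(with_web_filters: bool) -> bool:
    """An Internet user browsing a Web site hosted on the VPN server itself."""
    inp = VPN_INPUT + (WEB_INPUT if with_web_filters else [])
    out = VPN_OUTPUT + (WEB_OUTPUT if with_web_filters else [])
    request = Packet(CLIENT, VPN_PUBLIC, TCP, sport=50000, dport=80)
    response = Packet(VPN_PUBLIC, CLIENT, TCP, sport=80, dport=50000, established=True)
    return allowed(inp, request) and allowed(out, response)


def nat_session_passes() -> bool:
    """An intranet client behind NAT on the VPN server browses the Internet.
    NAT rewrites the source to the public address and an ephemeral port, so
    neither the translated request nor the reply matches any VPN filter."""
    translated_request = Packet(VPN_PUBLIC, WEB_SERVER, TCP, sport=62000, dport=80)
    reply = Packet(WEB_SERVER, VPN_PUBLIC, TCP, sport=80, dport=62000, established=True)
    return allowed(VPN_OUTPUT, translated_request) and allowed(VPN_INPUT, reply)


if __name__ == "__main__":
    print("PPTP client:", pptp_client_passes())                # True
    print("Web without filters:", web_request_passes(False))  # False
    print("Web with filters:", web_request_passes(True))      # True
    print("NAT session:", nat_session_passes())               # False: NAT cannot function
```

The NAT case fails on both the outbound translated request and the inbound reply, so adding a single extra filter would not rescue it; the only workable choices are the two the text gives, no filters with NAT, or filters without NAT.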

Single-Adapter VPN Server

In this configuration, the VPN server computer has only a single network adapter, and VPN clients access services hosted on the VPN server computer itself. If that single adapter is configured with a public IP address, all traffic to and from the services running on the VPN server computer is sent as clear text outside the VPN tunnel: a VPN client must route traffic to the tunnel endpoint's public address over the Internet, so traffic to any other service at that same address bypasses the tunnel.

A single-adapter VPN server can work properly only if it is behind a firewall that provides a publishing and translation service for it. The firewall publishes, that is, makes known on the Internet, a static public IP address for the VPN server. When VPN packets are sent to this published IP address, the firewall translates the destination address to the private (or other public) address by which the VPN server is known on the intranet.

Figure 6 shows an example of the published and actual addresses of a VPN server in this configuration.

Figure 6: The single-adapter VPN server configuration

A VPN client uses the Internet DNS to resolve the VPN server's name to its published public IP address. After the VPN connection is made, the intranet DNS and WINS infrastructures resolve the VPN server's name to its actual intranet address. One limitation of this configuration is that it supports only PPTP. Because the firewall translates addresses, L2TP/IPSec traffic cannot traverse it unless both the VPN client and the VPN server support IPSec NAT traversal (NAT-T), which encapsulates ESP in UDP port 4500; the configuration described here assumes NAT-T is not used.

The VPN server is configured according to "Deploying PPTP-based Remote Access" in this paper, with its single (intranet) network adapter selected as the Internet interface. The firewall is configured to:

  • Publish the name and public IP address of the VPN server on the Internet.

  • Translate PPTP traffic (TCP port 1723 for the control connection and GRE, IP protocol 47, for tunneled data) sent to the public IP address of the VPN server to the intranet interface of the VPN server computer. Because GRE carries no port numbers, the firewall must support PPTP-aware translation rather than simple port translation.

  • Discard all traffic going to and from the VPN server computer except PPTP traffic.
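The three firewall rules above, as an added example in Python that is not code from this paper or from any firewall product: a model of the publishing firewall that hands out the published address through Internet DNS, translates only PPTP (TCP port 1723 and GRE, IP protocol 47) to the server's intranet address, and discards everything else, including IKE and ESP, which is the reason this configuration is PPTP-only. The addresses, host name and DNS tables are assumptions of the example.

```python
"""Model of the firewall that publishes a single-adapter VPN server.

Added example, not code from the paper or from any firewall product. It
implements the three rules the section lists: publish a static public
address for the server, translate PPTP traffic (TCP port 1723 and GRE, IP
protocol 47) to the server's intranet address, and discard everything else.
All addresses, the host name and the DNS tables are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50

PUBLISHED = "203.0.113.10"   # public address the firewall publishes (assumed)
ACTUAL = "192.168.1.5"       # VPN server's real intranet address (assumed)
CLIENT = "198.51.100.7"      # remote VPN client on the Internet (assumed)

# Before the tunnel is up the client uses Internet DNS, which returns the
# published address; once connected, intranet DNS/WINS return the actual one.
INTERNET_DNS = {"vpn.example.com": PUBLISHED}
INTRANET_DNS = {"vpn.example.com": ACTUAL}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0   # 0 for protocols without ports (GRE, ESP)
    dport: int = 0


def resolve(name: str, tunnel_up: bool) -> str:
    return (INTRANET_DNS if tunnel_up else INTERNET_DNS)[name]


def inbound(p: Packet) -> Optional[Packet]:
    """Internet -> intranet. Only PPTP addressed to the published address is
    translated to the server's intranet address; anything else is discarded."""
    if p.dst != PUBLISHED:
        return None
    if (p.proto == TCP and p.dport == 1723) or p.proto == GRE:
        return replace(p, dst=ACTUAL)
    return None


def outbound(p: Packet) -> Optional[Packet]:
    """Intranet -> Internet. Reverse translation for the server's PPTP replies."""
    if p.src != ACTUAL:
        return None
    if (p.proto == TCP and p.sport == 1723) or p.proto == GRE:
        return replace(p, src=PUBLISHED)
    return None


def pptp_session_translates() -> bool:
    """Control connection and GRE data in both directions reach the right host."""
    server = resolve("vpn.example.com", tunnel_up=False)
    control = inbound(Packet(CLIENT, server, TCP, sport=49152, dport=1723))
    data = inbound(Packet(CLIENT, server, GRE))
    reply = outbound(Packet(ACTUAL, CLIENT, TCP, sport=1723, dport=49152))
    return (control is not None and control.dst == ACTUAL
            and data is not None and data.dst == ACTUAL
            and reply is not None and reply.src == PUBLISHED)


def l2tp_ipsec_discarded() -> bool:
    """IKE (UDP 500) and ESP (IP protocol 50) are not PPTP, so the firewall
    drops them: this configuration supports PPTP only."""
    ike = inbound(Packet(CLIENT, PUBLISHED, UDP, sport=500, dport=500))
    esp = inbound(Packet(CLIENT, PUBLISHED, ESP))
    return ike is None and esp is None


def stray_traffic_discarded() -> bool:
    """Non-PPTP traffic to the published address, and PPTP sent to some other
    address, is discarded rather than forwarded."""
    http = inbound(Packet(CLIENT, PUBLISHED, TCP, sport=50000, dport=80))
    wrong_host = inbound(Packet(CLIENT, "203.0.113.11", TCP, sport=49152, dport=1723))
    return http is None and wrong_host is None


if __name__ == "__main__":
    print(resolve("vpn.example.com", False), "->", resolve("vpn.example.com", True))
    print("PPTP translated:", pptp_session_translates())          # True
    print("L2TP/IPSec discarded:", l2tp_ipsec_discarded())        # True
    print("Other traffic discarded:", stray_traffic_discarded())  # True
```

The model matches GRE by protocol number alone because GRE has no ports; a real firewall must likewise track the PPTP control connection to decide which GRE packets belong to the published server, which is what a PPTP-aware translation feature does.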