Appendix B: Alternate Configurations

This section provides information about common alternate configurations for a Windows 2000 VPN server. The most common configuration is described in the "Deploying PPTP-based Remote Access" and "Deploying L2TP-based Remote Access" sections of this paper; its principal characteristics are the following:

  • The VPN server has multiple network adapters: at least one connected to the intranet and at least one connected to the Internet.

  • The VPN server has static public IP addresses assigned to its Internet interfaces.

  • The VPN server is only acting as a security gateway providing remote access to the intranet. The VPN server is not hosting any other Internet services such as NAT or Web services.

The two other most common configurations are the following:

  1. The VPN server computer is performing other functions such as network address translation or Web hosting.

  2. The VPN server computer has a single network adapter and its public IP address is published by a firewall.

The following sections detail the changes to make in the deployment of a VPN server to accommodate these additional common configurations.

Multiple Internet Function VPN Server

In this configuration, the VPN server's principal characteristics are the following:

  • The VPN server has multiple network adapters: at least one connected to the intranet and at least one connected to the Internet.

  • The VPN server has static public IP addresses assigned to its Internet interfaces.

  • The VPN server is acting as a security gateway providing remote access to the intranet and is also hosting other Internet services such as NAT or Web hosting.

In this configuration, you can follow the procedures as described in the "Deploying PPTP-based Remote Access" and "Deploying L2TP-based Remote Access" sections of this paper, except that when you run the Routing and Remote Access Server Setup Wizard and are asked to select from the list of Common Configurations, do not choose Virtual Private Network (VPN) server. Instead, select Remote access server. You are then prompted to select an interface over which DHCP, DNS, and WINS configuration is obtained, to determine how you want to assign IP addresses to remote access clients, and to configure RADIUS.

When you select Remote access server, only five PPTP and L2TP ports are configured. For additional ports, configure the properties of the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices from the properties of the Ports object in the Routing and Remote Access snap-in.

When you select Remote access server in the wizard, PPTP and L2TP packet filters are not configured on the Internet interface of the VPN server computer. Whether you have to manually configure these filters depends on whether the VPN server computer is also hosting NAT.

  • If NAT is needed on the VPN server computer, do not configure PPTP and L2TP packet filters or packet filters for other types of traffic. If you configure PPTP and L2TP packet filters on the Internet interface, NAT cannot function. Even though no packet filters are configured on the Internet interface of the VPN server computer, NAT itself discards any traffic from the Internet that does not correspond to traffic requested by intranet clients.

  • If NAT is not needed on the VPN server computer, you can configure PPTP and L2TP packet filters and other types of filters for additional services hosted by the VPN server computer. For example, if the VPN server computer is also hosting a Web site, then filters should be added to allow traffic to and from the public IP address of the VPN server computer and TCP port 80.

Single-Adapter VPN Server

In this configuration, the VPN server computer has only a single network adapter and VPN clients are accessing services hosted on the VPN server computer. If the VPN server computer has only a single network adapter and is configured with a public IP address, all traffic to and from the services running on the VPN server computer is sent as clear text outside the VPN tunnel. For more information about why this happens, see "Routing and multi-use VPN servers" in this paper.

The only way a single-adapter VPN server can work properly is if it is behind a firewall that is providing a publishing and translation service for the VPN server. The firewall publishes, or makes known on the Internet, a static public IP address for the VPN server. When VPN packets are sent to this published IP address, the firewall translates the destination address of the packet to the private or other public address by which the VPN server is known on the intranet.

Figure 6 shows an example of the published and actual addresses of a VPN server in this configuration.

Figure 6  The single-adapter VPN server configuration

Just as in "Routing and multi-use VPN servers" in this paper, a VPN client uses the Internet DNS to resolve the VPN server's name to its published public IP address. After the VPN connection is made, the intranet DNS and WINS infrastructures resolve the VPN server's name to its actual intranet address. One limitation to this configuration is that only PPTP is supported. Because the firewall is translating addresses, IPSec-protected L2TP traffic cannot traverse the firewall.

The VPN server is configured according to "Deploying PPTP-based Remote Access" in this paper with its intranet interface acting as an Internet interface. The firewall is configured to:

  • Publish the name and public IP address of the VPN server on the Internet.

  • Translate PPTP traffic sent to the public IP address of the VPN server to the intranet interface of the VPN server computer.

  • Discard all traffic except PPTP traffic going to and from the VPN server computer.
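The two filtering arrangements described in this appendix, the Internet-interface filters of a multi-function VPN server that also hosts a Web site (PPTP plus TCP port 80, with no NAT) and the publishing firewall in front of a single-adapter VPN server, modelled as an added example that is not from the paper. The IP addresses are constructed placeholders; the PPTP port and protocol numbers (TCP 1723 and GRE, IP protocol 47) and the IPSec ESP protocol number are standard values the paper does not list.

```python
# Added example: a small packet-filter and address-translation model of the
# two configurations above. Not from the paper; addresses are constructed.
from dataclasses import dataclass, replace
from typing import Optional

TCP, GRE, ESP = 6, 47, 50   # IP protocol numbers (standard values)
PPTP_PORT = 1723            # PPTP control channel; GRE carries the tunneled data

VPN_PUBLIC = "203.0.113.10"   # published public address (constructed)
VPN_INTRANET = "10.0.0.5"     # actual intranet address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports (GRE, ESP)
    dport: Optional[int] = None


def is_pptp(pkt: Packet) -> bool:
    """PPTP is TCP 1723 in either direction plus GRE data packets."""
    return pkt.proto == GRE or (
        pkt.proto == TCP and PPTP_PORT in (pkt.sport, pkt.dport))


def internet_interface_filter(pkt: Packet) -> bool:
    """Case 1: multi-function server without NAT. Permit PPTP and the hosted
    Web site (TCP 80) to and from the public address; discard everything else."""
    inbound = pkt.dst == VPN_PUBLIC
    if not (inbound or pkt.src == VPN_PUBLIC):
        return False
    web_port = pkt.dport if inbound else pkt.sport
    return is_pptp(pkt) or (pkt.proto == TCP and web_port == 80)


def firewall_translate(pkt: Packet) -> Optional[Packet]:
    """Case 2: firewall publishing a single-adapter VPN server. Translate PPTP
    between the published and intranet addresses; return None (discard) for
    anything else, which also covers IPSec-protected L2TP (ESP, UDP 500)."""
    if not is_pptp(pkt):
        return None
    if pkt.dst == VPN_PUBLIC:                  # Internet -> VPN server
        return replace(pkt, dst=VPN_INTRANET)
    if pkt.src == VPN_INTRANET:                # VPN server -> Internet
        return replace(pkt, src=VPN_PUBLIC)
    return None
```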