Configure the Intranet and Internet Firewalls

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To support RADIUS traffic, you must take two steps. First, configure the Internet firewall to allow RADIUS traffic between the IAS proxies on the perimeter network and the RADIUS clients on the Internet. Then configure the intranet firewall to allow RADIUS traffic between the IAS proxies on the perimeter network and the IAS servers on the intranet.

Filters on the Internet Interface

Configure these input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the IAS server’s perimeter network interface and UDP destination port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. UDP port 1812 is the default authentication port used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812 in this example.

  • Destination IP address of the IAS server’s perimeter network interface and UDP destination port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. UDP port 1813 is the default accounting port used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813 in this example.

Configure these output packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the IAS server’s perimeter network interface and UDP source port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. UDP port 1812 is the default authentication port used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812 in this example.

  • Source IP address of the IAS server’s perimeter network interface and UDP source port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. UDP port 1813 is the default accounting port used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813 in this example.

Filters on the Perimeter Network Interface

Configure these input packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Source IP address of the IAS server’s perimeter network interface and UDP source port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from the IAS server to Internet-based RADIUS clients. UDP port 1812 is the default authentication port used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812 in this example.

  • Source IP address of the IAS server’s perimeter network interface and UDP source port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from the IAS server to Internet-based RADIUS clients. UDP port 1813 is the default accounting port used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813 in this example.

Configure these output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the IAS server’s perimeter network interface and UDP destination port of 1812 (0x714).

    This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the IAS server. UDP port 1812 is the default authentication port used by IAS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812 in this example.

  • Destination IP address of the IAS server’s perimeter network interface and UDP destination port of 1813 (0x715).

    This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the IAS server. UDP port 1813 is the default accounting port used by IAS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813 in this example.

For added security, if you know the IP address of each RADIUS client that sends packets through the firewall, you can configure more specific filters that permit traffic only between the IP address of that RADIUS client and the IP address of the IAS server on the perimeter network, instead of accepting RADIUS packets from any Internet source.
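The following Python model is an added illustration, not part of this topic and not Windows Server firewall commands: it builds the four filter sets described above (input and output on the Internet and perimeter network interfaces) as default-deny allow lists and evaluates sample packets against them. The IAS address 192.0.2.5 and the client addresses are constructed; the optional clients list implements the tighter per-client filters just described, and the port parameters show how the 1812/1813 defaults are substituted.

```python
from dataclasses import dataclass
from typing import Optional

RADIUS_AUTH_PORT = 1812  # 0x714, IAS default authentication port (RFC 2865)
RADIUS_ACCT_PORT = 1813  # 0x715, IAS default accounting port (RFC 2866)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Filter:
    """One allow rule; a field left as None matches any value."""
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == "udp"
                and self.src in (None, p.src) and self.sport in (None, p.sport)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport))


def build_filters(ias_ip, auth_port=RADIUS_AUTH_PORT, acct_port=RADIUS_ACCT_PORT, clients=None):
    """Return {(interface, direction): [Filter, ...]} for the Internet firewall.
    clients=None reproduces the filters in the text (any Internet source);
    a list of client addresses produces the more specific per-client filters."""
    peers = clients or [None]
    to_ias = [Filter(src=c, dst=ias_ip, dport=port) for c in peers for port in (auth_port, acct_port)]
    from_ias = [Filter(src=ias_ip, sport=port, dst=c) for c in peers for port in (auth_port, acct_port)]
    return {
        ("internet", "in"): to_ias,     # clients -> IAS, arriving from the Internet
        ("internet", "out"): from_ias,  # IAS -> clients, leaving toward the Internet
        ("perimeter", "in"): from_ias,  # IAS -> clients, arriving from the perimeter network
        ("perimeter", "out"): to_ias,   # clients -> IAS, leaving toward the perimeter network
    }


def permitted(filters, interface, direction, pkt) -> bool:
    """Default deny: the packet passes only if a filter on that interface and direction matches."""
    return any(f.matches(pkt) for f in filters.get((interface, direction), []))


if __name__ == "__main__":
    rules = build_filters("192.0.2.5")  # constructed IAS perimeter-network address
    request = Packet("203.0.113.10", 49152, "192.0.2.5", RADIUS_AUTH_PORT)  # constructed client
    print(permitted(rules, "internet", "in", request))   # True: authentication request accepted
    print(permitted(rules, "internet", "in", Packet("203.0.113.10", 49152, "192.0.2.5", 53)))  # False
```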

For more information about configuring packet filters, see "Manage Packet Filters" and "Apply packet filters for business partner extranet" in Help and Support Center for Windows Server 2003.