Appendix B: Alternate Configurations -- Virtual Private Networking

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This section provides information about common alternate configurations for a Windows Server 2003 VPN router. The most common configuration is described in the "Deploying a PPTP-based Site-to-Site VPN Connection" and "Deploying an L2TP-based Site-to-Site VPN Connection" sections of this paper; its principal characteristics are the following:

  • The VPN router has multiple network adapters: at least one connected to the site and at least one connected to the Internet.

  • The VPN router has static public IP addresses assigned to its Internet interfaces.

  • The VPN router is only acting as a security gateway providing a routed connection to the site. The VPN router is not hosting any other Internet services such as NAT or Web services.

The two other most common configurations are the following:

  1. The VPN router computer is performing other functions such as network address translation or Web hosting.

  2. The VPN router computer has a single network adapter and its public IP address is published by a firewall.

The following sections detail the changes to make in the deployment of a VPN router to accommodate these additional common configurations.

Multiple Internet Function VPN Router

In this configuration, the VPN router's principal characteristics are the following:

  • The VPN router has multiple network adapters: at least one connected to the site and at least one connected to the Internet.

  • The VPN router has static public IP addresses assigned to its Internet interfaces.

  • The VPN router is acting as a security gateway providing remote access to the site and is also hosting other Internet services such as NAT or Web hosting.

In this configuration, you can follow the procedures as described in the "Deploying a PPTP-based Site-to-Site VPN Connection" and "Deploying an L2TP-based Site-to-Site VPN Connection" sections of this paper, except that when you run the Routing and Remote Access Server Setup Wizard, clear the Enable security on the selected interface by setting up static packet filters check box on the VPN Connection page of the Wizard.

When you clear the Enable security on the selected interface by setting up static packet filters check box, PPTP and L2TP/IPSec packet filters are not configured on the Internet interface of the VPN router computer. Whether you have to manually configure these filters depends on whether the VPN router computer is also hosting NAT.

  • If NAT is needed on the VPN router computer, do not configure PPTP and L2TP/IPSec packet filters or packet filters for other types of traffic. If you configure PPTP and L2TP/IPSec packet filters on the Internet interface, NAT cannot function. Even though you do not configure any packet filters on the Internet interface of the VPN router computer, the NAT itself discards any traffic from the Internet that does not correspond to traffic requested by site clients.

  • If NAT is not needed on the VPN router computer, you can configure PPTP and L2TP/IPSec packet filters and other types of filters for additional services hosted by the VPN router computer. For example, if the VPN router computer is also hosting a Web site, then filters should be added to allow traffic to and from the public IP address of the VPN router computer and TCP port 80.

Single-Adapter VPN Router

In this configuration, the VPN router computer has only a single network adapter, and nodes on the site of the calling router are accessing services hosted on the VPN router computer. If the VPN router computer has only a single network adapter and is configured with a public IP address, all traffic to and from the services running on the VPN router computer is sent as clear text outside the VPN tunnel. For more information about why this happens, see "Routing and multi-use VPN routers" in this paper.

The only way a single-adapter VPN router can work properly is if it is behind a firewall that is providing a publishing and translation service for the VPN router. The firewall publishes, or makes known on the Internet, a static public IP address for the VPN router. When VPN packets are sent to this published IP address, the firewall translates the destination address of the packet to the private or other public address by which the VPN router is known on the site.

Figure 6 shows an example of the published and actual addresses of a VPN router in this configuration.

Figure 6: The single-adapter VPN router configuration

The VPN router is configured according to "Deploying a PPTP-based Site-to-Site VPN Connection" in this paper with its site interface acting as an Internet interface. The firewall is configured to:

  • Publish the name and public IP address of the VPN router on the Internet.

  • Translate PPTP traffic sent to the public IP address of the VPN router to the site interface of the VPN router computer.

  • Discard all traffic except PPTP traffic going to and from the VPN router computer.
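The following is an added example, not part of the original paper, that models the two filtering policies described above: the "drop everything except" static inbound filters on a multi-function VPN router without NAT (including the TCP port 80 filter for a hosted Web site), and the publishing firewall in the single-adapter case, which translates PPTP traffic to the site interface and discards all else. The addresses are constructed, and the port and protocol numbers assumed are the standard ones for PPTP (TCP 1723 and GRE, IP protocol 47) and L2TP/IPSec (UDP 500 for IKE, UDP 4500 for NAT-T, and ESP, IP protocol 50).

```python
# Added example (not from the original paper): a small model of static inbound
# packet filtering on the VPN router's Internet interface and of the publishing
# firewall used with a single-adapter VPN router. Both are "drop all except"
# lists; the firewall additionally rewrites the destination address.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "gre" or "esp"
    dport: Optional[int] = None  # None for protocols without ports (GRE, ESP)

@dataclass(frozen=True)
class Rule:
    proto: str
    dport: Optional[int] = None       # None = match any port
    translate_to: Optional[str] = None  # firewall DNAT target, if any

    def matches(self, pkt: Packet, public_ip: str) -> bool:
        return (pkt.dst == public_ip and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))

def apply_policy(rules: List[Rule], public_ip: str, pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Return ("pass", packet) for the first matching rule, possibly with the
    destination rewritten; anything that matches no rule is ("drop", None)."""
    for rule in rules:
        if rule.matches(pkt, public_ip):
            if rule.translate_to:
                pkt = replace(pkt, dst=rule.translate_to)
            return "pass", pkt
    return "drop", None

PUBLIC_IP = "203.0.113.10"   # constructed sample address (documentation range)
SITE_IP = "10.0.0.5"         # constructed: the VPN router's site interface

# Multi-function VPN router, NAT not in use: PPTP and L2TP/IPSec filters plus
# a filter for the Web site hosted on the same computer (TCP port 80).
ROUTER_FILTERS = [
    Rule("tcp", 1723), Rule("gre"),                 # PPTP control and tunnel
    Rule("udp", 500), Rule("udp", 4500), Rule("esp"),  # IKE, NAT-T, ESP
    Rule("tcp", 80),                                # hosted Web site
]

# Single-adapter VPN router: the firewall publishes PUBLIC_IP, translates
# PPTP traffic to the site interface, and discards everything else.
FIREWALL_POLICY = [
    Rule("tcp", 1723, translate_to=SITE_IP),
    Rule("gre", translate_to=SITE_IP),
]
```

Running `apply_policy(FIREWALL_POLICY, PUBLIC_IP, pkt)` on an L2TP/IPSec packet returns "drop", which is why the single-adapter configuration in this section is described for PPTP only.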