
Configure a Firewall for VPN Traffic

 07/02/2012
 12 minutes to read

Applies To: Windows 7, Windows Server 2008 R2

When designing a virtual private network (VPN) remote access solution that involves network
firewalls, you typically choose between the following two options for server placement. Each
option has different design requirements.

- VPN server behind a firewall. The firewall is attached to the Internet, with the VPN
  server between the firewall and the intranet. This is the placement used in a typical
  perimeter network configuration, in which one firewall is positioned between the VPN
  server and the intranet and another firewall is positioned between the VPN server and
  the Internet.
- VPN server in front of a firewall. The VPN server is connected directly to the Internet,
  with the firewall between the VPN server and the intranet.

VPN server behind a firewall


In the configuration shown in the following figure, the firewall is connected to the Internet
and the VPN server is an intranet resource on the perimeter network. The perimeter network
is an IP network segment that typically contains resources available to Internet users, such as
Web servers and FTP servers. The VPN server has an interface on both the perimeter network
and on the private intranet.

In this approach, the firewall must be configured with input and output filters on its Internet
and perimeter network interfaces to allow the passing of tunnel maintenance traffic and
tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web
servers, FTP servers, and other types of servers on the perimeter network. As an added layer
of security, the VPN server should also be configured with Point-to-Point Tunneling Protocol
(PPTP), Secure Socket Tunneling Protocol (SSTP), or Layer Two Tunneling Protocol
(L2TP)/Internet Protocol security (IPsec) packet filters on its perimeter network interface as
described in “VPN server in front of a firewall” in this topic.

Because the firewall does not have the encryption keys for each VPN connection, it can only
filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes
through the firewall. However, this is not a security concern because the VPN connection
requires an authentication process that prevents unauthorized access beyond the VPN server.

Figure: VPN server behind the firewall


Packet filters for a VPN server behind a firewall
If the VPN server is behind a firewall, packet filters must be configured for both an Internet
interface and a perimeter network interface. In this scenario, the firewall is connected to the
Internet and the VPN server is an intranet resource that is connected to the perimeter network.
The VPN server has an interface on both the perimeter network and the Internet.

PPTP connections for the Internet interface of the firewall


The following table shows the inbound and outbound PPTP firewall rules that are applied to
the firewall’s network adapter that connects to the Internet.

Filter type: Inbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             TCP destination port = 1723 (0x6BB)
Description: Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

Filter type: Inbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             IP Protocol ID = 47 (0x2F)
Description: Allows tunneled PPTP data from the PPTP client to the PPTP server.

Filter type: Inbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             TCP source port = 1723 (0x6BB)
Description: Required only when the VPN server is acting as a VPN client (a calling router)
             in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed
             to reach the VPN server, network attacks can originate from sources on the
             Internet that use this port. Administrators should only use this filter in
             conjunction with the PPTP filters that are also configured on the VPN server.

Filter type: Outbound
Filter:      Source IP address = Perimeter network interface of VPN server
             TCP source port = 1723 (0x6BB)
Description: Allows PPTP tunnel maintenance traffic from the PPTP server to the PPTP client.

Filter type: Outbound
Filter:      Source IP address = Perimeter network interface of VPN server
             IP Protocol ID = 47 (0x2F)
Description: Allows tunneled PPTP data from the PPTP server to the PPTP client.

Filter type: Outbound
Filter:      Source IP address = Perimeter network interface of VPN server
             TCP destination port = 1723 (0x6BB)
Description: Required only when the VPN server is acting as a VPN client (a calling router)
             in a site-to-site VPN connection. If all traffic from the VPN server is allowed
             to reach TCP port 1723, network attacks can originate from sources on the
             Internet using this port. Administrators should only use this filter in
             conjunction with the PPTP filters that are also configured on the VPN server.

PPTP connections for the perimeter network interface of the firewall

The following table shows the inbound and outbound PPTP firewall rules that are applied to
the firewall’s network adapter that connects to the organization’s perimeter network.

Filter type: Inbound
Filter:      Source IP address = Perimeter network interface of VPN server
             TCP source port = 1723 (0x6BB)
Description: Allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.

Filter type: Inbound
Filter:      Source IP address = Perimeter network interface of VPN server
             IP Protocol ID = 47 (0x2F)
Description: Allows tunneled PPTP data from the VPN server to the VPN client.

Filter type: Inbound
Filter:      Source IP address = Perimeter network interface of VPN server
             TCP destination port = 1723 (0x6BB)
Description: Required only when the VPN server is acting as a VPN client (a calling router)
             in a site-to-site VPN connection. If all traffic from TCP port 1723 is allowed
             to reach the VPN server, network attacks can originate from sources on the
             Internet using this port.

Filter type: Outbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             TCP source port = 1723 (0x6BB)
Description: Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

Filter type: Outbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             IP Protocol ID = 47 (0x2F)
Description: Allows tunneled PPTP data from the PPTP client to the PPTP server.

Filter type: Outbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             TCP source port = 1723 (0x6BB)
Description: Required only when the VPN server is acting as a VPN client (a calling router)
             in a site-to-site VPN connection. If all traffic from the VPN server is allowed
             to reach TCP port 1723, network attacks can originate from sources on the
             Internet using this port.

SSTP connections for the Internet interface of the firewall


The following table shows the inbound and outbound SSTP filters on the Internet interface of
the firewall.

Filter type: Inbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             TCP destination port = 443 (0x1BB)
Action:      Allows SSTP traffic to the VPN server.

Filter type: Outbound
Filter:      Source IP address = Perimeter network interface of VPN server
             TCP source port = 443 (0x1BB)
Action:      Allows SSTP traffic from the VPN server.

SSTP connections for the perimeter network interface of the firewall

The following table shows the inbound and outbound SSTP filters on the perimeter network
interface of the firewall.

Filter type: Inbound
Filter:      Source IP address = Perimeter network interface of VPN server
             TCP source port = 443 (0x1BB)
Action:      Allows SSTP traffic from the VPN server to the VPN client.

Filter type: Outbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             TCP source port = 443 (0x1BB)
Action:      Allows SSTP traffic from the SSTP client to the SSTP server.

L2TP/IPsec connections for the Internet interface of the firewall

The following table shows the inbound and outbound L2TP/IPsec filters on the Internet
interface of the firewall.

Filter type: Inbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             UDP destination port = 500 (0x1F4)
Action:      Allows Internet Key Exchange (IKE) traffic to the VPN server.

Filter type: Inbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             UDP destination port = 4500 (0x1194)
Action:      Allows IPsec NAT Traversal (NAT-T) traffic to the VPN server.

Filter type: Inbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             IP Protocol ID = 50 (0x32)
Action:      Allows IPsec Encapsulating Security Payload (ESP) traffic to the VPN server.

Filter type: Outbound
Filter:      Source IP address = Perimeter network interface of VPN server
             UDP source port = 500 (0x1F4)
Action:      Allows IKE traffic from the VPN server.

Filter type: Outbound
Filter:      Source IP address = Perimeter network interface of VPN server
             UDP source port = 4500 (0x1194)
Action:      Allows IPsec NAT-T traffic from the VPN server.

Filter type: Outbound
Filter:      Source IP address = Perimeter network interface of VPN server
             IP Protocol ID = 50 (0x32)
Action:      Allows IPsec ESP traffic from the VPN server.

No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall,
including tunnel maintenance and tunneled data, is encrypted with IPsec ESP.

L2TP/IPsec connections for the perimeter network interface of the firewall

The following table shows the inbound and outbound L2TP/IPsec filters on the perimeter
network interface of the firewall.

Filter type: Inbound
Filter:      Source IP address = Perimeter network interface of VPN server
             UDP source port = 500 (0x1F4)
Action:      Allows IKE traffic from the VPN server.

Filter type: Inbound
Filter:      Source IP address = Perimeter network interface of VPN server
             UDP source port = 4500 (0x1194)
Action:      Allows IPsec NAT-T traffic from the VPN server.

Filter type: Inbound
Filter:      Source IP address = Perimeter network interface of VPN server
             IP Protocol ID = 50 (0x32)
Action:      Allows IPsec ESP traffic from the VPN server.

Filter type: Outbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             UDP destination port = 500 (0x1F4)
Action:      Allows IKE traffic to the VPN server.

Filter type: Outbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             UDP destination port = 4500 (0x1194)
Action:      Allows IPsec NAT-T traffic to the VPN server.

Filter type: Outbound
Filter:      Destination IP address = Perimeter network interface of VPN server
             IP Protocol ID = 50 (0x32)
Action:      Allows IPsec ESP traffic to the VPN server.

VPN server in front of a firewall


With the VPN server in front of the firewall and connected to the Internet, as shown in the
following figure, administrators need to add packet filters to the Internet interface that allow
only VPN traffic to and from the IP address of the VPN server’s interface on the Internet.

For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to
the firewall, which uses its filters to allow the traffic to be forwarded to intranet resources.
Because the only traffic that is crossing the VPN server is traffic generated by authenticated
VPN clients, firewall filtering in this scenario can be used to prevent VPN users from
accessing specified intranet resources.

Because the only Internet traffic allowed on the intranet must go through the VPN server, this
approach also prevents the sharing of intranet resources with non-VPN Internet users.

Figure: VPN server in front of the firewall

Packet filters for a VPN server in front of a firewall


When a VPN server is in front of a firewall and connected to the Internet, inbound and
outbound packet filters on the VPN server must be configured to allow only VPN traffic to
and from the IP address of the VPN server’s Internet interface. Use this configuration if the
VPN server is in a perimeter network, with one firewall positioned between the VPN server
and the intranet and another between the VPN server and the Internet.

All of the following packet filters are configured, using the Routing and Remote Access
snap-in, as IP packet filters on the Internet interface. Depending on the configuration
decisions made during the running of the Routing and Remote Access Server Setup Wizard,
these packet filters might already be configured.

PPTP connections for the inbound and outbound filters


The following table shows the VPN server’s inbound and outbound filters for PPTP.

Filter type: Inbound
Filter:      Destination IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             TCP destination port = 1723
Action:      Allows PPTP tunnel maintenance to the VPN server.

Filter type: Inbound
Filter:      Destination IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             IP Protocol ID = 47
Action:      Allows tunneled PPTP data to the VPN server.

Filter type: Inbound
Filter:      Destination IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             TCP (established) source port = 1723
Action:      Required only when the VPN server is acting as a VPN client (a calling router)
             in a site-to-site VPN connection. Accepts TCP traffic only when a VPN server
             initiates the TCP connection.

Filter type: Outbound
Filter:      Source IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             TCP source port = 1723
Action:      Allows PPTP tunnel maintenance traffic from the VPN server.

Filter type: Outbound
Filter:      Source IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             IP Protocol ID = 47
Action:      Allows tunneled PPTP data from the VPN server.

Filter type: Outbound
Filter:      Source IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             TCP (established) destination port = 1723
Action:      Required only when the VPN server is acting as a VPN client (a calling router)
             in a site-to-site VPN connection. Sends TCP traffic only when a VPN server
             initiates the TCP connection.

SSTP connections
The following table shows the VPN server’s inbound and outbound filters for SSTP.

Filter type: Inbound
Filter:      Destination IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             TCP destination port = 443
Action:      Allows SSTP traffic to the VPN server.

Filter type: Outbound
Filter:      Source IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             TCP source port = 443
Action:      Allows SSTP traffic from the VPN server.

L2TP/IPsec connections
The following table shows the VPN server’s inbound and outbound filters for L2TP/IPsec.

Filter type: Inbound
Filter:      Destination IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             UDP destination port = 500
Action:      Allows IKE traffic to the VPN server.

Filter type: Inbound
Filter:      Destination IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             UDP destination port = 1701
Action:      Allows L2TP traffic from the VPN client to the VPN server.

Filter type: Inbound
Filter:      Destination IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             UDP destination port = 4500
Action:      Allows IPsec NAT-T traffic from the VPN client to the VPN server.

Filter type: Outbound
Filter:      Source IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             UDP source port = 500
Action:      Allows IKE traffic from the VPN server.

Filter type: Outbound
Filter:      Source IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             UDP source port = 1701
Action:      Allows L2TP traffic from the VPN server to the VPN client.

Filter type: Outbound
Filter:      Source IP address = Internet interface of VPN server
             Subnet mask = 255.255.255.255
             UDP source port = 4500
Action:      Allows IPsec NAT-T traffic from the VPN server to the VPN client.
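As an added example (not code from the original page or from Routing and Remote Access), the following Python model encodes the inbound filters from the PPTP, SSTP and L2TP/IPsec tables for a VPN server in front of the firewall and evaluates constructed packets against them. The interface address and packets are constructed, and the "TCP (established)" qualifier is approximated statelessly as ACK set and SYN clear; that approximation is an assumption, not a description of how the snap-in implements the filter.

```python
# Added example (not from the page): inbound IP packet filters for a VPN server in front of the firewall.
from dataclasses import dataclass
from typing import Optional

VPN_IF = "203.0.113.10"  # constructed: the VPN server's Internet interface address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "gre" (IP protocol ID 47)
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    proto: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    established: bool = False  # the page's "TCP (established)" qualifier
    action: str = ""

# Inbound filters transcribed from the page's PPTP, SSTP and L2TP/IPsec tables (subnet mask /32 is implied).
INBOUND = [
    Rule("tcp", VPN_IF, dport=1723, action="PPTP tunnel maintenance to the VPN server"),
    Rule("gre", VPN_IF, action="tunneled PPTP data to the VPN server"),
    Rule("tcp", VPN_IF, sport=1723, established=True, action="reply to a PPTP call the VPN server initiated"),
    Rule("tcp", VPN_IF, dport=443, action="SSTP traffic to the VPN server"),
    Rule("udp", VPN_IF, dport=500, action="IKE traffic to the VPN server"),
    Rule("udp", VPN_IF, dport=1701, action="L2TP traffic to the VPN server"),
    Rule("udp", VPN_IF, dport=4500, action="IPsec NAT-T traffic to the VPN server"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field a rule specifies must match; an unspecified port is a wildcard."""
    if rule.proto != pkt.proto or rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    # Assumption: "established" is modelled statelessly as ACK set and SYN clear, so a bare SYN
    # arriving from source port 1723 is not admitted, which is the point of the qualifier.
    return not rule.established or (pkt.ack and not pkt.syn)

def decide(pkt: Packet, rules=INBOUND) -> Optional[str]:  # action of the first match, else None (dropped)
    return next((r.action for r in rules if matches(r, pkt)), None)
```

Filters that are absent from the list, such as anything to TCP port 80 on the interface or any traffic to a different address, fall through to None, matching the page's "only VPN traffic" requirement.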
