PPTP sleight of hand going on by MS?

PPTP sleight of hand going on by MS? - 29.Aug.2003 1:03:00 AM
AmyC4

 

Posts: 1
Joined: 29.Aug.2003
Status: offline
Hello All:

I understand that a packet filter must be added to allow GRE (protocol 47) in/out of the external interface to allow internal users to VPN out, but where is the Protocol Rule or filter to allow TCP/1723 out, the control channel for PPTP? PPTP is not just GRE. Is Microsoft hiding an implicit Protocol Rule when you check the box to allow outbound PPTP?

Also, if I set my filter to allow GRE and manually create a Protocol Rule to allow outbound TCP/1723, why can't a firewall client then get out via PPTP?

Any thoughts appreciated-- Amy C.
Post #: 1
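The two PPTP channels named in the post above (TCP/1723 control, GRE protocol 47 data), as an added diagnostic sketch that is not part of the original thread: it classifies raw IPv4 packets from a capture and reports which channel is missing. The GRE version and protocol-type check follows RFC 2637 and goes beyond what the thread states; the sample packets and addresses are constructed.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_CONTROL_PORT = 1723      # TCP control channel
GRE_PROTO_PPP = 0x880B        # enhanced GRE (version 1) carrying PPP, per RFC 2637

def classify(packet: bytes) -> str:
    """Return 'control', 'data' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (first, second):
        return "control"                  # source or destination port 1723
    if proto == IPPROTO_GRE and (first & 0x0007) == 1 and second == GRE_PROTO_PPP:
        return "data"                     # GRE version 1, protocol type PPP
    return "other"

def diagnose(packets) -> str:
    """Say which PPTP channel is missing from a capture."""
    seen = {classify(p) for p in packets}
    if {"control", "data"} <= seen:
        return "both channels pass"
    if "control" in seen:
        return "TCP/1723 passes, GRE (protocol 47) is missing"
    if "data" in seen:
        return "GRE passes, TCP/1723 is missing"
    return "no PPTP traffic seen"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.20")) + payload

# Constructed samples: a TCP segment to port 1723 and a PPTP GRE data packet
# (flags 0x3001 = key and sequence present, version 1; call ID 7 is arbitrary).
CONTROL = ipv4(IPPROTO_TCP, struct.pack("!HH", 49152, 1723) + bytes(16))
DATA = ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 0, 7, 1))

if __name__ == "__main__":
    print(diagnose([CONTROL]))
    print(diagnose([CONTROL, DATA]))
```
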
RE: PPTP sleight of hand going on by MS? - 29.Aug.2003 1:29:00 AM
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Amy,

There's a hidden application filter that handles the outbound non-TCP/UDP connection (GRE).

HTH,
Tom

(in reply to AmyC4)
Post #: 2
RE: PPTP sleight of hand going on by MS? - 12.Sep.2003 7:36:00 AM
Amy C2

 

Posts: 3
Joined: 27.Aug.2003
Status: offline
Thank you for the reply.

But does this "hidden GRE application filter" also NAT incoming PPTP tunnels? What I'd like is to place an RRAS gateway inside the LAN (not on a perimeter network) behind the ISA Server and terminate the PPTP tunnels of Internet clients there. In other words, I don't want to install RRAS on the ISA Server itself; I want ISA to "publish" that internal RRAS gateway. Is this possible?

Client --> Internet --> ISA --> LAN --> RRAS

If so, how is the NATing of the incoming GRE packets handled? I see how to define the TCP/1723 protocol for inbound access, but not how to do it for GRE.

Thank You!

(in reply to AmyC4)
Post #: 3
RE: PPTP sleight of hand going on by MS? - 12.Sep.2003 9:27:00 PM
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Amy,

You can *not* publish a PPTP VPN server. If you want to publish a VPN server, it must run on Win2003 and use only L2TP/IPSec with NAT-T support as the VPN protocol. Check out http://isaserver.org/articles/isa2000vpndeploymentkit.html for more info.

HTH,
Stefaan

(in reply to AmyC4)
Post #: 4
RE: PPTP sleight of hand going on by MS? - 13.Sep.2003 4:04:00 PM
AmyCarter

 

Posts: 6
Joined: 7.Aug.2003
Status: offline
OK, thanks. And, by the way, thanks in general for having such a good website and message boards on ISA Server. isaserver.org is better than any of MS's documentation or help.

(in reply to AmyC4)
Post #: 5
RE: PPTP sleight of hand going on by MS? - 13.Sep.2003 4:28:00 PM
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Amy,

Glad we could help, and thanks for the compliments! [Smile]

Stefaan

(in reply to AmyC4)
Post #: 6
