
Ok, so I have kind of a funky setup, let me see if I can describe it.

I have a single VMware host with a public IP address 74.xx.xx.x. Inside that host, I have 3 VMs:

  1. Web Server - 1 NIC - 192.168.199.20
  2. SQL Server - 1 NIC - 192.168.199.30
  3. RRAS/VPN Server - 2 NICs - 192.168.199.40 & 192.168.199.45

Due to limitations of my ISP, all of the VMs are connected to the host via NAT. I have NAT set up for the web server so all incoming requests on 74.xx.xx.x via port 80 route to 192.168.199.20. This works fine.

Now I want to set up a Windows 2008 VPN server inside this NAT network and forward the correct traffic to it. My questions are as follows:

  1. What are the TCP/UDP ports that I have to forward?
  2. What special configuration is needed on the server and clients since this is behind a NAT?
  3. Any other advice would be wonderful.
Mark Henderson
Chris Kooken
1 Answer


Your setup is no different than how many physical RRAS servers are set up including my own at a small office. If you're talking an RRAS VPN you're more than likely talking about a PPTP VPN... unless you have an internal CA and want to futz around with IPSec. (Hint: If you want to futz around with IPSec VPNs, don't. Get an SSL VPN appliance if security is on your mind.)

Simply forward TCP port 1723 and IP Protocol 47 (GRE) to your RRAS server and you're good to go. Also note that you need to edit / add a Remote Access Policy to allow incoming connections. If I recall correctly, by default no incoming connections are allowed. For instance, I created a group called "VPN Users" and then created a policy called "Corp VPN Policy" that has policy conditions set to allow connections if any incoming request is from a user account that is in that group (as well as making sure that only MS-CHAPv2 PWD is being used, but I digress...). You must elevate that policy higher than the default policy which will deny everything. All of this is done in the "Routing and Remote Access" portion of "Network Policy and Access Services" within Server Manager.

There is no special configuration needed on the clients. Windows' built-in VPN client will work like a charm. I've even used Linux machines and pptpclient to connect to it with smashing success.

Now, after typing all of this I realized that this was all true for my Server 2003 RRAS box and you said you had a Server 2008 machine. Your mileage may vary. =)

Wesley
  • The NAT on VMware can only forward UDP and TCP ports. Any idea how to forward IP protocol 47? – Chris Kooken Nov 21 '09 at 05:44
  • Are you using VMware Server or a hypervisor? – Wesley Nov 21 '09 at 18:36
  • Server... I don't necessarily have to use the VMware NAT. I could do a Host Only network, and configure the route manually... I just don't know how... – Chris Kooken Nov 21 '09 at 18:38
  • From preliminary searches, it seems that GRE is not capable of being forwarded when using a VMware NAT. Only a bridged connection will allow GRE to go through. =( I hadn't considered that VMware NAT would have that limitation. – Wesley Nov 21 '09 at 18:40
  • Can I configure it to route somehow via a host-only connection? Somehow modify the route table? – Chris Kooken Nov 21 '09 at 19:00
  • That is beyond the scope of my experience. Sorry. =( – Wesley Nov 21 '09 at 21:26
  • No. F----d up, so to say, setup. You need to get rid of the VMware NAT and put in a more capable router doing the NAT, then you can route GRE backwards. VMware is not done for "real more complex scenarios" for their NAT, sadly for you. – TomTom Dec 28 '10 at 15:58
  • @TomTom did you intend that to be a separate answer? It doesn't make sense as a comment to my post. Wow, posting in a year old thread. You're the zombie maker! =) – Wesley Dec 30 '10 at 07:17
  • It was revived by our friends at serverfault. – TomTom Dec 30 '10 at 09:31
  • @TomTom - I've edited your comment to remove the profanity. Personally it didn't offend me but we've had a few flags on it. – Mark Henderson Feb 21 '11 at 00:29
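As an added diagnostic, not part of the answer or the comment thread: once TCP 1723 is forwarded to the RRAS box (or a more capable router is doing the NAT, as TomTom suggests), this Python script opens the PPTP control channel from outside and checks that the server answers the Start-Control-Connection-Request with result code 1. It only proves the TCP 1723 leg; the GRE (IP protocol 47) path the comments discuss is a separate protocol that this cannot verify. The host name and vendor strings and the `build_sccrp` helper are my own constructions for exercising the parser offline.

```python
import socket
import struct

PPTP_PORT = 1723            # TCP control channel named in the answer
MAGIC_COOKIE = 0x1A2B3C4D   # RFC 2637 magic cookie present in every control message
CTRL_MSG = 1                # PPTP message type 1 = control message
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
HDR = struct.Struct("!HHIHH")  # length, message type, magic cookie, control type, reserved0
REQ_BODY = "!HHIIHH64s64s"     # version, reserved1, framing, bearer, max chan, firmware, host, vendor
REP_BODY = "!HBBIIHH64s64s"    # version, result, error, framing, bearer, max chan, firmware, host, vendor

def build_sccrq(hostname=b"probe", vendor=b"diag"):
    """Build the 156-byte SCCRQ a client sends right after the TCP connect."""
    body = struct.pack(REQ_BODY, 0x0100, 0, 0x3, 0x3, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    return HDR.pack(HDR.size + len(body), CTRL_MSG, MAGIC_COOKIE, SCCRQ, 0) + body

def build_sccrp(result, error=0, hostname=b"rras", vendor=b"test"):
    """Constructed SCCRP (not a real server reply), used only to test the parser offline."""
    body = struct.pack(REP_BODY, 0x0100, result, error, 0x3, 0x3, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    return HDR.pack(HDR.size + len(body), CTRL_MSG, MAGIC_COOKIE, SCCRP, 0) + body

def parse_sccrp(data):
    """Return (result_code, error_code, hostname, vendor); result 1 = channel accepted."""
    if len(data) < 156:
        raise ValueError("short reply: %d bytes" % len(data))
    _len, msg_type, magic, ctrl, _r0 = HDR.unpack_from(data)
    if magic != MAGIC_COOKIE or msg_type != CTRL_MSG or ctrl != SCCRP:
        raise ValueError("not a PPTP SCCRP (magic=%#x type=%d ctrl=%d)" % (magic, msg_type, ctrl))
    _v, result, error, _f, _b, _mc, _fw, host, vendor = struct.unpack_from(REP_BODY, data, HDR.size)
    clean = lambda s: s.rstrip(b"\0").decode("ascii", "replace")
    return result, error, clean(host), clean(vendor)

def probe_control_channel(host, timeout=5.0):
    """Connect to TCP 1723, send an SCCRQ and parse the SCCRP. Only the TCP leg is
    checked; GRE (IP protocol 47) is a separate path that this cannot verify."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = sock.recv(156 - len(buf))
            if not chunk:
                raise ValueError("server closed the control channel before replying")
            buf += chunk
    return parse_sccrp(buf)
```

Run `probe_control_channel("<your public IP>")` from a machine outside the NAT; a result code of 1 means the forward to RRAS works at the control-channel level, and a `ValueError` or timeout means TCP 1723 is not reaching it.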