Routing and Remote Access Blog

VPN articles - straight from Windows development team

Ports affecting the VPN connectivity

Ports affecting the VPN connectivity

  • Comments 4
  • Likes

If you are running firewall infront of your RRAS server (i.e. between internet and RRAS), then following are the relevant ports which needs to be opened on the firewall for VPN connectivity to be successful:

a) PPTP tunnel based VPN uses TCP Port number 1723 and IP Protocol number 47 (GRE). Please note: The 47 is IP protocol number of GRE and not a port number inside TCP or UDP header.

b) L2TP tunnel based VPN uses IPSec: UDP Port 500 (IKE) and 4500 (NAT-T), and IP protocol 50 number (ESP) . Note: Same comment as above - it is IP protocol 50 and not port number inside TCP or UDP.

c) SSTP tunnel uses TCP port 443 (SSL)

On the RRAS server, if you are running Windows firewall (which is not interface specific), then following ports need to be opened: -

a)  VPN tunnel ports as given above. In addition in this scenario when firewall is running on RRAS server - UDP port 1701 need to be enabled for L2TP packets. 

b) If you are running DHCPv4 relay agent on RRAS, to have proper relay of DHCPv4 inform packets,  UDP port number 67 and 68 need to be opened..

c) If you are running DHCPv6 relay agent on RRAS, to have proper relay of DHCPv6  inform packets,  UDP port number 547 need to be opened..

d) If you are using RQS based quarantine service on RRAS, the default port is 7250 (not a standard port) which needs to be opened. If the port number is changed during runtime, the service would take care of opening the appropriate port on the firewall.

e) If you are using Radius server based authentication, UDP port 1812 need to be opened.

On the RRAS server, if you are running RRAS static inbound/outbound filters (which are interface specific), then following ports need to be opened: -

a)  VPN tunnel ports as given above "for the internet facing interface on both inbound/outbound direction". In addition in this scenario when static filters is running on RRAS server - UDP port 1701 need to be enabled for L2TP packets on RRAS Internet facing interface in both inbound/outbound direction. 

b) If you are running DHCPv4 relay agent on RRAS, to have proper relay of DHCPv4 inform packets,  UDP port number 67 and 68 need to be opened on RRAS internal interface and LAN interface (towards DHCPv4 server) in inbound/outbound direction.

c) If you are running DHCPv6 relay agent on RRAS, to have proper relay of DHCPv6  inform packets,  UDP port number 547 need to be opened on RRAS internal interface and LAN interface (towards DHCPv6 server) in inbound/outbound direction.

d) If you are using RQS based quarantine service on RRAS, the default port is 7250 (not a standard port) which needs to be opened on RRAS internal interface in inbound direction. If the port number is changed during runtime, the service would take care of opening the appropriate port on the firewall.

e) If you are using Radius server based authentication, UDP port 1812 need to be opened on LAN interface (towards Radius server) in inbound/outbound direction.

f)  If you are running IPv6 on top of VPN tunnel, then you need to enable ICMPv6 (i.e. IPv6 next header type = 58) on RRAS internal interface and LAN interface in inbound/outbound direction to ensure ICMPv6 packets are relayed correctly. ICMPv6 are required for neighbor discovery.

Note: To enable inbound/outbound ports on RRAS internal interface - you need to change the filter settings inside the remote access policies (and not on RRAS MMC snap-in).

Note: On security perspective, you should be to allow only specific packets (i.e. deny rest) coming in from the internet interface (i.e. allow only tunnel packets). On the RRAS internal interface, you need can enable everything (i.e. all packets from/to the remote access clients over the VPN tunnel) or you can restrict (like based upon client health state or user-id etc).  This can be done by changing the filter settings inside remote access  policy. On the LAN adapter (towards intranet) - assuming two NIC scenario, you can allow all traffic or again can be restrictive based upon your deployment needs.

References:

Which ports to unblock for VPN traffic to pass-through?

Mahesh Narayanan
Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments
  • What about IPsec NAT-T on 4500/udp? We currently rely on this functionality for Windows 2000 clients connecting to a Windows 2003 Server. If this functionality is changing because of TCP encapsulation solutions like SSTP, then it would be great to know.

    Thanks

  • Users can run the test detailed in the PPTP Ping and VPN Traffic sections in this Cable Guy article to troubleshoot PPTP VPN connection problems.

    http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx

    These tools, ie. pptpsrv and pptpclnt, also run on Vista machines for home users setting up a PPTP VPN server on a Vista PC at home and/or use a remote Vista client.

    http://theillustratednetwork.mvps.org/Vista/PPTP/PPTPVPN.html

    Many consumer grade routers have issues passing GRE Protocol 47 traffic.

  • For L2TP/IPsec based VPN's, a firewall will only see IPsec traffic. In other words, the L2TP traffic (UDP Port 1701) is hidden. Thus, only UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) is needed.

  • Hello, As you know in Windows server 2008 (WS08) we have removed “Basic Firewall” functionality in RRAS

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment