Making DSL, ICF and VPN Play Nice

By Ronald Pacchiano | Posted June 11, 2004

We use a DSL line in our office for Internet connectivity. The DSL line connects to a Windows XP PC running Internet Connection Firewall (ICF). Recently, we decided that we needed access to the network from outside the office, so we set up a Virtual Private Network (VPN) connection using a Point-to-Point Tunneling Protocol (PPTP) server.

The VPN appears to be configured correctly, but we couldn't access the network. I disabled ICF and — to my surprise — I could access the VPN server. This leads me to believe that there's an incompatibility between our PPTP server and Windows XP. I don't feel comfortable having an open Internet connection without a firewall, but it's important that we have access to the VPN. Do you have any suggestions as to what I should do next? Thanks!

I agree that having an open Internet connection to your network is just asking for trouble. As you correctly assessed, the Internet Connection Firewall (ICF) is causing the problem. However, the problem isn't an incompatibility with the PPTP server, it's because ICF is configured to block the traffic over the PPTP ports.

A firewall protects your network from unauthorized access by inspecting the traffic coming into your network. All Internet traffic is based on the TCP/IP protocol suite, and each kind of traffic is addressed to a particular port. For example, standard Web traffic (HTTP) uses port 80, FTP uses port 21 and Telnet uses port 23. These ports have been predefined in ICF so that this traffic can be allowed into the network. This type of configuration is typically referred to as a Rule.

If you have a PPTP server on your internal network that you want to access from outside of your network, you have to open the ports in ICF to allow VPN traffic to reach the PPTP server. You do this by adding a Service to the ICS Services List. Each entry in the Services List records the service type, the related TCP or UDP ports and the IP address of the host system that should receive the traffic.

To configure ICS to accept PPTP traffic, you first need to know the ports over which the traffic will travel. A typical PPTP connection consists of two types of traffic: the PPTP control channel (TCP port 1723) establishes and maintains the connection, while Generic Routing Encapsulation (GRE, IP protocol number 47, which has no port of its own) encapsulates the actual data that passes between the two endpoints. Opening TCP 1723 alone is not enough; the GRE traffic must be permitted as well, or the tunnel will negotiate but carry no data. (If you were using IPsec instead of PPTP, the numbers would change to 500 for IKE over UDP and IP protocols 50 for ESP and 51 for AH.) You'll find detailed, step-by-step instructions on configuring Windows XP ICS for an internal PPTP server in the Microsoft Knowledge Base.
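The following is an added example, not part of the original column and not Microsoft's ICF code: a small default-deny packet filter modelled on the Services List idea (one rule per protocol, port and host). It shows why a rule set that opens only TCP 1723 lets the PPTP control channel through while the GRE tunnel (IP protocol 47) is still dropped, which is exactly the "configured but can't reach the network" symptom in the question, and, going slightly beyond the text, builds the equivalent rule set for IPsec (UDP 500, ESP, AH). The server address and packets are constructed for illustration.

```python
"""Toy ICF-style packet filter (added example; not the article's or Microsoft's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA IP protocol numbers
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Packet:
    proto: int                 # IP protocol number
    dst_port: Optional[int]    # TCP/UDP destination port; None for port-less protocols
    dst_ip: str


@dataclass(frozen=True)
class Rule:
    """One Services List entry: protocol, port (None = port-less protocol) and host."""
    proto: int
    dst_port: Optional[int]
    host_ip: str


def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Default deny: an inbound packet passes only if some rule matches it."""
    for r in rules:
        if r.proto != pkt.proto or r.host_ip != pkt.dst_ip:
            continue
        if r.dst_port is None or r.dst_port == pkt.dst_port:
            return True
    return False


PPTP_SERVER = "192.168.1.10"  # constructed internal address of the PPTP server

# Rule set as described in the question: only the PPTP control port is open.
CONTROL_ONLY: List[Rule] = [Rule(TCP, 1723, PPTP_SERVER)]

# Complete PPTP rule set: control channel plus the GRE tunnel carrying the data.
PPTP_COMPLETE: List[Rule] = CONTROL_ONLY + [Rule(GRE, None, PPTP_SERVER)]


def ipsec_rules(host_ip: str) -> List[Rule]:
    """Equivalent rule set for an IPsec gateway: IKE on UDP 500, then ESP and AH."""
    return [Rule(UDP, 500, host_ip), Rule(ESP, None, host_ip), Rule(AH, None, host_ip)]


def classify_pptp(rules: List[Rule]) -> Tuple[bool, bool]:
    """Return (control_channel_allowed, gre_tunnel_allowed) for a PPTP session."""
    control = Packet(TCP, 1723, PPTP_SERVER)
    tunnel = Packet(GRE, None, PPTP_SERVER)
    return allowed(rules, control), allowed(rules, tunnel)


if __name__ == "__main__":
    print("control port only :", classify_pptp(CONTROL_ONLY))   # (True, False)
    print("control + GRE     :", classify_pptp(PPTP_COMPLETE))  # (True, True)
    # Unrelated services stay blocked under either rule set.
    print("telnet to server  :", allowed(PPTP_COMPLETE, Packet(TCP, 23, PPTP_SERVER)))
```

The design point is the `dst_port is None` branch: GRE, ESP and AH have no port field, so a port-based rule can never match them, and a filter that only understands TCP/UDP ports silently drops the tunnel even when the control channel is open.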

Adapted from PracticallyNetworked.com, part of the EarthWeb.com Network.
