Windows Firewall, PPTP & RDP Problem


gp

I have set up a router to forward incoming packets from the internet on
port 1723 to a Windows XP Pro machine (192.168.1.20) that is
configured with an Incoming Connection. The PPTP connection works
fine.

The machine is also running the RDP server which works fine until I
enable Windows Firewall. Windows Firewall is configured to allow RDP
(port 3389) and PPTP (port 1723). Here is the pFirewall log:

2007-02-23 00:00:03 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 48 SA 2655595264 2411208717 9520 - - - SEND
2007-02-23 00:00:06 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 40 A 2655595265 2411208717 9520 - - - SEND
2007-02-23 00:00:06 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 48 SA 2655595264 2411208717 9520 - - - SEND
2007-02-23 00:00:12 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 40 A 2655595265 2411208717 9520 - - - SEND
2007-02-23 00:00:12 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 48 SA 2655595264 2411208717 9520 - - - SEND

I'm thinking that the PPTP server sets up a virtual PPTP adapter and
the problem is that the firewall is blocking traffic between the
virtual PPTP adapter and the LAN adapter (Just a wild guess)

Any help in solving this would be greatly appreciated.

Mike
 

Make sure the firewall is configured so it will accept incoming RDP requests
from any IP on the internet not just the local subnet or customize the scope
for the specific assigned IP the VPN client gets. Here is an example for
File & Print Sharing...

http://theillustratednetwork.mvps.org/ScreenShots/SP2WindowsFirewall/FirewallCustomScope.JPG

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
 
Thanks,

I already have the scope set to "Internet" for both RDP and PPTP
exceptions (1723 and 3389)

The Incoming Connection (PPTP server) is the same machine that I am
trying to connect to via RDP.
Examining the log posted above, it appears that the firewall is blocking
the reply from the Terminal Server (192.168.1.20:3389) to the client
(192.168.1.103:2968).

It seems like the firewall is blocking responses to the client on port
2968. The firewall should be opening up this port when it sees it is
paired with the incoming 3389 request. I'm wondering if it is because
the client routes through the VPN connection, which might be on a
virtual adapter that is set up for the VPN connection. The firewall
could be blocking traffic between the LAN adapter and the VPN virtual
adapter.
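An added example (not code from the thread or from Microsoft) that parses the pfirewall.log entries quoted above, using the Windows XP SP2 column order, and pulls out exactly the pattern Mike describes: the server's own SYN-ACK replies from port 3389 being dropped on the SEND path. The sample lines are the ones from the thread joined onto single lines; the list of local service ports is an assumption.

```python
from collections import Counter

# Column order of a Windows XP SP2 pfirewall.log (the file's "#Fields:" header).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The five entries quoted in the thread, one log record per line.
SAMPLE_LOG = """\
2007-02-23 00:00:03 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 48 SA 2655595264 2411208717 9520 - - - SEND
2007-02-23 00:00:06 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 40 A 2655595265 2411208717 9520 - - - SEND
2007-02-23 00:00:06 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 48 SA 2655595264 2411208717 9520 - - - SEND
2007-02-23 00:00:12 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 40 A 2655595265 2411208717 9520 - - - SEND
2007-02-23 00:00:12 DROP TCP 192.168.1.20 192.168.1.103 3389 2968 48 SA 2655595264 2411208717 9520 - - - SEND
"""


def parse_pfirewall(text):
    """Return one dict per log record; '#' header lines and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def dropped_service_replies(entries, service_ports=("3389", "1723")):
    """DROP/SEND TCP records whose *source* port is a local service (assumed list)
    and whose flags include SYN+ACK: the host's own handshake reply is being
    blocked, which a stateful firewall should not do for a permitted port."""
    return [e for e in entries
            if e["action"] == "DROP" and e["path"] == "SEND"
            and e["protocol"] == "TCP" and e["src_port"] in service_ports
            and {"S", "A"} <= set(e["tcpflags"])]


def affected_clients(entries):
    """Map (service port, client ip:port) -> number of dropped replies, so a
    client whose SYN-ACK keeps being retransmitted (same tcpsyn) stands out."""
    counts = Counter()
    for e in dropped_service_replies(entries):
        counts[(e["src_port"], f"{e['dst_ip']}:{e['dst_port']}")] += 1
    return dict(counts)
```

Run against the thread's lines, the three SYN-ACK records all carry the same sequence number, i.e. one handshake reply retried three times and never delivered.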
 
OK, I figured this out and I am posting my findings in order to help
others with the same problem.

The XP Pro box has a static IP of 192.168.1.20
The PPTP server (Incoming Connection) obtains 2 IP addresses from the
DHCP server.
One for the server's virtual PPTP adapter and the other for the
connected client.
Let's say the server is 192.168.1.101 and the client is 192.168.1.102

When Windows Firewall is DISABLED, the client (192.168.1.102) can
access the server by its LAN adapter's IP address (192.168.1.20) as
packets are allowed to freely traverse between the 2 adapters on the
same machine.

When Windows Firewall is ENABLED, the firewall prevents packets from
traversing across both adapters, even though both adapters are on the
same network. The machine is multi-homed but the firewall blocks the
traffic and there is no way to tell it to allow traffic to flow
across both adapters. The Incoming adapter is not configurable from
within the firewall, just the LAN adapter.

A workaround is to configure the Incoming Adapter to use static IP
addresses in the Advanced tab of TCP/IP properties. You must specify a
range, only a range of 2 is needed. One address for the server side
and one address for the client. I used 192.168.1.90 and 192.168.1.91
as these addresses are below the DHCP pool range.

Whenever a client connects, it always gets the 192.168.1.91 address
and the server always gets the 192.168.1.90 address. Now you can
connect to the server using RDP and the 192.168.1.91 IP address.

I have seen several other posts where others have had this same
problem but it was never resolved. I hope this helps.

Keywords: PPTP Incoming Connection Windows Firewall VPN server
 