Ports affecting the VPN connectivity

If you are running a firewall in front of your RRAS server (i.e. between the internet and RRAS), then the following are the relevant ports that need to be opened on the firewall for VPN connectivity to succeed:

a) PPTP tunnel based VPN uses TCP port number 1723 and IP protocol number 47 (GRE). Please note: 47 is the IP protocol number of GRE, not a port number inside a TCP or UDP header.

b) L2TP tunnel based VPN uses IPSec: UDP port 500 (IKE) and 4500 (NAT-T), and IP protocol number 50 (ESP). Note: same comment as above; it is IP protocol 50, not a port number inside TCP or UDP.

c) SSTP tunnel based VPN uses TCP port 443 (SSL).

On the RRAS server, if you are running Windows Firewall (which is not interface specific), then the following ports need to be opened:

a) VPN tunnel ports as given above. In addition, in this scenario where the firewall is running on the RRAS server, UDP port 1701 needs to be enabled for L2TP packets.

b) If you are running the DHCPv4 relay agent on RRAS, UDP port numbers 67 and 68 need to be opened so that DHCPv4 inform packets are relayed properly.

c) If you are running the DHCPv6 relay agent on RRAS, UDP port number 547 needs to be opened so that DHCPv6 inform packets are relayed properly.

d) If you are using the RQS-based quarantine service on RRAS, the default port is 7250 (not a standard port), which needs to be opened. If the port number is changed at runtime, the service takes care of opening the appropriate port on the firewall.

e) If you are using RADIUS server based authentication, UDP port 1812 needs to be opened.
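The host-firewall case above, as an added PowerShell example (not part of the original post): it creates inbound Windows Firewall rules for the tunnel ports and the RRAS-side services, keeping GRE and ESP as IP protocol numbers rather than ports. It assumes Windows Server 2012 or later (NetSecurity cmdlets) and an elevated session; the rule group name and the RADIUS server address are placeholders.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012 or later
# (NetSecurity module) and an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$Group        = 'RRAS VPN'    # constructed group name: lets all rules be listed/removed together
$RadiusServer = '10.0.0.10'   # constructed placeholder: your RADIUS server address

function Add-RrasRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Protocol,  # TCP, UDP, or IP protocol number (47 = GRE, 50 = ESP)
        [string]$LocalPort,
        [string]$RemotePort,
        [string]$RemoteAddress = 'Any'
    )
    # Idempotent: skip if a rule with this display name already exists.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    $p = @{ DisplayName = $Name; Group = $Group; Direction = 'Inbound'; Action = 'Allow'
            Protocol = $Protocol; RemoteAddress = $RemoteAddress }
    # Port parameters only apply to TCP/UDP; the GRE and ESP rules carry none.
    if ($LocalPort)  { $p.LocalPort  = $LocalPort }
    if ($RemotePort) { $p.RemotePort = $RemotePort }
    New-NetFirewallRule @p | Out-Null
}

# Tunnel traffic from the internet. 47 and 50 are IP protocol numbers, not ports.
Add-RrasRule -Name 'RRAS PPTP control (TCP 1723)'      -Protocol TCP -LocalPort 1723
Add-RrasRule -Name 'RRAS PPTP data (GRE, IP proto 47)' -Protocol 47
Add-RrasRule -Name 'RRAS L2TP IKE (UDP 500)'           -Protocol UDP -LocalPort 500
Add-RrasRule -Name 'RRAS L2TP NAT-T (UDP 4500)'        -Protocol UDP -LocalPort 4500
Add-RrasRule -Name 'RRAS L2TP ESP (IP proto 50)'       -Protocol 50
Add-RrasRule -Name 'RRAS L2TP (UDP 1701)'              -Protocol UDP -LocalPort 1701  # host-firewall case
Add-RrasRule -Name 'RRAS SSTP (TCP 443)'               -Protocol TCP -LocalPort 443

# Intranet-side services. RRAS is the RADIUS client, so replies arrive from the
# server's port 1812; scope that rule to the RADIUS server instead of 'Any'.
Add-RrasRule -Name 'RRAS RADIUS (UDP 1812)' -Protocol UDP -RemotePort 1812 -RemoteAddress $RadiusServer
# DHCP relay must also accept inform packets from VPN clients, so it stays unscoped.
Add-RrasRule -Name 'RRAS DHCPv4 relay (UDP 67-68)' -Protocol UDP -LocalPort '67-68'
Add-RrasRule -Name 'RRAS DHCPv6 relay (UDP 547)'   -Protocol UDP -LocalPort 547

# Review what is now open: one line per rule with its protocol and port filter.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    '{0,-40} {1,-4} local={2} remote={3}' -f $_.DisplayName, $pf.Protocol, $pf.LocalPort, $pf.RemotePort
}
```

Remove the whole set later with `Get-NetFirewallRule -Group $Group | Remove-NetFirewallRule`; the RQS rule is omitted because the text states the service opens its own port.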

On the RRAS server, if you are running RRAS static inbound/outbound filters (which are interface specific), then the following ports need to be opened:

a) VPN tunnel ports as given above, on the internet facing interface in both inbound and outbound directions. In addition, in this scenario where static filters are running on the RRAS server, UDP port 1701 needs to be enabled for L2TP packets on the RRAS internet facing interface in both inbound and outbound directions.

b) If you are running the DHCPv4 relay agent on RRAS, UDP port numbers 67 and 68 need to be opened on the RRAS internal interface and on the LAN interface (towards the DHCPv4 server) in both inbound and outbound directions, so that DHCPv4 inform packets are relayed properly.

c) If you are running the DHCPv6 relay agent on RRAS, UDP port number 547 needs to be opened on the RRAS internal interface and on the LAN interface (towards the DHCPv6 server) in both inbound and outbound directions, so that DHCPv6 inform packets are relayed properly.

d) If you are using the RQS-based quarantine service on RRAS, the default port is 7250 (not a standard port), which needs to be opened on the RRAS internal interface in the inbound direction. If the port number is changed at runtime, the service takes care of opening the appropriate port on the firewall.

e) If you are using RADIUS server based authentication, UDP port 1812 needs to be opened on the LAN interface (towards the RADIUS server) in both inbound and outbound directions.

f) If you are running IPv6 on top of the VPN tunnel, you need to enable ICMPv6 (i.e. IPv6 next header type 58) on the RRAS internal interface and the LAN interface in both inbound and outbound directions to ensure ICMPv6 packets are relayed correctly. ICMPv6 is required for neighbor discovery.

Note: To enable inbound/outbound ports on the RRAS internal interface, you need to change the filter settings inside the remote access policies (and not in the RRAS MMC snap-in).

Note: From a security perspective, you should allow only specific packets (i.e. deny the rest) coming in from the internet interface, that is, allow only tunnel packets. On the RRAS internal interface, you can enable everything (i.e. all packets from/to the remote access clients over the VPN tunnel) or you can restrict traffic (for example based upon client health state or user-id). This can be done by changing the filter settings inside the remote access policy. On the LAN adapter (towards the intranet), assuming a two-NIC scenario, you can allow all traffic or again be restrictive based upon your deployment needs.


Mahesh Narayanan
Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]