Windows Server 2003 VPN Setup

August 19, 2012 at 11:58:52
Specs: Windows Server 2003
I am trying to set up a VPN on Windows Server 2003. When trying to configure Routing and Remote Access, an error message comes up that says I must disable the Windows Firewall service.

What are the implications of disabling the Windows software-based firewall? I don't understand why I must disable it to set up a VPN. My firewall has a lot of exception rules, etc., and I don't want it disabled. Plus it's hosting a small database which I don't want to potentially compromise. What are your suggestions?



#1
August 20, 2012 at 07:47:20
"What are the implications of disabling the Windows software-based firewall?"

That depends: is this server behind another firewall, or is the built-in Windows firewall the only one it's using? If it's the only one you have between your computer and the public, then the implications are pretty self-explanatory.

If however your server is behind a firewall device, then you should be safe from public intrusion.

"I don't understand why I must disable it to set up a VPN."

I don't either. But then I've never tried to set up a VPN directly to a Windows server; I prefer to use VPN endpoint devices at each end of my VPN. This allows for better security overall.

"My firewall has a lot of exception rules, etc., and I don't want it disabled."

If you have to have this firewall up and running, I think you're going to need to look at VPN endpoint devices instead of using the server itself as a VPN endpoint.

I confess I am curious why you're running a firewall on that server. Is it exposed directly to the public and not behind a firewall device?

"Plus it's hosting a small database which I don't want to potentially compromise."

I would never consider running any other services on a database server. DBs tend to require a lot of resources, and anything you put on that same server will degrade DB performance to clients.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
August 20, 2012 at 11:50:04
I never disable the Windows firewall. I leave it on and add exceptions and rules to allow things through if needed. Defense in depth is always a better solution in my opinion.

Here is a guide that may help you. Link.

I am with Curt R here about separating the VPN concentrator from your Windows server. A good, cheap, simple choice is Untangle.

Tony



#3
August 22, 2012 at 05:48:01
The reason you have to disable Windows Firewall is because RRAS provides firewall functionality itself, so it would be redundant if you had both in operation. I don't know of any production network that uses Windows Server for VPN connectivity, and if you were going to use it, then the server should do nothing else but be a VPN server. I have to agree with both of the previous responses; it would better serve you to look into another solution for a VPN. I usually recommend SonicWALL routers to my clients for this.

--
Andrew Leonard
BL Technical Services
Emergency IT Support

