
RRAS: need explanation from a question for 70-291 exam MS Press bo

 
 
Yann
Guest
Posts: n/a

 
      04-18-2007, 10:28 PM
Hello,

First of all, I apologize for posting this in this subsection of the forum, but
when I see the idiots who are in the Learning > MCSE Exam subsection, I'm
pretty sure that I won't get any answer from there. (read the answers for the
post called "Need MCSE Book" and you'll understand what I am talking about).
Anyway...

Can anyone please explain to me the answer from the MSPress Book 70-291 (page
9-84 for those of you who have this book) for the following question:

"You have deployed a Windows Server 2003 computer running the Routing And
Remote Access Service router to function as a simple firewall. How many
packet filters do you need to create to support remote access to a VPN server
through L2TP/IPSec? Assume that you want to provide the strictest security
standards."

Answer:

Twelve


Hmmmm... why 12 ?

Thanks a lot for your answers


 
 
 
 
 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      04-19-2007, 04:10 AM
In news:71B49853-94E3-41A7-A429-(E-Mail Removed),
Yann <(E-Mail Removed)> typed:
> Hello,
>
> First of all, I apologize to post this on this subsection of the
> forum but when I see the idiots who are in the Learning > MCSE Exam
> subsection, I'm pretty sure that I won't get any answer from there.
> (read the answers for the post called "Need MCSE Book" and you'll
> understand what I am talking about). Anyway...
>
> Can anyone please explain me the answer from the MSPress Book 70-291
> (page 9-84 for those of you who have this book) for the following
> question:
>
> "You have deployed a Windows Server 2003 computer running the Routing
> And Remote Access Service router to function as a simple firewall.
> How many packet filters do you need to create to support remote
> access to a VPN server through L2TP/IPSec? Assume that you want to
> provide the strictest security standards."
>
> Answer:
>
> Twelve
>
>
> Hmmmm... why 12 ?
>
> Thanks a lot for your answers


I would assume 4, which is what I would open up, because L2TP/IPSec uses the
following ports:

L2TP = TCP 1701
ESP = Protocol ID 50
AH = Protocol ID 51
SA = UDP 500

If you were to allow PPTP, then you would need these ports in addition:

GRE TCP 1723
Protocol ID 47

Of course we also would assume to have opened appropriate ports if there are
services being published, such as OWA, web services, DNS services, etc

I would like to hear the explanation for the twelve ports to see what I am
missing.

Ace

Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain


 
 
Guest
Posts: n/a

 
      04-20-2007, 04:27 AM
I think Ace is pretty much correct on the port numbers. I found the
following reference:

http://technet2.microsoft.com/Window...?mfr=true

input filters for PPTP
- destination 1723
- protocol ID 47
- source 1723 (used only when VPN server initiates the connection)

output filters for PPTP
- source 1723
- protocol ID 47
- destination 1723 (used only when VPN server initiates the connection)

input filters for L2TP/IPsec
- destination 500
- destination 1701
- destination 4500

output filters for L2TP/IPsec
- source 500
- source 1701
- source 4500

 
 
Guest
Posts: n/a

 
      04-20-2007, 04:32 AM
Sorry, I'm not sure why all the breaks are getting removed in my message,
and I appear to have the wrong link.

Try this:
http://technet2.microsoft.com/Window...eca101033.mspx




 
 
Yann
Guest
Posts: n/a

 
      04-24-2007, 05:04 PM
I don't like that; when I don't have the same answer from something I should
trust...

According to the Book, the ports and protocols required are:
UDP ports 500 and 4500 to create and maintain the connection
IP protocol 50 to send data.

The way they proceed in the book is that they open only the ports and protocols
incoming and outgoing. So if we use the information above, we need 3 packet
filters for the incoming and 3 for the outgoing = 6 packet filters.
If we repeat the same configuration on the VPN server, then we get 6+6=12
packet filters, but I am not sure I understand the question this way.

If we use this webpage
(http://technet2.microsoft.com/window....mspx?mfr=true)
and by adding all the packet filters, we get the 12 packet filters (firewall
in front of VPN server w/ L2TP). I will use this explanation to answer this
question.

Thanks a lot for your help.
Yann
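
The count worked out in the post above, as an added example that is not from the book or from any poster in this thread: a Python model that assumes a firewall with two interfaces (named "internet" and "perimeter" here), each carrying three input and three output filters for UDP 500, UDP 4500 and IP protocol 50, with everything else dropped. The address 192.0.2.10, the interface names and the sample packets are constructed for illustration.

```python
from itertools import product

VPN_SERVER = "192.0.2.10"                 # constructed address (TEST-NET-1)
# Traffic named in the post: (protocol, port); port None means a raw IP protocol.
SERVICES = [("udp", 500), ("udp", 4500), (50, None)]
INTERFACES = ["internet", "perimeter"]    # assumption: two-interface firewall
DIRECTIONS = ["input", "output"]

def build_filters(server=VPN_SERVER):
    """One filter per interface, direction and service: 2 x 2 x 3 = 12."""
    filters = []
    for iface, direction, (proto, port) in product(INTERFACES, DIRECTIONS, SERVICES):
        # Packets head toward the server when they enter on the Internet side
        # or leave on the perimeter side; otherwise they come from the server.
        to_server = (iface, direction) in {("internet", "input"),
                                           ("perimeter", "output")}
        filters.append({
            "iface": iface, "direction": direction, "proto": proto,
            "dst": server if to_server else None,       # None = any value
            "src": None if to_server else server,
            "dst_port": port if to_server else None,
            "src_port": None if to_server else port,
        })
    return filters

def permitted(filters, pkt):
    """Default drop: forward only if one filter matches every field it sets."""
    return any(all(f[k] is None or f[k] == pkt.get(k) for k in f)
               for f in filters)

CLIENT = "198.51.100.7"                   # constructed remote client address
# Constructed sample packets as seen on the Internet-facing interface.
IKE_IN = {"iface": "internet", "direction": "input", "proto": "udp",
          "src": CLIENT, "dst": VPN_SERVER, "src_port": 500, "dst_port": 500}
ESP_OUT = {"iface": "internet", "direction": "output", "proto": 50,
           "src": VPN_SERVER, "dst": CLIENT}
# L2TP outside of ESP: no filter exists for UDP 1701, so it is dropped.
L2TP_CLEAR = {"iface": "internet", "direction": "input", "proto": "udp",
              "src": CLIENT, "dst": VPN_SERVER, "src_port": 1701, "dst_port": 1701}
# IKE aimed at a host other than the VPN server is dropped as well.
IKE_OTHER = dict(IKE_IN, dst="192.0.2.99")

if __name__ == "__main__":
    rules = build_filters()
    print(len(rules), "filters")
    for name, pkt in [("IKE in", IKE_IN), ("ESP out", ESP_OUT),
                      ("clear L2TP in", L2TP_CLEAR), ("IKE to other host", IKE_OTHER)]:
        print(f"{name:18} ->", "forward" if permitted(rules, pkt) else "drop")
```
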


 
 
Yann
Guest
Posts: n/a

 
      04-24-2007, 05:12 PM
Exactly what I was looking for. And I think that I can in this way explain
why 12 packet filters are needed, by using the VPN server behind the firewall
explanations.

Thanks a lot.
Yann

"." wrote:

> Sorry, I'm not sure why all the breaks are getting removed in my message,
> and I appear to have the wrong link.
>
> Try this:
> http://technet2.microsoft.com/Window...eca101033.mspx

 