You need to do the following:
1. Create a custom remote access policy that is specific for PPTP
connections (on the Policy Conditions page of the wizard, specify that the
Tunnel-Type condition must be equal to the Point-to-Point Tunneling
Protocol) that contains remote access packet filters that only allow inbound
traffic to the internal IP address of the RRAS/IAS/CA computer (Profile
page, Edit Profile, IP tab, click Input Filters).
2. Create a custom remote access policy that is specific for L2TP/IPSec
connections (on the Policy Conditions page of the wizard, specify that the
Tunnel-Type condition must be equal to the Layer Two Tunneling Protocol).
PPTP connections will only have access to the RRAS/IAS/CA computer.
L2TP/IPSec connections will have access to the entire network.
"Philip Meyer" <(E-Mail Removed)> wrote in message
news:0a6c01c3cee9$57b509d0$(E-Mail Removed)...
> I have set up the Routing and Remote Access for VPN
> connections. I am able to connect via PPTP and L2tp
> w/ipsec. What I want to do is have remote clients connect
> to the VPN server with a PPTP connection in order to
> obtain the certificates from the Certificate Authority via
> the IIS to establish a L2tp connection. I have Routing and
> Remote Access, IIS, and the Certificate Authority all
> running on a member server running windows 2003 standard
> server. I will be putting this box in my DMZ behind a
> firewall. Once the client has obtained the certificates to
> establish a L2tp connection, I want them to be able to
> access the LAN. But I do not want them to be able to
> access the LAN with only a PPTP connection. The PPTP
> connection is only for them to access the VPN server and
> get the certificates. I have set up PPTP inbound and
> outbound filters on the RRAS in IPRouting\General for the
> LAN nic on the VPN Server, but this does not seem to
> prevent the pass thru of PPTP traffic. When I enable a
> Remote Access Policy, it seems to affect both PPTP and
> L2tp traffic. Is it possible to have a client connect with
> a PPTP connection to get the L2tp certificates without
> giving them LAN access? If so, how do I configure the
> server to do that?