Can you change the default VPN port on server 2003 and XP clients?

Discussion in 'Windows Networking' started by Just Guessing, Oct 4, 2007.

  1. I would like to be able to VPN directly to multiple servers using the same
    router and network, but belonging to separate organizations. The only way I
    can think of doing this is if I can use a different VPN port for each server,
    although I don't see any way to change port 1723. I don't want to upgrade
    the router, either. Thanks!
     
    Just Guessing, Oct 4, 2007
    #1

  2. There's no way to change the PPTP port.

    Normally, when your computer makes a VPN connection, your computer's default
    gateway is changed to the IP address of the VPN server. This is a security
    feature, as it prevents your computer from being misused as a kind of router
    between the remote network and the Internet.

    The only way to do what you want would be to disable this functionality.
    Then you could make multiple PPTP connections from your computer (PPTP is
    NATable, so your router should be able to handle this just fine). However,
    now your computer would be set up for "split-tunneling," which is not
    recommended at all. If an attacker got control of your computer, he could
    jump from the Internet to any of the networks you VPNed to.

    Short answer: connect to only one VPN at a time.
     
    Steve Riley [MSFT], Oct 4, 2007
    #2

  3. Because the port can't be changed, this is neither here nor there - but
    because each server is owned by a different organization, no one person would
    establish more than one VPN connection.

    You wouldn't by any chance have a recommendation on how to do this? Router,
    software, or some other network wizardry?
     
    Just Guessing, Oct 4, 2007
    #3
  4. I was assuming that you were wanting to make multiple VPN connections from a
    single computer.

    Instead, I think you're describing a situation where multiple computers
    behind your router will be making VPN connections, each computer connecting
    to a different VPN server. Correct?

    Is your router a NAT router? Most NAT routers can properly handle this
    because they'll use different remapped source ports for the outgoing
    connections. Try it. If it doesn't work, then you'll need to look at either
    updating or replacing the router.

    --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com
     
    Steve Riley [MSFT], Oct 4, 2007
    #4
  5. Each organization has its own server. Each organization has remote workers
    wanting to VPN INTO their organization's server. The only issue is that all
    the servers are on one network with one router. Each server represents a
    different organization with different users AND A SEPARATE VPN SERVER. No
    one remote user will need to VPN into more than one server.

    Another way to word it: how do you connect from a remote location to a
    network that contains multiple VPN servers, but only one "average" router?
    How does the router distinguish between VPN server A and VPN server B?
     
    Just Guessing, Oct 5, 2007
    #5
  6. You would need a pool of public IP addresses (at least one public IP for
    each VPN server). You would then map one public IP to the private IP address
    of each VPN server on the LAN. In other words, you use one-to-one address
    mapping rather than port mapping from one IP.
     
    Bill Grant, Oct 5, 2007
    #6
  7. Heh. Finally the architecture design is clear :)

    Bill's suggestion is correct. I'd also add each public address to a DNS
    server someplace, so that the client connections can use DNS names rather
    than IP addresses.

    So it would look like this:

    vpn.org1.com -> 1.0.0.1 (public) -> NAT router -> 10.0.0.1 (private) ->
    VPNserver1
    vpn.org2.com -> 2.0.0.2 (public) -> NAT router -> 10.0.0.2 (private) ->
    VPNserver2

    and so on.


    --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com
     
    Steve Riley [MSFT], Oct 5, 2007
    #7
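
The one-to-one mapping described in posts #6 and #7, written out as an added example that is not part of the original thread: a shell function that prints iptables rules for a Linux router (an assumption; the thread does not name the router). It uses the placeholder addresses from the diagram above, forwards only PPTP's TCP port 1723 and GRE (IP protocol 47), and rejects a table in which two servers share an address. The function name and the `MAPPINGS` variable are made up for this example.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for one-to-one NAT
# of several PPTP servers behind one Linux router.
# Assumption: the public addresses are already assigned to the router.

# Constructed table, one public=private pair per VPN server, taken from
# the placeholder addresses in the thread's diagram.
MAPPINGS="1.0.0.1=10.0.0.1 2.0.0.2=10.0.0.2"

# gen_pptp_nat_rules "<public=private> ..." writes the rules to stdout.
# Returns 1 without printing rules if an entry is malformed or an address
# is reused: two servers cannot share a public IP, since both would need
# TCP 1723 on it and the port cannot be changed.
gen_pptp_nat_rules() {
    seen_pub=" "
    seen_priv=" "
    # Pass 1: validate the whole table before emitting anything.
    for pair in $1; do
        case "$pair" in
            ?*=?*) ;;
            *) echo "bad entry: $pair" >&2; return 1 ;;
        esac
        pub=${pair%%=*}
        priv=${pair#*=}
        case "$seen_pub" in
            *" $pub "*) echo "public IP $pub mapped twice" >&2; return 1 ;;
        esac
        case "$seen_priv" in
            *" $priv "*) echo "private IP $priv mapped twice" >&2; return 1 ;;
        esac
        seen_pub="$seen_pub$pub "
        seen_priv="$seen_priv$priv "
    done
    # Pass 2: emit the rules for each server.
    for pair in $1; do
        pub=${pair%%=*}
        priv=${pair#*=}
        # Inbound PPTP control channel (TCP 1723) and tunnel data (GRE = 47).
        echo "iptables -t nat -A PREROUTING -d $pub -p tcp --dport 1723 -j DNAT --to-destination $priv"
        echo "iptables -t nat -A PREROUTING -d $pub -p 47 -j DNAT --to-destination $priv"
        # Connections the server itself starts leave with its own public IP.
        echo "iptables -t nat -A POSTROUTING -s $priv -j SNAT --to-source $pub"
        # Forward only PPTP to the server, not every port on the address.
        echo "iptables -A FORWARD -d $priv -p tcp --dport 1723 -j ACCEPT"
        echo "iptables -A FORWARD -d $priv -p 47 -j ACCEPT"
    done
}

gen_pptp_nat_rules "$MAPPINGS"
```

Review the printed rules before piping them to a shell on the router; they assume the FORWARD chain otherwise drops traffic by default.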