IPSEC VPN clients behind Windows Server 2003 SBS with basic firewa

Discussion in 'Windows Small Business Server' started by chrishopper, Oct 24, 2008.

  1. chrishopper

    chrishopper Guest

    IPSEC VPN clients behind Windows Server 2003 SBS with basic firewall do not
    connect to external networks. Can Windows Server 2003 SBS with basic firewall
    be configured to support VPN client pass through?

    I manage a small network with Windows Server 2003 SBS running basic
    firewall. The Server 2003 SBS system has 2 NICs and is the router between the
    private LAN and Internet.

    A Windows XP Pro user on the private LAN side has occasional need to connect
    out to another network using an IPSEC VPN client. The basic firewall in
    Windows Server 2003 SBS does not appear to be VPN client friendly. The
    connections never complete.

    Before we upgraded to the Windows Server 2003 SBS system as the router, we
    had a simple Linksys BEFSR41 firewall/router that would always allow the
    outbound VPN client connection to complete. In fact the management interface
    had explicit options to turn on/off the VPN client passthru capability. Is
    there any way to make Windows Server 2003 SBS with basic firewall behave in
    the same way and pass through the VPN client connections?

    Again, to be clear we are talking about IPSEC VPN client connection pass
    through. The topology:

    Win XP Pro desktop with SafeNet IPSEC VPN client --> Windows Server 2003 SBS
    w/2 NICs and basic firewall --> public internet --> destination VPN router
    chrishopper, Oct 24, 2008
    1. Advertisements

  2. chrishopper

    Joe Guest

    IPSec encryption is based on the IP addresses of the endpoint NICs,
    which is the whole point of the exercise. Getting it to work through one
    layer of NAT is problematic, and requires close cooperation between NAT
    router and endpoint, which I'd suspect is unlikely to happen through an
    additional NAT level and firewall. IPSec is typically used between two
    public IP addresses, or private addresses on the same network, and is
    probably not the best choice from a well-protected workstation to
    somewhere across the Net.

    Maybe it's possible, but the answers I've seen here about IPSec in the
    past have not been encouraging. The SBS basic firewall is not all that
    sophisticated, and the bottom line is that if there isn't an 'IPSec
    passthrough' tick box, it probably doesn't do it. I have a feeling you
    need more functionality than just opening ports.

    Google for ipsec nat for more information than you really want, but
    possibly the information that you need. Here's the most promising
    article I found quickly, but it mentions connecting into the SBS LAN
    rather than 'out from':


    and doesn't contain any practical details. Google will show you that
    Microsoft isn't keen on NAT-T, and it's turned off by default in XP. If
    you've already been using this client, it's probably been enabled.
    Joe, Oct 24, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.