RRAS: need explanation from a question for 70-291 exam MS Press bo

Discussion in 'Server Networking' started by Yann, Apr 18, 2007.

  1. Yann

    Yann Guest

    Hello,

    First of all, I apologize for posting this on this subsection of the forum, but
    when I see the idiots who are in the Learning > MCSE Exam subsection, I'm
    pretty sure that I won't get any answer from there. (Read the answers for the
    post called "Need MCSE Book" and you'll understand what I am talking about.)
    Anyway...

    Can anyone please explain to me the answer from the MSPress Book 70-291 (page
    9-84 for those of you who have this book) for the following question:

    "You have deployed a Windows Server 2003 computer running the Routing And
    Remote Access Service router to function as a simple firewall. How many
    packet filters do you need to create to support remote access to a VPN server
    through L2TP/IPSec? Assume that you want to provide the strictest security
    standards."

    Answer:

    Twelve


    Hmmmm... why 12 ?

    Thanks a lot for your answers
     
    Yann, Apr 18, 2007
    #1

  2. In
    I would assume 4, which is what I would open up, because L2TP/IPSec uses the
    following ports:

    L2TP = TCP 1701
    ESP = Protocol ID 50
    AH = Protocol ID 51
    SA = UDP 500

    If you were to allow PPTP, then you would need these ports in addition:

    GRE TCP 1723
    Protocol ID 47

    Of course we also would assume to have opened appropriate ports if there are
    services being published, such as OWA, web services, DNS services, etc

    I would like to hear the explanation for the twelve ports to see what I am
    missing.

    Ace

    Innovative IT Concepts, Inc (IITCI)
    Willow Grove, PA

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, try using OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. Anonymous access. It's free - no username or password
    required nor do you need a Newsgroup Usenet account with your ISP. It
    connects directly to the Microsoft Public Newsgroups. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject. It's easy:

    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    "Quitting smoking is easy. I've done it a thousand times." - Mark Twain

    Ace
     
    Ace Fekay [MVP], Apr 19, 2007
    #2

  3. Yann

    Guest Guest

    I think Ace is pretty much correct on the port numbers. I found the
    following reference:

    http://technet2.microsoft.com/Windo...48d3-9191-8864fd91a6fd1033.mspx?mfr=true

    input filters for PPTP
    - destination 1723
    - protocol ID 47
    - source 1723 (used only when VPN server initiates the connection)

    output filters for PPTP
    - source 1723
    - protocol ID 47
    - destination 1723 (used only when VPN server initiates the connection)

    input filters for L2TP/IPsec
    - destination 500
    - destination 1701
    - destination 4500

    output filters for L2TP/IPsec
    - source 500
    - source 1701
    - source 4500
     
    Guest, Apr 20, 2007
    #3
  4. Yann

    Guest Guest

    Guest, Apr 20, 2007
    #4
  5. Yann

    Yann Guest

    I don't like that; when I don't get the same answer from something I should
    trust...

    According to the Book, the ports and protocols required are:
    UDP ports 500 and 4500 to create and maintain the connection
    IP protocol 50 to send data.

    The way they proceed in the book is that they open only these ports and
    protocols, incoming and outgoing. So if we use the information above, we need 3
    packet filters for the incoming and 3 for the outgoing = 6 packet filters.
    If we repeat the same configuration on the VPN server, then we get 6+6=12
    packet filters, but I am not sure I understand the question this way.

    If we use this webpage
    (http://technet2.microsoft.com/windo...2ceb-4f76-a1ef-0219982eca101033.mspx?mfr=true)
    and by adding all the packet filters, we get the 12 packet filters (firewall
    in front of VPN server w/ L2TP). I will use this explanation to answer this
    question.

    Thanks a lot for your help.
    Yann
     
    Yann, Apr 24, 2007
    #5
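The counting in the post above comes out the same whichever way you slice it: the book's three items (UDP 500, UDP 4500, IP protocol 50) times two directions gives 6 filters per interface, and a firewall with two filtered interfaces (one facing the Internet, one facing the VPN server on the perimeter network) gives 12. The script below is an added example of mine, not code from the thread or the MS Press book. It models that filter set, counts it, and renders the `netsh routing ip` commands an RRAS router would take. Assumptions: the interface names `Internet` and `Perimeter` and the VPN server address `192.0.2.10` are made up; the `netsh routing ip add filter` / `set filter` keyword syntax is as I recall it from the Windows Server 2003 RRAS reference, so check `netsh routing ip add filter ?` on the box before pasting. UDP 1701 is deliberately absent from the L2TP/IPsec set because the L2TP packets cross the firewall inside ESP; the PPTP set is included to show the same structure with a different traffic list.

```python
"""Enumerate RRAS packet filters for a VPN server behind an RRAS firewall
and emit matching 'netsh routing ip' commands (Windows Server 2003 syntax).

Added example, not from the thread or the MS Press book.  Interface names,
the VPN server address, and the netsh keyword layout are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Traffic that must cross the firewall for each tunnel type, as
# (protocol, VPN-server port).  Port 0 means "any port" in the netsh
# filter syntax; the protocol is a netsh name or a numeric IP protocol ID.
# L2TP/IPsec: IKE (UDP 500), IPsec NAT-T (UDP 4500) and ESP (protocol 50).
# UDP 1701 is not listed: the L2TP traffic is carried inside ESP.
VPN_TRAFFIC = {
    "l2tp/ipsec": [("udp", 500), ("udp", 4500), ("50", 0)],
    "pptp": [("tcp", 1723), ("47", 0)],   # PPTP control channel + GRE
}


@dataclass(frozen=True)
class PacketFilter:
    interface: str   # RRAS interface the filter is attached to (assumed name)
    direction: str   # "input" or "output"
    proto: str
    port: int        # VPN server's port: dst port on input, src port on output
    vpn_server: str  # address of the VPN server (assumed sample value)

    def netsh(self) -> str:
        """Render one 'netsh routing ip add filter' command."""
        if self.direction == "input":
            addrs = (f"srcaddr=0.0.0.0 srcmask=0.0.0.0 "
                     f"dstaddr={self.vpn_server} dstmask=255.255.255.255")
            ports = f"srcport=0 dstport={self.port}"
        else:
            addrs = (f"srcaddr={self.vpn_server} srcmask=255.255.255.255 "
                     f"dstaddr=0.0.0.0 dstmask=0.0.0.0")
            ports = f"srcport={self.port} dstport=0"
        return (f'netsh routing ip add filter name="{self.interface}" '
                f"filtertype={self.direction} {addrs} proto={self.proto} {ports}")


def required_filters(tunnel: str, interfaces: List[str],
                     vpn_server: str) -> List[PacketFilter]:
    """One filter per (interface, direction, traffic item).

    The length of this list is the number the exam question asks for:
    interfaces x 2 directions x traffic items.
    """
    traffic = VPN_TRAFFIC[tunnel.lower()]
    return [PacketFilter(iface, direction, proto, port, vpn_server)
            for iface in interfaces
            for direction in ("input", "output")
            for proto, port in traffic]


def netsh_script(tunnel: str, interfaces: List[str],
                 vpn_server: str) -> List[str]:
    """Default action 'drop' on every filtered direction, then the permits.

    Without the 'set filter ... action=drop' lines the permit filters do
    nothing, because RRAS forwards everything by default.
    """
    lines = []
    for iface in interfaces:
        for direction in ("input", "output"):
            lines.append(f'netsh routing ip set filter name="{iface}" '
                         f"filtertype={direction} action=drop")
    lines += [f.netsh() for f in required_filters(tunnel, interfaces, vpn_server)]
    return lines


if __name__ == "__main__":
    firewall_ifaces = ["Internet", "Perimeter"]   # assumed interface names
    for tunnel in VPN_TRAFFIC:
        count = len(required_filters(tunnel, firewall_ifaces, "192.0.2.10"))
        print(f"{tunnel}: {count} packet filters on {len(firewall_ifaces)} interfaces")
    print("\n".join(netsh_script("l2tp/ipsec", firewall_ifaces, "192.0.2.10")))
```

Running it prints 12 for L2TP/IPsec and 8 for PPTP on the two-interface firewall; passing a single interface name gives the 6 that the post above computes for the firewall alone.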
  6. Yann

    Yann Guest

    Exactly what I was looking for. And I think that in this way I can explain
    why 12 packet filters are needed, by using the explanations for the VPN server
    behind the firewall.

    Thanks a lot.
    Yann
     
    Yann, Apr 24, 2007
    #6