Securing a RAS Proxy Server

Coax RAS, Proxy Server, and PPTP to work together

If you install Microsoft Proxy Server on a RAS server or RAS on a Proxy Server system, you might run into an interesting catch-22. The problematic situation occurs when you attempt to mix RAS, PPTP (which you use for RAS VPN connections), and Proxy Server. This month, I shed light on the challenges of this arrangement and show you how to work around them.

To set up the scenario, assume that your Proxy Server system is running in the default Microsoft-recommended configuration and is using two network adapters. In addition, assume that you include PPTP as one of your server's available RAS connections. This setup is fairly common because the Proxy Server system is usually one of the only systems (if not the only system) directly exposed to the Internet and you can leverage this connection for PPTP-based RAS connections to the Internet. Taking advantage of this connection is especially desirable if the Internet connection is fast (e.g., a T1, xDSL, or ISDN line) because this setup provides faster RAS connections to the internal network using PPTP (assuming your remote clients also have fast connections). However, when you attempt to make this setup work, you'll encounter a major problem: The RAS clients can connect to the Proxy Server system, but they can't ping or make connections to machines on the internal network.

Before you attempt to solve this problem, let's review Proxy Server's basics. Proxy Server typically uses two network adapters: one adapter that has a routable, Internet-exposed IP address and another adapter that has a private, internal LAN address (e.g., 192.168.x.x). Rather than routing traffic between the two interfaces, Proxy Server uses the Network Address Translation (NAT) standard to translate outgoing client Internet traffic to its routable IP address. In addition, Proxy Server automatically disables IP forwarding (i.e., routing) on the server that you install it on. Therein lies the rub: Your RAS clients connect to the external interface (i.e., the interface that is exposed to the Internet), and Proxy Server disables routing on the server; thus, the server doesn't forward packets between the RAS client and the internal LAN. Although RAS clients might be able to ping the RAS server's internal LAN address and establish connections to that server, they can't get much further into the network.

Why not solve this problem by simply reenabling IP routing on the server? Because doing so defeats Proxy Server's security setup and exposes the network to an undesirable level of risk.

Alternatively, you can enable PPTP filtering to discard all network traffic except PPTP packets on the external RAS interface. This solution works as long as your Internet-based users don't want to run external services such as Microsoft Internet Information Server (IIS), FTP, Outlook Web Access (OWA), and DNS. PPTP filtering causes the server to ignore all non-PPTP traffic, so external services can't receive packets from incoming clients. However, Microsoft included a new Registry entry in Windows NT 4.0 with Service Pack 2 (SP2) and later that lets you enable IP forwarding on the RAS and Proxy Server system, enable PPTP filtering to ensure security, and run services on the server's external NIC. After you enable PPTP filtering on the external (i.e., routable) interface, use regedit or regedt32 to create the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPF\Parameters\AllowPacketsForLocalMachine Registry key (type REG_DWORD) and assign it a data value of 1. After you reboot, your server will continue to filter non-PPTP traffic for the internal LAN, but the server will let Internet-accessible services on the RAS and Proxy Server system respond to Internet clients. For more information about this Registry modification, check out the Microsoft article "PPTP and Interoperability with Other Local Machine Services" (http://support. articles/q164/0/52.asp).

After you create and enable the AllowPacketsForLocalMachine Registry key, you still might be unable to route packets past the Proxy Server after you connect via PPTP. I recently discovered this undocumented bug that occurs when you list the Internet-exposed adapter second, rather than first, in the Adapters tab found in the Network applet in Control Panel. To solve this problem, remove and reorder the adapters so that the Internet-exposed adapter is first and the internal LAN-connected adapter is second.
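As an added illustration (not from the original article), the Registry step above can be captured in a .reg file and imported with regedit rather than typed by hand; the key path and value come straight from the article, while the REGEDIT4 header and the assumption that PPTP filtering is already enabled on the external adapter are mine. The adapter reordering in the Network applet still has to be done separately.

```reg
REGEDIT4

; Added example, not part of the original article: creates the
; AllowPacketsForLocalMachine value (REG_DWORD = 1) that lets services
; on the RAS/Proxy Server box answer Internet clients while PPTP
; filtering keeps discarding non-PPTP traffic destined for the LAN.
; Assumes Windows NT 4.0 SP2 or later and that PPTP filtering is
; already enabled on the external (routable) interface.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPF\Parameters]
"AllowPacketsForLocalMachine"=dword:00000001
```

Import the file with regedit and reboot as the article describes. After the reboot, verify the intended behaviour in both directions: a non-PPTP connection from an Internet host to an internal LAN address should still be dropped, while the same host should be able to reach the services (IIS, FTP, OWA, DNS) running on the server's external NIC.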
