Configuring a Windows VPN and WWW/FTP server
Microsoft has made it so easy to configure a VPN between Windows servers that it has become quite popular for small to mid-sized businesses to use Windows 2000 Server to tunnel between sites across the Internet and RAS users, using Microsoft's Point to Point Tunneling Protocol (PPTP).
To make these VPNs as secure as possible, many administrators make these servers dual-homed with one Network Interface Card on the inside network, and one facing the Internet. It is customary to configure PPTP filtering on the Internet-side so that the only traffic allowed to pass through the server belongs to the encrypted PPTP tunnel. In theory, this practice prevents any users on the Internet from accessing the server and it also prevents the users from accessing the Internet from this point. (This is often used when policy dictates using a proxy server located at the other end of the tunnel for Internet access.)
The problem comes when small businesses, usually cost-conscious, want to also host a web or FTP site on this server, but don't want to expose their internal network.
One solution to this, for PPTP users, is yet another registry hack. In
you can add an entry "AllowPacketsForLocalMachine" and give it a value of 1 and type REG_DWORD. You may not have the RASPPTPF key unless
NOTE: Consult your system administrator before editing your registry. Always make sure you have a current backup of your data and registry before making changes. Manually changing your registry is generally unforgiving and rarely recommended by Microsoft and can void your support.
As you've probably gathered from the name, this entry lets your server receive and respond to traffic without allowing the potential for traffic from the Internet into the internal network directly through the VPN server.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in May 2002