PPTP architectures implementations (comments/suggestions invited)

Sandy Green sand232 at YAHOO.COM
Thu Mar 30 16:35:02 EST 2000


I do know of a similar post in this list, so I hope it is not repetitive. However, please do send me your opinions and comments etc. on the various architectures that one can have with a PPTP server in a network.


Architecture of PPTP and firewall.


The first is by placing the PPTP server in the dmz.

INTERNAL-----FIREWALL-----dial-in-client
LAN             |
                |
             PPTP server

Rules in the firewall would be: allow dial-in clients through the firewall to the PPTP server; allow the traffic for the range of IP addresses between the PPTP server and the internal LAN (the range of IP addresses being the ones that are allotted by the PPTP server to the clients; actually, in practice it would be hard to make such a rule via a firewall...).




The second is having a PPTP server behind a firewall and hiding its IP address via NAT.

INTERNAL -----PPTP-----FIREWALL------dial-in-client
LAN           server

Here the routing would be easy to implement, as the PPTP server is physically in the same LAN as the internal LAN. Hence the routing between the dial-in client and the internal LAN would not be ok (I mean for the tunnelled IPs), as the tunnel ends at the PPTP server and the inside (tunnelled) IPs, which are bared when the tunnel ends, find themselves in the same subnet; hence no routing issues.

However, when the PPTP server is in the DMZ, it is no more physically on the same LAN as the internal LAN. How do we route the tunnelled IPs through the firewall, especially when the tunnel ends at the PPTP server?

I am sure many of you would have implemented this way. Please do send me your opinions and suggestions etc., especially in the light of the fact that Check Point FireWall-1 does not support static NAT for PPTP, which basically means that one cannot hide the PPTP server behind the firewall.

Any other architecture, please do let me know. Also, what about the reports and logging for the two architectures?

Thanks all.




Your comments, please email me.
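As an added example (not part of the original post, and not anyone's production ruleset), here is a small Python model of the first layout, the PPTP server in the DMZ. It turns the two rules the post sketches into an explicit first-match policy, runs constructed sample packets through it, and answers the routing question by giving the internal side a route for the dial-in client pool whose next hop is the PPTP server. All addresses, the pool range and the interface names are assumptions chosen for the illustration.

```python
"""Policy model for the 'PPTP server in the DMZ' layout.

Added example, not code from the original post.  Every address, the client
pool, and the interface names (outside / dmz / inside) are constructed.
Only the first packet of each flow is modelled; replies are assumed to be
admitted by the firewall's connection tracking.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

TCP, GRE = 6, 47          # IP protocol numbers: PPTP control is TCP/1723, data is GRE
PPTP_PORT = 1723

# Constructed addressing (assumption, not from the post).
INTERNAL_LAN = ip_network("10.1.0.0/16")
DMZ_NET      = ip_network("192.0.2.0/24")
PPTP_SERVER  = ip_network("192.0.2.10/32")    # the server's DMZ address
CLIENT_POOL  = ip_network("10.200.0.0/24")    # addresses the server hands to dial-in clients
ANY          = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str                    # firewall interface the packet arrives on
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # only meaningful for TCP/UDP; GRE has no ports


@dataclass(frozen=True)
class Rule:
    action: str
    iface: Optional[str]          # None = any interface
    proto: Optional[int]          # None = any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    why: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


# The post's two rules made explicit, plus a default deny.  Binding the
# client-pool rule to the DMZ interface is the check the post's wording leaves
# out: without it an outside host could forge a pool source address and reach
# the internal LAN.  The server's own DMZ address is deliberately NOT trusted;
# only decapsulated traffic carrying a pool address may cross.
DMZ_POLICY: List[Rule] = [
    Rule("allow", "outside", TCP, ANY, PPTP_SERVER, PPTP_PORT, "PPTP control channel"),
    Rule("allow", "outside", GRE, ANY, PPTP_SERVER, None, "PPTP tunnel data (GRE)"),
    Rule("allow", "dmz", None, CLIENT_POOL, INTERNAL_LAN, None, "decapsulated dial-in traffic"),
    Rule("allow", "inside", None, INTERNAL_LAN, CLIENT_POOL, None, "LAN-initiated traffic to dial-in clients"),
    Rule("deny", None, None, ANY, ANY, None, "default deny"),
]


def evaluate(policy: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation; returns (action, reason)."""
    for r in policy:
        if r.matches(p):
            return r.action, r.why
    return "deny", "no rule matched"   # unreachable while the default-deny rule is present


# Routing side of the post's question: because the tunnel terminates on the
# PPTP server, the internal hosts' gateway needs a route for the client pool
# whose next hop is the server's DMZ address.  gw None = directly connected.
ROUTES: List[Tuple[IPv4Network, Optional[str]]] = [
    (CLIENT_POOL, "192.0.2.10"),
    (INTERNAL_LAN, None),
    (DMZ_NET, None),
]


def next_hop(dst: str) -> str:
    """Longest-prefix match over ROUTES: a gateway, 'direct', or 'default'."""
    best = None
    for net, gw in ROUTES:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return "default"
    return best[1] or "direct"


# Constructed sample traffic; 198.51.100.7 stands in for a dial-in client on the Internet.
SAMPLE: List[Packet] = [
    Packet("outside", TCP, "198.51.100.7", "192.0.2.10", 1723),   # control channel
    Packet("outside", GRE, "198.51.100.7", "192.0.2.10"),         # tunnel data
    Packet("outside", TCP, "198.51.100.7", "192.0.2.10", 445),    # anything else on the server
    Packet("outside", TCP, "198.51.100.7", "10.1.0.5", 445),      # straight at the LAN
    Packet("dmz", TCP, "10.200.0.5", "10.1.0.5", 445),            # decapsulated client traffic
    Packet("dmz", TCP, "192.0.2.10", "10.1.0.5", 445),            # the server itself
    Packet("outside", TCP, "10.200.0.5", "10.1.0.5", 445),        # spoofed pool source
    Packet("inside", TCP, "10.1.0.5", "10.200.0.5", 3389),        # LAN host to a client
]


def audit(policy: List[Rule], packets: List[Packet]) -> List[str]:
    """Action decided for each packet, in order."""
    return [evaluate(policy, p)[0] for p in packets]


if __name__ == "__main__":
    for p, action in zip(SAMPLE, audit(DMZ_POLICY, SAMPLE)):
        print(f"{action:5} {p.iface:7} proto={p.proto:2} {p.src} -> {p.dst}:{p.dport}")
    for dst in ("10.200.0.5", "10.1.0.5", "198.51.100.7"):
        print(f"route to {dst}: {next_hop(dst)}")
```

The model also makes the NAT point concrete: GRE carries no port numbers, so a hide (many-to-one) NAT has nothing to multiplex on and the second layout needs either a static one-to-one mapping or a firewall with a PPTP-aware NAT helper, which is why the Check Point limitation the post mentions matters.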
