Can you change the default VPN port on server 2003 and XP clients?

  #1  
Old 05-10-2007
Just Guessing
 
Posts: n/a
Can you change the default VPN port on server 2003 and XP clients?

I would like to be able to VPN directly to multiple servers using the same
router and network, but belonging to separate organizations. The only way I
can think of doing this is if I can use a different VPN port for each server.
Although I don't see any way to change port 1723. I don't want to upgrade
the router, either. Thanks!

  #2  
Old 05-10-2007
Steve Riley [MSFT]
 
Posts: n/a
Re: Can you change the default VPN port on server 2003 and XP clients?

There's no way to change the PPTP port.

Normally, when your computer makes a VPN connection, your computer's default
gateway is changed to the IP address of the VPN server. This is a security
feature, as it prevents your computer from being misused as a kind of router
between the remote network and the Internet.

The only way to do what you want would be to disable this functionality.
Then you could make multiple PPTP connections from your computer (PPTP is
NATable, so your router should be able to handle this just fine). However,
now your computer would be set up for "split-tunneling," which is not
recommended at all. If an attacker got control of your computer, he could
jump from the Internet to any of the networks you VPNed to.

Short answer: connect to only one VPN at a time.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


  #3  
Old 05-10-2007
Just Guessing
 
Posts: n/a
Re: Can you change the default VPN port on server 2003 and XP clie

Because the port can't be changed, this is neither here nor there - but
because each server is owned by a different organization, no one person would
establish more than one VPN connection.

You wouldn't by any chance have a recommendation on how to do this? Router,
software, or some other network wizardry?

  #4  
Old 05-10-2007
Steve Riley [MSFT]
 
Posts: n/a
Re: Can you change the default VPN port on server 2003 and XP clie

I was assuming that you were wanting to make multiple VPN connections from a
single computer.

Instead, I think you're describing a situation where multiple computers
behind your router will be making VPN connections, each computer connecting
to a different VPN server. Correct?

Is your router a NAT router? Most NAT routers can properly handle this
because they'll use different remapped source ports for the outgoing
connections. Try it. If it doesn't work, then you'll need to look at either
updating or replacing the router.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


  #5  
Old 05-10-2007
Just Guessing
 
Posts: n/a
Re: Can you change the default VPN port on server 2003 and XP clie

Each organization has its own server. Each organization has remote workers
wanting to VPN INTO their organization's server. The only issue is that all
the servers are on one network with one router. Each server represents a
different organization with different users AND A SEPARATE VPN SERVER. No
one remote user will need to VPN into more than one server.

Another way to word it: how do you connect from a remote location to a
network that contains multiple VPN servers, but only one "average" router?
How does the router distinguish between VPN server A and VPN server B?


  #6  
Old 05-10-2007
Bill Grant
 
Posts: n/a
Re: Can you change the default VPN port on server 2003 and XP clie

You would need a pool of public IP addresses (at least one public IP for
each VPN server). You would then map one public IP to the private IP address
of each VPN server on the LAN. In other words, you use one to one address
mapping rather than port mapping from one IP.

  #7  
Old 05-10-2007
Steve Riley [MSFT]
 
Posts: n/a
Re: Can you change the default VPN port on server 2003 and XP clie

Heh. Finally the architecture design is clear :)

Bill's suggestion is correct. I'd also add each public address to a DNS
server someplace, so that the client connections can use DNS names rather
than IP addresses.

So it would look like this:

vpn.org1.com -> 1.0.0.1 (public) -> NAT router -> 10.0.0.1 (private) -> VPNserver1
vpn.org2.com -> 2.0.0.2 (public) -> NAT router -> 10.0.0.2 (private) -> VPNserver2

and so on.


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
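
The following Python model is an added example, not part of any post in this thread. It contrasts port mapping from one public IP with the one-to-one address mapping described in posts #6 and #7, using the illustrative names and addresses from post #7. The function names are hypothetical, and the model assumes the standard PPTP layout: a TCP 1723 control channel plus GRE (IP protocol 47) for tunnel data.

```python
import ipaddress
from collections import defaultdict

# PPTP needs both flows delivered to the same server.
PPTP_FLOWS = [("tcp", 1723),  # control channel: the fixed port from the thread
              ("gre", None)]  # tunnel data: GRE (IP protocol 47) has no port field


def port_forward_conflicts(private_servers):
    """Port mapping from ONE public IP: the router's lookup key is (protocol, port).

    Returns every key that more than one PPTP server would have to claim.
    """
    claims = defaultdict(list)
    for server in private_servers:
        for flow in PPTP_FLOWS:
            claims[flow].append(server)
    return {flow: ips for flow, ips in claims.items() if len(ips) > 1}


def build_one_to_one(plan):
    """One-to-one mapping: the lookup key is the destination public IP.

    plan: list of (dns_name, public_ip, private_ip) tuples.
    Raises ValueError when an address is reused or is in the wrong range.
    """
    table, used_private = {}, set()
    for name, public_ip, private_ip in plan:
        pub = ipaddress.ip_address(public_ip)
        priv = ipaddress.ip_address(private_ip)
        if pub.is_private or not priv.is_private:
            raise ValueError(f"{name}: expected public -> private, got {pub} -> {priv}")
        if pub in table or priv in used_private:
            raise ValueError(f"{name}: {pub} or {priv} is already mapped")
        table[pub] = priv
        used_private.add(priv)
    return table


def deliver(table, dst_public_ip, flow):
    """Return the private server that receives an inbound flow, or None if dropped."""
    if flow not in PPTP_FLOWS:
        return None  # forward only what PPTP needs; nothing else reaches the server
    return table.get(ipaddress.ip_address(dst_public_ip))


# Names and addresses are the illustrative ones from post #7.
PLAN = [("vpn.org1.com", "1.0.0.1", "10.0.0.1"),
        ("vpn.org2.com", "2.0.0.2", "10.0.0.2")]

if __name__ == "__main__":
    print("single public IP:", port_forward_conflicts(["10.0.0.1", "10.0.0.2"]))
    table = build_one_to_one(PLAN)
    for name, public_ip, _ in PLAN:
        for flow in PPTP_FLOWS:
            print(name, flow, "->", deliver(table, public_ip, flow))
```

With a single public address both servers claim the same two lookup keys, so the router has nothing to tell them apart; keyed on the destination public address, each flow has exactly one destination.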

