Can you change the default VPN port on server 2003 and XP clients?
I would like to be able to VPN directly to multiple servers using the same
router and network, but belonging to separate organizations. The only way I
can think of doing this is if I can use a different VPN port for each server.
Although I don't see any way to change port 1723. I don't want to upgrade
the router, either. Thanks!
Re: Can you change the default VPN port on server 2003 and XP clients?
There's no way to change the PPTP port.
Normally, when your computer makes a VPN connection, your computer's default
gateway is changed to the IP address of the VPN server. This is a security
feature, as it prevents your computer from being misused as a kind of router
between the remote network and the Internet.
The only way to do what you want would be to disable this functionality.
Then you could make multiple PPTP connections from your computer (PPTP is
NATable, so your router should be able to handle this just fine). However,
now your computer would be set up for "split-tunneling," which is not
recommended at all. If an attacker got control of your computer, he could
jump from the Internet to any of the networks you VPNed to.
Short answer: connect to only one VPN at a time.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
Re: Can you change the default VPN port on server 2003 and XP clie
Because the port can't be changed, this is neither here nor there - but
because each server is owned by a different organization, no one person would
establish more than one VPN connection.
You wouldn't by any chance have a recommendation on how to do this? Router,
software, or some other network wizardry?
Re: Can you change the default VPN port on server 2003 and XP clie
I was assuming that you were wanting to make multiple VPN connections from a
single computer.
Instead, I think you're describing a situation where multiple computers
behind your router will be making VPN connections, each computer connecting
to a different VPN server. Correct?
Is your router a NAT router? Most NAT routers can properly handle this
because they'll use different remapped source ports for the outgoing
connections. Try it. If it doesn't work, then you'll need to look at either
updating or replacing the router.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
Re: Can you change the default VPN port on server 2003 and XP clie
Each organization has its own server. Each organization has remote workers
wanting to VPN INTO their organization's server. The only issue is that all
the servers are on one network with one router. Each server represents a
different organization with different users AND A SEPARATE VPN SERVER. No
one remote user will need to VPN into more than one server.
Another way to word it: how do you connect from a remote location to a
network that contains multiple VPN servers, but only one "average" router?
How does the router distinguish between VPN server A and VPN server B?
Re: Can you change the default VPN port on server 2003 and XP clie
You would need a pool of public IP addresses (at least one public IP for
each VPN server). You would then map one public IP to the private IP address
of each VPN server on the LAN. In other words, you use one-to-one address
mapping rather than port mapping from one IP.
Re: Can you change the default VPN port on server 2003 and XP clie
Heh. Finally the architecture design is clear :)
Bill's suggestion is correct. I'd also add each public address to a DNS
server someplace, so that the client connections can use DNS names rather
than IP addresses.
So it would look like this:
vpn.org1.com -> 1.0.0.1 (public) -> NAT router -> 10.0.0.1 (private) -> VPNserver1
vpn.org2.com -> 2.0.0.2 (public) -> NAT router -> 10.0.0.2 (private) -> VPNserver2
and so on.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
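
Added example (not part of the thread): a small model of the router's inbound translation table, showing why port mapping from one public IP can deliver PPTP to only one server while one-to-one mapping reaches each. PPTP uses TCP 1723 for control and GRE (IP protocol 47, which has no ports) for data; the `Rule`, `route`, `pptp_reachable` and `audit` names and the first-match router behaviour are assumptions made for illustration, and the addresses are the ones in the diagram above.

```python
from dataclasses import dataclass
from typing import Optional

PPTP_CONTROL = ("tcp", 1723)  # PPTP control channel
PPTP_DATA = ("gre", None)     # tunnel data: IP protocol 47, no port numbers

@dataclass(frozen=True)
class Rule:
    public_ip: str
    proto: str             # "tcp", "udp", "gre", or "any" for one-to-one mapping
    port: Optional[int]    # None = portless protocol or every port
    private_ip: str

def route(rules, public_ip, proto, port):
    """Private IP an inbound packet is translated to (first match wins), or None."""
    for r in rules:
        if r.public_ip != public_ip:
            continue
        if r.proto == "any" or (r.proto == proto and r.port in (None, port)):
            return r.private_ip
    return None

def pptp_reachable(rules, public_ip):
    """Server that receives BOTH PPTP flows sent to public_ip, else None."""
    ctrl = route(rules, public_ip, *PPTP_CONTROL)
    data = route(rules, public_ip, *PPTP_DATA)
    return ctrl if ctrl is not None and ctrl == data else None

def audit(rules, servers):
    """Map each VPN server to the public IPs that actually deliver PPTP to it."""
    publics = sorted({r.public_ip for r in rules})
    return {s: [p for p in publics if pptp_reachable(rules, p) == s]
            for s in servers}

SERVERS = ["10.0.0.1", "10.0.0.2"]

# Constructed rule set: both servers port-mapped from a single public IP.
# The second pair of rules can never match, so VPNserver2 is unreachable.
PORT_MAPPED = [
    Rule("1.0.0.1", "tcp", 1723, "10.0.0.1"),
    Rule("1.0.0.1", "gre", None, "10.0.0.1"),
    Rule("1.0.0.1", "tcp", 1723, "10.0.0.2"),
    Rule("1.0.0.1", "gre", None, "10.0.0.2"),
]

# Constructed rule set: one public IP per server (one-to-one mapping).
ONE_TO_ONE = [
    Rule("1.0.0.1", "any", None, "10.0.0.1"),
    Rule("2.0.0.2", "any", None, "10.0.0.2"),
]

if __name__ == "__main__":
    print("port-mapped:", audit(PORT_MAPPED, SERVERS))
    print("one-to-one: ", audit(ONE_TO_ONE, SERVERS))
```

In this model a one-to-one mapping forwards every protocol and port to the server, not just PPTP, so inbound traffic still needs filtering down to TCP 1723 and GRE at the router or on each server.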