Enable PPTP Filtering Option No Longer Works

Last reviewed: November 24, 1997
Article ID: Q169890
The information in this article applies to:
  • Microsoft Windows NT Server version 4.0
  • Microsoft Routing and Remote Access Service Update for Windows NT Server 4.0

SYMPTOMS

The PPTP filtering option in the Advanced IP Addressing dialog box has no effect after Routing and Remote Access Service (RRAS) is installed.

CAUSE

The updated Routing and Remote Access Service disables the functionality of this option by design. Routing and Remote Access Service includes new, enhanced filtering capabilities. After RRAS is installed, the check box has no functionality; therefore, PPTP filters must be configured manually.

RESOLUTION

PPTP filtering consists of two filters. Both filters must be configured for input and output on the interface that is the endpoint of the PPTP connection. The four filters work together to complete a PPTP filter. The PPTP filter will not be secure unless all four filters are set correctly. If you enabled the PPTP Filtering option before you installed RRAS, those filters are migrated to the new filtering facility and these filters should already appear in the filter lists for that interface.

PPTP uses TCP port 1723 for the control channel and IP Protocol ID 47 for the data channel.

WARNING: The PPTP filters published in the Routing and Remote Access Service "Administrator's Guide" on pages 39-42 are incorrect. Please use the following, more secure, filter definitions.

To add PPTP filters:

  1. Click Start, point to Programs, point to Administrative Tools, and click Routing and RAS Admin.

  2. Double-click IP Routing and double-click Summary.

  3. Right-click the interface on which you want to enable the filter, this should be the external (Internet connected) interface, and click Configure interface.

  4. Click Input Filters in the Packet filters section of the IP Configuration dialog box.

  5. Create the Input Filters.

    a. First Input Filter: Allow packets using the GRE Protocol. This

          filter allows your router to send or receive any PPTP packets.
    

          1. Click Add in the IP Packet Filters Configuration dialog box and
    
             select Other in the Protocol drop-down list.
    
          2. Type 47 in the Protocol text field.
    
          3. Click OK.
    
       b. Second Input Filter: Allow packets coming to the PPTP Control Port.
          This filter allows your router to receive any PPTP Control messages.
    
          1. Click Add in the IP Packet Filters Configuration dialog box.
    
          2. Click Destination Network to check it.
    
          3. Type the IP address of your external adapter in the IP Address
             field and type 255.255.255.255 in the Subnet mask field.
    
          4. Select TCP in the Protocol drop-down list, type 0 (implying
             any)in the Source port field, and type 1723 in the Destination
             port field.
    
          5. Click OK.
    
          6. Click Drop all except listed below in the Filter Action section
             of the IP Packet Filters Configuration dialog box and click OK.
    
    

  6. Click Output Filters in the IP Configuration dialog box to create a set of two output filters.

    a. First Output Filter: Allow packets using the GRE Protocol. This

          filter allows your router to send or receive any PPTP packets.
    

          1. Click Add in the IP Packet Filters Configuration dialog box and
    
             select Other in the Protocol drop-down list.
    
          2. Type 47 in the Protocol text field.
    
          3. Click OK.
    
       b. Second Output Filter: Allows your router to send any PPTP Control
          messages.
    
          1. Click Add in the IP Packet Filters Configuration dialog box.
    
          2. Click Source Network to check it.
    
          3. Type the IP address of your external adapter in the IP Address
             field and type 255.255.255.255 in the Subnet mask field.
    
          4. Select TCP in the Protocol drop-down list, type 1723 in the
             Source port field, and type 0 (implying any) in the Destination
             port field.
    
          5. Click OK.
    
          6. Click Drop all except listed below in the Filter Action section
             of the IP Packet Filters Configuration dialog box.
    
    

  7. Click OK in the IP Packet Filters Configuration dialog box to return to the Routing and RAS Admin.

MORE INFORMATION

The PPTP filters can be combined with Local Host filters to allow other server-based applications such as Microsoft Proxy Server Domain Name Service (DNS) to securely co-exist with Routing and Remote Access Services. For more information, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q169548
   TITLE     : Using MS Proxy with Routing and Remote Access
Keywords          : NTRAS ntrouter NTSrv kbnetwork
Version           : 4.0
Platform          : winnt
Issue type        : kbhowto


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: November 24, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.