
Wednesday 26 October 2016

VPN configurations for Firewall

When designing a virtual private network (VPN) remote access solution that involves network firewalls, you typically choose between the following two options for server placement. Each option has different design requirements.
  • VPN server behind a firewall. The firewall is attached to the Internet, with the VPN server between the firewall and the intranet. This is the placement used in a typical perimeter network configuration, in which one firewall is positioned between the VPN server and the intranet and another firewall is positioned between the VPN server and the Internet.

  • VPN server in front of a firewall. The VPN server is connected directly to the Internet, with the firewall between the VPN server and the intranet.

VPN server behind a firewall

In the configuration shown in the following figure, the firewall is connected to the Internet and the VPN server is an intranet resource on the perimeter network. The perimeter network is an IP network segment that typically contains resources available to Internet users, such as Web servers and FTP servers. The VPN server has an interface on both the perimeter network and on the private intranet.
In this approach, the firewall must be configured with input and output filters on its Internet and perimeter network interfaces to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the perimeter network. As an added layer of security, the VPN server should also be configured with Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), or Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) packet filters on its perimeter network interface as described in “VPN server in front of a firewall” in this topic.
Because the firewall does not have the encryption keys for each VPN connection, it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. However, this is not a security concern because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.

Packet filters for a VPN server behind a firewall

If the VPN server is behind a firewall, packet filters must be configured for both an Internet interface and a perimeter network interface. In this scenario, the firewall is connected to the Internet and the VPN server is an intranet resource that is connected to the perimeter network. The VPN server has an interface on both the perimeter network and the Internet.

VPN server in front of a firewall

With the VPN server in front of the firewall and connected to the Internet, as shown in the following figure, administrators need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server’s interface on the Internet.
For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall, which uses its filters to allow the traffic to be forwarded to intranet resources. Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specified intranet resources.
Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of intranet resources with non-VPN Internet users.

When a VPN server is in front of a firewall and connected to the Internet, inbound and outbound packet filters on the VPN server must be configured to allow only VPN traffic to and from the IP address of the VPN server’s Internet interface. Use this configuration if the VPN server is in a perimeter network, with one firewall positioned between the VPN server and the intranet and another between the VPN server and the Internet.
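As an added example (not code from the original post), the following Python models the "allow only VPN traffic to and from the VPN server's Internet interface" inbound and outbound filters described above and runs constructed sample packets through them. The VPN server address is a constructed documentation value; the port and protocol numbers are the standard ones for PPTP, SSTP and L2TP/IPsec.

```python
from dataclasses import dataclass
from typing import Optional

VPN_SERVER_IP = "203.0.113.10"  # constructed documentation address, not from the post

# Standard VPN tunnel services; port None means "match the whole IP protocol".
VPN_SERVICES = {
    ("tcp", 1723): "PPTP control channel",
    ("gre", None): "PPTP tunnel data (IP protocol 47)",
    ("udp", 500): "IKE for L2TP/IPsec",
    ("udp", 4500): "IKE and ESP with NAT traversal",
    ("esp", None): "IPsec ESP (IP protocol 50)",
    ("tcp", 443): "SSTP over HTTPS",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "gre", "esp", "icmp", ...
    dport: Optional[int] = None
    sport: Optional[int] = None


def _vpn_service(proto: str, port: Optional[int]) -> Optional[str]:
    # Exact port match first, then protocol-wide rules such as GRE and ESP.
    return VPN_SERVICES.get((proto, port)) or VPN_SERVICES.get((proto, None))


def inbound_allowed(pkt: Packet) -> bool:
    """Inbound filter: only VPN traffic addressed to the server's Internet address."""
    return pkt.dst == VPN_SERVER_IP and _vpn_service(pkt.proto, pkt.dport) is not None


def outbound_allowed(pkt: Packet) -> bool:
    """Outbound filter: only VPN replies sourced from the server's Internet address."""
    return pkt.src == VPN_SERVER_IP and _vpn_service(pkt.proto, pkt.sport) is not None


if __name__ == "__main__":
    # Constructed sample traffic arriving on the Internet interface.
    samples = [
        Packet("198.51.100.7", VPN_SERVER_IP, "tcp", dport=1723),   # PPTP: allowed
        Packet("198.51.100.7", VPN_SERVER_IP, "gre"),               # PPTP data: allowed
        Packet("198.51.100.7", VPN_SERVER_IP, "udp", dport=1701),   # bare L2TP: dropped
        Packet("198.51.100.7", "203.0.113.20", "tcp", dport=443),   # other host: dropped
    ]
    for pkt in samples:
        print("allow" if inbound_allowed(pkt) else "drop ", pkt.proto, pkt.dport, "->", pkt.dst)
```

Note that plain L2TP (UDP 1701) is dropped on purpose: with L2TP/IPsec it only ever appears inside ESP, so exposing it in cleartext would bypass the IPsec protection.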

6 comments:

  1. Hi there, just became aware of your blog through Google, and found
    that it's truly informative. I'm gonna watch out for brussels.
    I'll be grateful if you continue this in future. A lot of people will be benefited
    from your writing. Cheers!

  2. I was just browsing along and came upon your blog. Just wanted to say good blog and this article really helped me. 13377x

  3. This is my first time visit to your blog and I am very interested in the articles that you serve. Provide enough knowledge for me. Thank you for sharing useful and don't forget, keep sharing useful info: Best IPTV USA

  4. Thank you because you have been willing to share information with us. we will always appreciate all you have done here because I know you are very concerned with our. PTCL speed test

  5. I feel really happy to have seen your webpage and look forward to so many more entertaining times reading here. Thanks once more for all the details. CBD Oil
