VPN and Remote Access Connections Fail

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Typically, you encounter this problem when you try to connect to a corporate or private network using a virtual private network (VPN) or remote access connection and you are unable to connect or you receive an error message telling you that the connection failed.

Cause

This usually occurs when you configure VPN or remote access settings and exceptions in the Windows Firewall domain profile, but Windows Firewall uses the settings and exceptions that are in the standard profile. If you have not configured VPN or remote access settings and exceptions in the standard profile, the VPN and remote access connections will fail.

This happens because Windows Firewall selects its profile without regard to VPN and remote access connections. When Windows Firewall determines which network the computer is on, it looks only at the computer's physical network connections; a VPN or remote access interface is not considered, and no check for domain membership is performed over it. For example, if your computer is attached to a public network such as the Internet and you establish a VPN or remote access connection to the private network that contains the domain controllers for the domain in which your computer account resides, Windows Firewall ignores the tunnel and concludes that the computer is still on a public network. It therefore applies the settings and exceptions of the standard profile, not the domain profile, and it continues to do so even after the tunnel is up and the domain controllers are reachable through it.

Solution

To solve this problem, configure the VPN and remote access settings and exceptions in the standard profile of the computer whose Windows Firewall is dropping the traffic. The following table lists some of the common ports that you might need to add to the standard profile's exceptions list. It is not an exhaustive list, and you should add only the exceptions your configuration actually requires: for example, if you allow only Layer Two Tunneling Protocol (L2TP), do not add an exception for Point-to-Point Tunneling Protocol (PPTP). Where possible, scope each exception to the addresses of the VPN or remote access server rather than to all addresses.

Service or protocol                                   Port
----------------------------------------------------  ------------------------------------------------
PPTP                                                  TCP 1723 (control channel). The data channel is
                                                      GRE, IP protocol 47, which is not a TCP or UDP
                                                      port. UDP 1723 is not used.
L2TP                                                  UDP 1701. L2TP/IPsec additionally needs UDP 500,
                                                      UDP 4500 (behind NAT) and ESP, IP protocol 50.
Hypertext Transfer Protocol (HTTP)                    TCP 80
HTTP over TLS/SSL (HTTPS)                             TCP 443
Simple Mail Transfer Protocol (SMTP)                  TCP 25
Dynamic Host Configuration Protocol (DHCP).           UDP 67 (server side), UDP 68 (client side)
Required if the remote access server uses an
external DHCP server.
Post Office Protocol version 3 (POP3)                 TCP 110
Domain Name System (DNS)                              UDP 53 (TCP 53 for responses larger than 512
                                                      bytes and for zone transfers)
IPsec (IKE)                                           UDP 500
IPsec with network address translation (NAT-T)        UDP 4500

Note that Windows Firewall port exceptions can only describe TCP and UDP ports. GRE (IP protocol 47, used by PPTP) and ESP (IP protocol 50, used by L2TP/IPsec) are IP protocols, not ports, and cannot be added with a port exception.
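The following script is an added example, not part of the original article, showing how to apply the fix with the built-in netsh firewall context on Windows Server 2003 SP1/SP2: first confirm which profile is in effect, then add the exceptions to the standard profile explicitly, then verify. The ports follow the table above; the VPN server address 203.0.113.10 is an assumed placeholder, and the exception names are arbitrary labels.

```batch
@echo off
rem Added example (not from the original article). Run in an elevated command
rem prompt on the computer whose Windows Firewall is dropping the VPN traffic.

rem 1. Check which profile Windows Firewall is applying right now. When no
rem    domain controller is reachable over a physical connection (for example
rem    before the VPN is up) this reports "Standard", which is why exceptions
rem    configured only in the domain profile never take effect.
netsh firewall show currentprofile

rem 2. Add the exceptions to the standard profile. profile=STANDARD is the
rem    important part: without it, netsh defaults to profile=CURRENT, so a change
rem    made while the computer is on the domain network lands in the domain
rem    profile, reproducing the exact mistake the article describes.
rem    Keep only the lines for the tunnel type you actually use.

rem PPTP control channel. The GRE data channel (IP protocol 47) is not a port
rem and cannot be expressed as a port exception.
netsh firewall add portopening protocol=TCP port=1723 name="PPTP control" mode=ENABLE scope=ALL profile=STANDARD

rem L2TP, plus the IKE and NAT-T ports that L2TP/IPsec needs. ESP (IP protocol 50)
rem is likewise not a port.
netsh firewall add portopening protocol=UDP port=1701 name="L2TP" mode=ENABLE scope=ALL profile=STANDARD
netsh firewall add portopening protocol=UDP port=500  name="IPsec IKE" mode=ENABLE scope=ALL profile=STANDARD
netsh firewall add portopening protocol=UDP port=4500 name="IPsec NAT-T" mode=ENABLE scope=ALL profile=STANDARD

rem Least-privilege variant: restrict an exception to the VPN server's address
rem instead of scope=ALL. 203.0.113.10 is an assumed placeholder; replace it
rem with your own server address.
netsh firewall add portopening protocol=UDP port=53 name="DNS over VPN" mode=ENABLE scope=CUSTOM addresses=203.0.113.10 profile=STANDARD

rem 3. Verify. "show config" lists the settings of both profiles so you can
rem    confirm the exceptions appear under the standard profile; "show state"
rem    reports the profile in use and the ports currently open.
netsh firewall show config
netsh firewall show state
```

If the connection still fails after the standard-profile exceptions are in place, run `netsh firewall show currentprofile` again while the tunnel is up: it should still report Standard, confirming that the domain profile is never consulted for this connection and that any remaining exception must also be added to the standard profile.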