Contributor
November 15, 2009
Question

PPTP and SMTP Passthru Requirements

  • 12 replies
  • 5111 views
Hi All, Just a beginner in Fortigate firewall. I need to do a port forwarding to an inside Windows server based PPTP server. So I believe all I need to do is to forward anything coming from internet side from any address destined to the WAN interface public IP port PPTP (TCP 1723) and GRE (IP Protocol 47) over to the inside private address of this server. When I look at the manuals and knowledgebase articles, this subject has been made very confusing. Why do I need to set up any user / user groups and authentication to LDAP / Radius etc? I believe that may be the case if we also need firewall to authenticate before such users are allowed to establish session to the inside PPTP server, where they are anyway authenticated via Active Directory. Further the same server also hosts emails (MS SBS). So I will do the SMTP (TCP 25) port forwarding from same Public IP of the WAN interface to this inside server. Please advise.

    12 replies

    Contributor
    November 15, 2009
    Can someone comment on this please? I need to work on firewall on Monday and was looking for confirmation that I do not need to set up any PPTP range and user group etc for the case when PPTP server is Microsoft SBS. Thanks
    Contributor
    November 16, 2009
    Having no access to firewall yet, I am just looking into the manuals / knowledgebase articles, while doing port forwarding from external interface WAN1 (public IP), to the inside Windows SBS server private address, I can select Port forwarding, TCP and specify 1723, where do I specify IP protocol 47 or GRE from WAN1 to SBS? Also I assume that there is no limitation for specifying multiple ports from WAN1 to the same inside machine (SBS in this case) as the same machine will also be used for SMTP port 25 for Email server. Thanks
    Contributor
    November 16, 2009
    Hello folks, Can someone help please? Thanks
    RichardH
    New Member
    November 18, 2009
    Create a Virtual IP and port forward 1723, then create a firewall rule wan: all -> any: virtual IP. Select PPTP service (predefined with all required protocols), ACCEPT. I don't NAT this firewall rule...
    Contributor
    November 18, 2009
    Thanks RichardH. But how do I port forward for GRE ip/47?
    jmac
    New Member
    November 18, 2009
    You don't need to select GRE. If you select PPTP as the service, the FortiGate includes TCP/1723 and GRE automatically.
    Contributor
    November 18, 2009
    Appreciate jmac. I get it now.
    Contributor
    November 18, 2009
    Finally what about users / user groups in this case? I do not think for passthru to Windows server that will do user authentication, we need this as indicated in manuals and KB.
    RichardH
    New Member
    November 18, 2009
    If you forward PPTP to the Windows server, the firewall's job is done. How your internal server is configured is out of scope for this site. Edit: You may be a bit confused with PPTP to the firewall as opposed to PPTP pass-through to an internal server. Don't mix the two, FortiOS can support a PPTP server that uses the firewall as an endpoint and requires you to create users/groups. Ignore it, you don't need it.
    RichardH
    New Member
    November 18, 2009
    For SMTP you can play with multiple protocols on the firewall rule adding the SMTP service. (For this to work, you should remove 1723 on the port forward portion of the virtual IP setup)
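The following FortiOS CLI configuration is an added example, not configuration from any of the posters; it puts together what RichardH and jmac describe above: a static (1:1) VIP without port forwarding, so that GRE (which has no ports) can reach the SBS server, and one inbound policy whose service list restricts the exposed traffic to the predefined PPTP service (TCP/1723 plus IP protocol 47) and SMTP. The interface names, the public IP 203.0.113.10 and the private address 192.168.1.10 are assumed placeholders; the CLI keyword set is the common FortiOS firewall syntax and may differ slightly between releases.

```fortios
# Added example configuration (not from the thread). Addresses and
# interface names are placeholders; adjust to your own environment.

# 1:1 VIP: no "set portforward enable", so every protocol (including GRE)
# destined for the public IP is mapped to the internal SBS host.
config firewall vip
    edit "SBS-VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
    next
end

# Inbound policy from the internet to the VIP. Because the VIP itself maps
# all protocols, the service list is what limits exposure: "PPTP" is the
# predefined service covering TCP/1723 and GRE, "SMTP" covers TCP/25.
# "set nat disable" matches RichardH's note that the rule is not source-NATed.
config firewall policy
    edit 10
        set name "Inbound-PPTP-SMTP-to-SBS"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "SBS-VIP"
        set action accept
        set schedule "always"
        set service "PPTP" "SMTP"
        set nat disable
        set logtraffic all
    next
end
```

No users, user groups or `config vpn pptp` settings are needed for this pass-through case; those belong only to the scenario RichardH separates out, where the FortiGate itself terminates the PPTP tunnel. To confirm both halves of the connection are passing, `diagnose sniffer packet any 'port 1723 or proto 47' 4` on the FortiGate shows the TCP control session and the GRE data packets arriving on wan1 and leaving toward the mapped address; if only port 1723 appears, the VIP is still in port-forward mode and GRE is being dropped.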
    Contributor
    November 18, 2009
    Hi RichardH, Of course my fundamentals are very clear and I know the difference between PPTP termination on the firewall or PPTP passthru to the internal server. And I am not asking about anything to do with configuration of internal server. If you will review any documentation from Fortinet on PPTP passthru, they always talk about creating users / user groups on the firewall even though it should be none of business of firewall, other than opening ports for PPTP and GRE. So that is the confusion. When I do Cisco firewalls, I simply have to open up PPTP and GRE thru the firewall and a static (VIP) for the inside server. I hope this time I am more clear as to my question. Thanks