Not applicable

Passing PPTP socket 1723

I have tried a number of times to have my FortiGate pass socket 1723 or PPTP from the internet to my Windows host. This is a task I have been able to achieve on the simplest of NAT routers, yet I have failed many times on Fortinet product. I even tried mapping GRE through as well. I can only conclude that the Windows server works, as it allows connection through every other router I have tried. I have found that PPTP on the router does not allow some aspects like login scripts to load as they should. So it is important that the server controls the VPN connection. Please provide a solution for Windows 2000 and 2003 servers running RRAS. Regards, Tom
7 REPLIES
UkWizard
New Contributor

Two ports are required for PPTP; they are: TCP/47, TCP/1723. This works fine for me when I did it on 2.5 MR9 firmware. What version are you running?
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

One correction: it is not TCP port 47, it is protocol ID 47, which is GRE. Create a custom protocol, select type IP, number 47, and then create the firewall rule.
UkWizard
New Contributor

Sorry, artiman is correct. But it worked for me anyway ... The problem with artiman's way, though, is that you have to do a static NAT for this, and not use port forwarding (as this doesn't have an IP option, only TCP/UDP). So if you have only one external IP, you are stuffed, so I did it that way and it worked okay.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

Hi, I tried artiman's method and it did not work for static NAT on FG-60 v2.50. I had to use a custom service defined as "TCP/47 => 47" before it would work. This must be a bug. Originally I tried (as would be expected) forwarding destination port 1723 and protocol 47 to the virtual IP (static NAT) using a WAN to Internal policy. When I created the custom service above and added it to the WAN to Internal policy, the VPN connection could be initiated to the Windows server behind the firewall. Makes me want to . Do others agree that this appears to be a bug? Cheers, Philip
UkWizard
New Contributor

When you say you tried protocol 47, do you mean you have a VIP set up and selected the built-in 'pptp' predefined service for the rule? The way you set it up is as I described above; I have had to do this on other firewalls as well. So I don't think it's a bug, just a quirk with PPTP and firewalls in general, as firewalls deal with TCP and UDP only.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

For what it's worth, I port forward TCP/1723 from the IP address on my external interface (in an FG800 HA cluster) to a Windows server running RRAS, and set up a firewall allow rule allowing PPTP using the predefined service on the Fortinet. I've never had a problem with this configuration. Works like a champ. But in reading this, it shouldn't, based on not forwarding GRE (just allowing it)... curious. FG800-2.50 MR9
Not applicable

UKWizard, john99, I have seen the error in my ways. As they say, RTFM, or in this case RTF Predefined Service. I did not see protocol 47 + protocol 6 port 1723 defined for the predefined PPTP service. I was attempting to forward protocol 47 using the predefined GRE service as well as the predefined PPTP service, which also includes protocol 47. I'm sure this caused no end of confusion to the innards of the firewall. BTW, it works fine now. Thanks again. Philip
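The point the thread converges on is that a PPTP session is two distinct flows: a TCP control channel to port 1723 (IP protocol 6) and GRE data (IP protocol 47), which carries no port numbers at all, so a service written as "TCP/47" never matches the GRE half. The small model below is an added example, not code from the thread or from Fortinet; the service and packet structures are assumptions that stand in for a firewall's service-matching logic.

```python
# Added example (not from the thread or Fortinet): a minimal model of how a
# firewall service definition matches packets, used to show why PPTP needs
# TCP/1723 plus IP protocol 47 (GRE), and why "TCP/47" does not cover GRE.
from dataclasses import dataclass
from typing import List, Optional

TCP, GRE = 6, 47  # IP protocol numbers


@dataclass(frozen=True)
class Service:
    name: str
    protocol: int                # IP protocol number
    dport: Optional[int] = None  # destination port; None for port-less protocols like GRE


@dataclass(frozen=True)
class Packet:
    protocol: int
    dport: Optional[int] = None  # GRE packets have no transport-layer port


def matches(svc: Service, pkt: Packet) -> bool:
    """A service matches when the protocol agrees and, if it names a port, the port agrees."""
    if svc.protocol != pkt.protocol:
        return False
    return svc.dport is None or svc.dport == pkt.dport


# Constructed traffic for one inbound PPTP session: the control connection to
# 1723, then a GRE-encapsulated PPP frame with no port.
PPTP_SESSION = [Packet(TCP, 1723), Packet(GRE)]

# The two service definitions discussed in the thread.
TCP47_POLICY = [Service("pptp-ctl", TCP, 1723), Service("tcp47", TCP, 47)]
GRE_POLICY = [Service("pptp-ctl", TCP, 1723), Service("gre", GRE)]


def unmatched(services: List[Service], packets: List[Packet]) -> List[Packet]:
    """Return the packets that no service in the policy allows."""
    return [p for p in packets if not any(matches(s, p) for s in services)]


def policy_allows_pptp(services: List[Service]) -> bool:
    return not unmatched(services, PPTP_SESSION)


if __name__ == "__main__":
    for label, svcs in (("TCP/47", TCP47_POLICY), ("IP protocol 47", GRE_POLICY)):
        print(f"{label}: dropped {unmatched(svcs, PPTP_SESSION)}")
```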