PPTP Provides Secure Connectivity to Your Corporate Network

Use the internet as part of your WAN infrastructure

Creating a corporate WAN can be expensive. Small and midsized companies often can't afford the dedicated high-speed line, firewall, router, software, support, and maintenance necessary to build even a simple WAN. The current proliferation of quality Internet Service Providers (ISPs), cable modem providers, and Digital Subscriber Lines (DSLs) lets you create a corporate WAN over the Internet for a fixed monthly fee. This approach virtually eliminates the startup costs traditionally associated with building a corporate WAN. Although DSL and cable modem service providers aren't available on a national basis, large telecommunications companies are expanding these service offerings regionally, and ISPs are capitalizing on the new technology by offering support for DSL connections. Cable modem and DSL connections let you replace traditional low-speed dial-up access, multiple phone lines, and modem banks with higher-performance Virtual Private Networks (VPNs).

When you combine a permanent, reliable, high-speed Internet connection with Windows NT's Point-to-Point Tunneling Protocol (PPTP) and Remote Access Service (RAS) or Routing and Remote Access Service (RRAS), mobile users with Internet access have instant, secure connectivity to the corporate network. This approach has two benefits. First, a VPN lets mobile users avoid long-distance telephone charges (assuming they can access a local ISP). Second, the service provider is responsible for maintaining, updating, and troubleshooting your WAN's infrastructure. NT 4.0's Service Pack 4 (SP4) includes PPTP and RRAS upgrades that provide secure connections, mutual authentication, and optional packet filtering to significantly improve the performance and reliability of VPNs.

What Is PPTP?
Several companies (i.e., Ascend Communications, Microsoft, 3Com, ECI Telematics, and U.S. Robotics) developed PPTP specifically to support VPNs. PPTP is a method for sending network packets over an existing TCP/IP connection (called a tunnel). A VPN requires that the client and server each have an active Internet connection. The server typically has a permanent connection to the Internet. The client connects to the Internet via an ISP and initiates a PPTP connection to the PPTP server from a Dial-Up Networking (DUN) entry. The connection request includes access credentials (i.e., username, password, and domain) and an authentication protocol. RRAS adds the ability to provide server-to-server connections over PPTP, as well as permanent network connections.

A VPN connection exists between the server and client only after the PPTP server authenticates the client. The PPTP session acts as a tunnel through which network packets flow—client to server and vice versa. Network packets are encrypted at the source (client or server), travel inside the tunnel, and are decrypted at the destination. Because network traffic flows inside the tunnel, data is invisible to the outside world. Packet encryption inside the tunnel provides an additional level of security. After the VPN connection is established, a remote user can browse the LAN, connect to shares, and pick up and send email just as a locally connected user can. (For more information about PPTP, see "Related Articles in Windows NT Magazine.")

PPTP Improvements in SP4
The updated version of PPTP in SP4 corrects several security and performance problems. The two most important security enhancements are a new version of Microsoft Challenge Handshake Authentication Protocol (MSCHAP) and improved session encryption.

The new authentication protocol, MSCHAP 2.0, supports mutual client and server authentication. When you set up PPTP on a server with SP4, you can edit the Registry to force incoming PPTP connections to use MSCHAP 2.0 for authentication. Open the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRasManPPP Registry key. Then, edit the SecureVPN entry. Change the DWORD value to 0x00000001 to force MSCHAP 2.0 for VPN connections. The default value of 0x00000000 doesn't force secure MSCHAP 2.0. If you make the Registry edit on the PPTP server, the PPTP server refuses connections that don't request MSCHAP 2.0 authentication. If you make the Registry edit on the client, that client always uses MSCHAP 2.0 for authentication. This Registry setting affects only VPN sessions (not dial-up connections).

The new version of PPTP also provides improved encryption. The original version used the same key for the VPN session's transmit and receive paths. The new release employs seed keys and uses a different key for each path, which makes each VPN session more secure. To compromise the security of a VPN session, an intruder must decipher two unique keys—one for the transmit path and one for the receive path. The updated release also closes security holes that permitted some VPN traffic with no encryption at all.

If you haven't installed SP4 but are running Service Pack 3 (SP3), you can apply the PPTP3 hotfix to upgrade PPTP. You can download this hotfix from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/pptp3-fix. To get the full benefit of the PPTP enhancements, you must also update PPTP client platforms. For NT systems that function as PPTP clients, install SP4 or the PPTP3 hotfix. For Windows 95 clients, install the Dial-Up Networking 1.3 Performance & Security Update, which you can download from http://www.microsoft.com/windows95/downloads.

Configuring PPTP on the Server
Configuring PPTP on a server is straightforward. You need to install and configure RAS or RRAS and load PPTP. During the PPTP configuration, you must enter the number of VPNs, which is the number of concurrent PPTP connections the server will support. You can define a maximum of 256 ports per server.

After you load PPTP, RAS starts automatically as part of the configuration process, so you can define the new VPN connections, as Screen 1, page 94, shows. You configure VPNs the same way you configure dial-up lines. For each VPN port, you must select Dial out only, Receive calls only, or Dial out and Receive calls; define the protocols to accept; and define TCP/IP settings. Because the server accepts VPN connections, you typically define the VPN ports as Receive calls only. Next, select and configure the inbound protocols the client can use (i.e., NetBEUI, TCP/IP, or IPX). Finally, select Require Microsoft encrypted authentication to use MSCHAP 2.0, as Screen 2 shows, and select the check box for Require data encryption to force the client to use MSCHAP 2.0. After you complete the configuration, you need to shut down and reboot the server.

Configuring PPTP on the Client
Configuring PPTP on a client is almost as simple as configuring it on a server. The client needs Internet access to use PPTP. Thus, you need a modem and an ISP DUN entry or a permanent Internet connection. Install the latest version of PPTP client software for your platform. Then, load the PPTP protocol and define the number of VPN connections you plan to make concurrently (most clients need only one connection to a PPTP server). Finally, shut down and reboot the client.

The last step is the only part of the configuration process that isn't intuitive. As Screen 3 shows, you need to create a DUN entry that identifies the PPTP server by TCP/IP address or Domain Name System (DNS) name. You can enter the server's DNS name if you're sure your ISP will resolve it correctly. To match the PPTP server configuration, you must also enable encryption on the client side, as Screen 4 shows. Select Accept only Microsoft encrypted authentication, and select the check box for Require data encryption to ensure that the PPTP connection is encrypted in both directions. To disable the username and password prompt, select the Use current username and password check box. (This method assumes the PPTP logon credentials are the same as the ones you logged on with.)

After you complete the configuration, you are ready to test the VPN connection. Connect to the Internet, select the PPTP server DUN entry, and dial. If the configuration is correct, the connection is almost instantaneous. If you're using the DUN icon monitor, you'll see the active connection and the connection speed in the lower right corner of the screen. My PPTP client reports a connection speed of 100,000Kbps to a server connected via a DSL line. Although the tunnel is established immediately, you might not be able to browse the network until the browse list updates on the client. You can use the same technique to initiate a VPN connection from a client that has a permanent connection to the Internet.

Troubleshooting
Microsoft Support Online contains many articles to help you troubleshoot VPN connections and speed up client browsing. For a list of these articles, see the sidebar "Microsoft Articles About PPTP Installation and Troubleshooting." To find one of these articles, search Microsoft's Support Online Web site at http://support.microsoft.com/support/c.asp. These articles apply to SP4 and PPTP3 hotfix implementations and don't include problems and workarounds in earlier versions of PPTP.

If the VPN client is a member of the same domain that it dials in to and the logon credentials are correct, building the browse list might take several minutes the first time you connect (depending on the speed of the Internet and ISP connection). If the client isn't a member of the domain, the browse list isn't available. The easiest way to ensure that the client connects over the VPN is to connect it directly to the corporate network first. This method creates the domain credentials and browse list from the LAN connection and ensures that the domain is valid for the VPN connection. For information about changing client domains, see the Microsoft article "How to Log On to a Windows NT Domain Using a PPTP Connection" at http://support.microsoft.com/support/kb/articles/q176/5/75.asp.

Using multiple DUN entries to log on is cumbersome. You can reduce the double dialing to one batch file that contains two rasdial commands. The rasdial command takes four arguments, and the /domain switch is necessary for Microsoft encrypted authentication. The format of the rasdial command is

rasdial /domain:

In the following example, RMI is the DUN entry for my ISP and WinntMag is the DUN entry for the PPTP server:

rasdial RMI paula

rasdial WinntMag paula /domain:Duke

This technique is a one-step procedure for establishing a secure VPN connection. However, you need to be aware of security problems when you store passwords in text files.

To troubleshoot PPTP problems most effectively, you need to know how to configure a multihomed RAS server (you can define only one default gateway, regardless of the number of NICs) and how Windows Internet Naming Service (WINS), DNS, and Dynamic Host Configuration Protocol (DHCP) work with RAS clients. You can easily justify a VPN investment when you consider the cost savings, security, and ease of use that PPTP provides for mobile users, telecommuters, and support personnel.