Watch Your RAS
Here are the answers to your questions about RAS and some tips about new features such as PPTP and Multilink RAS.
July 31, 1997
Fine-tuning RAS's new features
My January article, "What's New in Windows NT 4.0 RAS?" generated a lot of great feedback and numerous interesting questions and problems. Many organizations use Windows NT's Remote Access Service (RAS) as the foundation for remote access and WAN connectivity solutions. Several new features in NT 4.0 RAS, such as Point-to-Point Tunneling Protocol (PPTP) and Multilink RAS, turn what was once a simple remote access component into a complex, high-powered networking solution. These new features also increase the number of problems for users implementing RAS. This article answers questions and introduces a few new RAS-related tips and tricks. To start this discussion of RAS, I'll answer a few questions from readers.
The Case of the Missing Subnet Mask
When I dial in to my Windows NT RAS server and obtain an IP address, running IPCONFIG to display IP address information shows the wrong subnet mask for the RAS adapter. This problem happens from both NT and Windows 95 clients. Why does this occur, and how can I force RAS to recognize the correct subnet mask?
I've wondered the same thing about RAS since I started using it. We use subnetting and variable-length subnet masks (e.g., 255.255.255.192) in my organization, and RAS has never correctly displayed the network's subnet mask.
Instead, RAS displays the default subnet mask for the IP address. This default mask is based on the first octet of the IP address (e.g., the 192 in the address 192.x.x.x), which determines the IP network class in use. Table 1 shows how these values are derived.
If you've noticed this behavior in RAS clients, you've probably also noticed that RAS works fine anyway. RAS uses the default subnet mask because subnet masks aren't part of Point-to-Point Protocol (PPP, the industry-standard framing method RAS uses): PPP's IP Control Protocol negotiates the client's address but carries no mask, so the system never passes one over the connection. On a point-to-point link the mask doesn't matter anyway, because every packet not addressed to the client itself has exactly one place to go, the peer at the other end of the link. You can stop worrying that your RAS clients are getting the wrong subnet mask: this behavior is normal for RAS.
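The classful derivation behind Table 1, as an added example (not code from the original article): the first function reproduces the mask a RAS client falls back to from the high-order bits of the first octet, and the second compares it with the mask the LAN really uses so you can see how far apart the two views are. The addresses and prefix lengths in the test are constructed for illustration.

```python
import ipaddress


def classful_default_mask(address: str) -> str:
    """Return the classful default mask derived from the address's first octet.

    This is what a RAS client shows for its dial-up adapter: IPCP delivers an
    address but no mask, so the stack falls back to the pre-CIDR class rules
    encoded in the high-order bits of the first octet.
    """
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet >> 7 == 0b0:      # 0xxxxxxx  -> class A (1-126)
        return "255.0.0.0"
    if first_octet >> 6 == 0b10:     # 10xxxxxx  -> class B (128-191)
        return "255.255.0.0"
    if first_octet >> 5 == 0b110:    # 110xxxxx  -> class C (192-223)
        return "255.255.255.0"
    raise ValueError(f"{address}: class D/E address, no unicast default mask")


def mask_report(address: str, real_prefix: int) -> dict:
    """Compare the mask the RAS client displays with the LAN's real VLSM mask.

    real_prefix is the prefix length the subnet actually uses (26 for
    255.255.255.192). The report also counts how many addresses the classful
    view wrongly treats as being on the client's own subnet.
    """
    shown = ipaddress.IPv4Network(
        f"{address}/{classful_default_mask(address)}", strict=False)
    actual = ipaddress.IPv4Network(f"{address}/{real_prefix}", strict=False)
    return {
        "shown_mask": str(shown.netmask),
        "actual_mask": str(actual.netmask),
        "matches": shown.prefixlen == actual.prefixlen,
        # On a PPP link this number is academic: every non-local packet goes
        # to the single peer regardless of what the mask says.
        "extra_addresses_assumed_onlink": shown.num_addresses - actual.num_addresses,
    }
```

Run `mask_report("192.168.1.77", 26)` and you get the article's situation: IPCONFIG shows 255.255.255.0 while the LAN is really 255.255.255.192, and the connection works regardless.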
Pump Up the Volume
One thing annoys me about using Windows NT 4.0's Dial-Up Networking (DUN): I like to hear the dialing tones and modem negotiation noises during a RAS connection (the noise reassures me that something is happening). But something turns off my modem's speaker as soon as I hear the dial tone (i.e., before the modem dials the phone number). Adding the string L3 in the Extra Settings field in the Advanced Connection Settings dialog box in the Control Panel Modems applet didn't make a difference. How can I make my modem speaker stay on during dialing and negotiation?
I have experienced this problem when manually adjusting the modem initialization string in RAS/DUN under NT 4.0. Using the slide-tab speaker volume adjustment in the Control Panel Modems applet is a hit-or-miss proposition. If this adjustment doesn't work, try placing the string M1L3 in the Extra Settings field in the Advanced Connection Settings dialog box. (To reach this dialog box from the Modems applet, click Properties, select the Connection tab, and click Advanced.)
If neither method works, and you're using Unimodem drivers and not the old MODEM.INF file entries, try editing the Registry section for your modem's Unimodem driver. To locate this entry, open one of the NT Registry editors (REGEDIT.EXE or REGEDT32.EXE) and open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class key. Under this key, you'll find many bizarre-looking codes (device class GUIDs, e.g., {4D36E351...}), one of which represents the modem class. The specific subkey you're looking for is {4D36E96D-E325-11CE-BFC1-08002BE10318}.
After opening this key, you'll see a subkey beginning with "0000" for each installed modem. Inside this key, you'll find various modem-related sections, including one called Init.
Init has values that are the initialization strings NT uses with your modem. You can add the M1L3 statement here or in one of the other subkeys of this tree.
The M and L commands control the modem speaker mode and volume, respectively. Table 2 lists the possible values and definitions. (I chose M1L3 to keep the speaker on at maximum volume until the modem connects; this setting is sometimes necessary to hear a modem with a quiet speaker.)
RAS Auto Redialing
I want to configure DUN as a service so that when the server boots, it automatically dials the Internet and makes a connection, without requiring that anyone log in. I had our Windows NT 3.51 server doing this task with the command-line utility RASDIAL. When installed as a service, RASDIAL required no intervention to get the network going. Does NT 4.0 have a feature for this procedure? I don't think the RASDIAL utility works as a service in NT 4.0.
Unfortunately, you cannot run this feature with only NT 4.0 RAS. RASDIAL works fine with NT 3.51 in this capacity (with Service Pack 3 installed), but doesn't work if you try to run it under NT 4.0 as a service. However, you can easily restore the functionality of RASDIAL under NT 4.0 with the following workaround.
1. Use the AutoLogon utility in the NT resource kit to configure NT to automatically log you on during reboot.
2. Create a shortcut in your Startup group that runs RASDIAL for your phonebook entry. Be sure that you've configured RAS to automatically redial in the event of link failure. You can also use ReDial, a utility available from Somarsoft. With ReDial, follow the same steps as above, but substitute the following for step 2: Create a shortcut in your Startup group that runs the command redial /run.
This workaround gives you the functionality you had under NT 3.51. To increase the security of this configuration, set a password-protected screen saver with a short timeout value (e.g., 1 minute). This setup will discourage people from walking up to this machine, which will always be logged on and probably unattended. However, both of these methods present a potential hole in your system security: the AutoLogon utility stores the account's password in the Registry, where anyone who can read the Winlogon key can recover it, and the console session is permanently logged on. Take this caveat into consideration when you evaluate these procedures for auto-redialing. Make sure that the logon account you're using (either by the AutoLogon utility or the RASDIAL utility) has only the minimum privileges necessary to enable the functionality you need, and never use an administrative account for it.
Keeping RAS Lean and Mean
I am trying to connect to a RAS server running NT 4.0 Workstation; NetBEUI, IPX, and TCP/IP are loaded on the server. My RAS client computer runs NT 4.0 Workstation. I've specified all three protocols in the client DUN setup. I can connect using NetBEUI and IPX but get the following error when I try to use TCP/IP: "Error 733: PPP control protocol for the network protocol is not available on the server" (i.e., the server supports PPP but does not support the client network protocol). Do you know what's wrong? Doesn't PPP load automatically on the RAS server if you specify TCP/IP on that end?
This question raises several issues. First, determine whether you need to run all three protocols via RAS. The overhead of negotiating and carrying three protocols simultaneously slows your RAS connection, so run all three only if your LAN absolutely requires it.
Second, the TCP/IP error isn't a problem with PPP framing itself. PPP negotiates each network protocol separately, through that protocol's own network control protocol (IPCP for TCP/IP), and error 733 means the server declined to negotiate IPCP. That happens either because you don't have TCP/IP installed on the RAS server or because it's installed but RAS isn't configured to assign TCP/IP to clients dialing in. Double-check your RAS configuration on the server, and be sure to correctly configure the IP address range you assign to RAS clients (i.e., a range that is part of your IP subnet and doesn't conflict with other IP addresses in use). To simplify the IP assignment, use an NT server running Dynamic Host Configuration Protocol (DHCP) to assign the RAS clients' addresses (the RAS server configuration dialog box has a checkbox for this step). This approach will minimize your IP configuration hassles.
Finally, regarding your PPP question: all your protocols, including NetBEUI and IPX, run over PPP, because RAS uses PPP as a frame type much as Ethernet connections use 802.2, 802.3, and other framing protocols. Only the protocols that your RAS server and client mutually agree on during negotiation are transported over the PPP RAS link; the rest are rejected individually, which is exactly what you saw with TCP/IP.
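The negotiation described above, as an added example that is not part of the original article: a simplified model of PPP's network-protocol phase in which the client asks for each protocol its DUN entry enables and the server acks the ones it has for dial-in clients and, as RFC 1661 specifies for an unsupported protocol, answers the others with an LCP Protocol-Reject. The protocol numbers are the real IPCP, IPXCP and NBFCP values; the way the reject is mapped to error 733 is this example's assumption about how a client would report it, not a description of NT's RAS engine.

```python
from dataclasses import dataclass

# PPP protocol-field values for the three network control protocols RAS can use
# (RFC 1332 IPCP, RFC 1552 IPXCP, RFC 2097 NBFCP).
IPCP, IPXCP, NBFCP = 0x8021, 0x802B, 0x803F
NCP_NAMES = {IPCP: "TCP/IP (IPCP)", IPXCP: "IPX (IPXCP)", NBFCP: "NetBEUI (NBFCP)"}
ERROR_733 = ("Error 733: PPP control protocol for the network protocol "
             "is not available on the server.")


@dataclass
class RasServer:
    """A dial-in server with a set of NCPs enabled for RAS clients (assumed config)."""
    enabled_ncps: frozenset

    def handle_configure_request(self, protocol: int) -> str:
        # RFC 1661 section 5.7: a protocol the peer does not support is answered
        # with an LCP Protocol-Reject carrying the offending protocol number.
        if protocol in self.enabled_ncps:
            return "Configure-Ack"
        return "LCP Protocol-Reject"


def negotiate(client_ncps, server: RasServer) -> dict:
    """Run the NCP phase for every protocol the client enabled.

    Returns which protocols came up, which were rejected, a two-sided transcript,
    and the error 733 messages the client would raise, one per rejected protocol.
    """
    transcript, up, failed = [], [], []
    for proto in sorted(client_ncps):
        transcript.append(f"client -> server: {NCP_NAMES[proto]} Configure-Request")
        reply = server.handle_configure_request(proto)
        transcript.append(f"server -> client: {reply} for protocol 0x{proto:04X}")
        (up if reply == "Configure-Ack" else failed).append(proto)
    return {
        "up": up,
        "failed": failed,
        "transcript": transcript,
        "errors": [f"{ERROR_733} ({NCP_NAMES[p]})" for p in failed],
    }
```

With a server that only has IPX and NetBEUI enabled for dial-in, a client asking for all three gets IPX and NetBEUI up and a single error 733 for TCP/IP, which matches the reader's symptom: PPP itself worked, one NCP did not.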
PPTP: An Emerging Standard?
I want to use RAS's Point-to-Point Tunneling Protocol (PPTP) for secure WAN connectivity within my organization. I've heard a lot about two other standards, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP). What are they, and how do they compare to PPTP?
PPTP, which I discussed in the January article, is one of the coolest new features in NT 4.0's RAS, but it is not without limitations. (For more information on PPTP, see Doug Toombs, "Point-to-Point Tunneling Protocol," June 1997.) Microsoft doesn't support PPTP on all client operating systems. This lack of support creates an obstacle for mixed-environment NT networks.
However, one of Microsoft's suggested scenarios for PPTP is for an organization to outsource its dial-up communications hardware to Internet Service Providers (ISPs) that provide PPTP-enabled dial-up servers. This arrangement lets users with non-NT machines running regular PPP-based Internet connections (i.e., non-PPTP enabled) access resources on their organization's PPTP servers. Outsourcing to an ISP requires that the ISP have support for the protocol on its network, and a non-Microsoft-based provider is unlikely to have such support (mainly because PPTP has been a Microsoft-centric standard).
Because of PPTP's limitations, Cisco Systems (a data communications equipment vendor) has developed L2F, a competing standard to PPTP that has challenged PPTP as the choice for creating Virtual Private Networks (VPNs) in non-NT environments. Although these factors had the potential to crush widespread acceptance of PPTP, recent events have turned the tide.
Several major communications equipment manufacturers, including 3Com, Ascend Communications, ECI/Telematics, and U.S. Robotics, have announced hardware support for PPTP. In addition, the Internet Engineering Task Force (IETF) reached an agreement in June 1996 to gradually merge the disparate features of PPTP and L2F into one unified technology: L2TP. If all parties live up to their part of the bargain, you can expect Microsoft to provide a new version of PPTP that includes L2TP.
The final ray of hope shining on PPTP is Microsoft's PPTP driver for Windows 95. It will increase the acceptance of PPTP in environments using Win95 clients in addition to NT workstations; currently, these machines can't use PPTP to directly access PPTP-enabled NT servers.
PPTP Firewalling
I also received several questions from people about the use of PPTP as a firewall and specifically about the Enable PPTP Filtering option available in the Advanced TCP/IP configuration dialog box in the Network Control Panel. The questions centered on one theme: using the PPTP protocol as a secure WAN connectivity solution. In my January article, I discussed the steps required to enable PPTP on a RAS server. However, you can enable PPTP filtering to further enhance RAS's functionality.
With PPTP filtering, you can restrict a RAS server's PPTP-enabled WAN interface to PPTP traffic only (the TCP 1723 control connection and the GRE tunnel), dropping every other protocol. Then only PPTP client traffic can enter the network over the server's RAS interface. This is a simple protocol filter rather than a stateful firewall, but on an interface whose only job is to terminate tunnels it provides a useful level of protection.
This feature leverages PPTP's capabilities and creates an extra-secure NT environment, and security is a concern whenever the network is connected to the Internet. You can enable PPTP filtering in the TCP/IP Properties Advanced dialog box in the Network Control Panel. Launch Control Panel, double-click Network, and go to Protocols. Highlight TCP/IP, and choose Properties. Next, select the IP Address tab, and select the adapter you want to enable PPTP filtering on (the Internet-connected adapter). Now click the Advanced button to bring up the TCP/IP Advanced IP Addressing dialog box, which Screen 1 shows. After you check the Enable PPTP Filtering box, shut down and restart your system for the changes to take effect.
From the Advanced IP Addressing dialog box in Screen 1, you'll see a handy new feature in NT 4.0. Check the Enable Security box to bring up the TCP/IP Security dialog box shown in Screen 2.
From this dialog box, you can enable packet filtering on your NT server, a feature common to most standalone routers. Although not inherently connected to RAS or PPTP, this feature is useful if your NT RAS server is acting as your Internet gateway. (For example, if you have a dual-homed system connected to the LAN on one adapter and an Internet-connected router on the other, you apply the filtering to the Internet-exposed adapter.)
PPTP Registry Tweaks
As long as we're on the subject of advanced PPTP issues, let's talk about a few Registry tweaks. The first modification relates to enabling the PPTP filtering option to block non-PPTP traffic. This feature is great for security but severely impairs TCP/IP's functionality in several ways.
First, this modification prohibits internal network clients from accessing Internet-based services through a proxy server on the NT RAS server machine, and prohibits external Internet-based clients from accessing other services on the PPTP RAS server (e.g., Web, FTP, DHCP, Proxy). The PPTP filter discards all incoming non-PPTP traffic, which stops the return packets from Internet servers in their tracks, whether they are destined for the proxy or for a service the RAS server hosts itself.
However, as of Service Pack 2 (SP2), the PPTP filter can be told to pass non-PPTP traffic that is addressed to the server itself, so you can restore these services without giving up the filter's protection against traffic aimed at the rest of your network. To enable this support, you must have at least SP2 installed (preferably SP3 because of its increased stability) and follow the instructions below to modify the Registry. (For information about the security benefits of SP3, see Mark Joseph Edwards, "Service Pack 3 is Really Security Pack 3", page 113.)
Warning: Using the Registry editor incorrectly can cause serious, system-wide problems. You may have to reinstall NT to correct them. Use this tool at your own risk.
With that warning out of the way, let's get down to the details. To let non-PPTP Internet-based clients access services on the RAS PPTP server, start Registry Editor (either REGEDT32.EXE or REGEDIT.EXE) and locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPF\Parameters. Add the following value under this key:
Value Name: AllowPacketsForLocalMachine
Data Type: REG_DWORD
Data: 1 (a value of 1 enables, 0 disables)
Next, close Registry Editor, and shut down and restart the RAS server. When you restart the server, the PPTP protocol will coexist with other installed server services, without interference from the PPTP filter. Refer to Microsoft Knowledge Base article Q164052 for more information about this issue.
Another useful Registry tweak is the ability to restrict incoming PPTP connections by IP address (i.e., specify which addresses can connect to your PPTP server). Although PPTP encrypts the tunnel, nothing stops an Internet attacker from trying to discover the Administrator password through repeated logon attempts to your PPTP server. However, if attackers don't come in with the right source IP address, they won't even get to try. Bear in mind that this is a source-address allow list: it suits site-to-site links between fixed addresses, not roaming dial-up users whose addresses change with every call. (For more information on protecting your system from hackers, see Mark Minasi, "NT Security Scares?" and John Meixner, "Foil Attacks on Your Registry," July 1997.)
To enable this feature, you must make two related Registry modifications, which you should add during the same session. These and the other Registry values mentioned below live in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPE\Parameters\Configuration. The two values you need to add to this key for IP-based restriction follow. The first value tells PPTP to accept only incoming calls from the IP addresses listed in the second value, PeerClientIPAddresses.
Value Name: AuthenticateIncomingCalls
Data Type: REG_DWORD
Data: 1 (a value of 1 enables, 0 disables)
Value Name: PeerClientIPAddresses
Data Type: REG_MULTI_SZ
Data: (List the IP addresses here, one per entry, in the dotted-quad format xxx.xxx.xxx.xxx)
The next PPTP Registry values worth mentioning are network adapter-specific values that you can enable for each adapter. The first value relates to default gateway addresses. On multihomed NT servers with IP forwarding enabled (i.e., those acting as IP routers), NT adds a default route for each adapter that has a default gateway configured. On servers with one adapter on the internal LAN and one connected to the Internet, you can enhance security and avoid ambiguous routing by suppressing default route creation on the internal LAN adapter, so that only the Internet adapter supplies a default route.
To disable the route creation, locate the Registry key related to the particular network adapter. This key will appear in a format similar to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<AdapterName>\Parameters\Tcpip. Once you locate the key, add the following value:
Value Name: DontAddDefaultGateway
Data Type: REG_DWORD
Data: 1 (1 disables, 0 enables adding a default gateway)
Another adapter-specific value lets you specify PPTP filtering on a per-adapter basis rather than as a global value for all adapters (the value is global if you enabled the PPTP Filtering checkbox I described earlier). To enable or disable PPTP filtering on a specific adapter, add or modify the following value in the adapter's Registry key (the same key listed above):
Value Name: PPTPFiltering
Data Type: REG_DWORD
Data: 0 or 1 (1 enables, 0 disables PPTP filtering on the adapter)
A final noteworthy PPTP-related Registry entry is related to timeouts on PPTP WAN connections. If Internet traffic is heavy and packet latency between PPTP-enabled machines is significant, NT might drop the PPTP RAS connection. To cure this problem, increase the number of times PPTP packets will be retried. Add a value to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
Value Name: PPTPTcpMaxDataRetransmissions
Data Type: REG_DWORD
Valid Range: 0 - 0xFFFFFFFF
Default Value: 9 (may be set higher to increase the number of retries for PPTP packets)
PPTP Sessions o' Death
Although PPTP opens a world of opportunities for NT shops, ISPs, and users, it isn't perfect. I've experienced a few problems with RAS and PPTP in my travels. Although rare, these problems have ranged from minor to deadly.
The minor problem is a tendency for PPTP sessions to drop off and disconnect, even when the underlying RAS session is active. In some cases, increasing the PPTPTcpMaxDataRetransmissions value has helped.
The serious problem I've encountered with PPTP is the PPTP Session o' Death, which is akin to a Blue Screen of Death in severity. In this situation, a PPTP session from a client to the server is rolling along for about 10 to 15 minutes, with no apparent problems. At the 10 to 15 minute mark, the PPTP session becomes a data-corrupting Session o' Death, trashing any data the client is accessing on the LAN.
This problem happened on my network during a seemingly normal session to my primary NT server. I copied one large file and accessed my mailbox on my Exchange server. However, when I copied the file, Explorer seemed to complete the copy operation faster than it should have. The Exchange session crashed, and I was unable to re-access the Exchange server during the session. I quickly realized something was seriously wrong, so I terminated the session.
When I examined the server, I made some unpleasant discoveries. Although Properties on the icon revealed the correct file size, the file was trashed when I pulled it up. I wasn't able to re-access Exchange because my mailbox on the Exchange server was trashed. In fact, no amount of resuscitation of Exchange via repair utilities could fix it.
I had to fully restore my Exchange database to repair the problem. The scary thing about this situation was not only the data corruption, but the fact that I received no warning before the problem occurred.
This situation never happened before I installed SP2 on both machines (something I wish I had never done), and it hasn't recurred since I installed SP3. My SP3 installation might have fixed this problem, but I was unable to find any references to it in the SP3 documentation. I recommend that you install SP3 on any system that you use PPTP on.
I hope this situation never happens to you, regardless of the service pack level you've installed; however, if you do experience the PPTP Session o' Death, please be sure to let Microsoft know. Microsoft needs to address this bug in a future service pack or hotfix. If you aren't experiencing such problems, don't let this story scare you. (I've seen this problem happen twice, and both times were on the same network.)
Fine Tuning RAS
I've examined some additional aspects of RAS and the PPTP protocol to help you fine-tune your RAS implementation. With the addition of PPTP filtering, you can use your Internet-connected PPTP RAS server not only as a communications backbone for the entire company, but as a first line of defense against Internet attackers. The combination of a PPTP-enabled RAS server and a proxy server such as Microsoft Proxy Server or Deerfield Communications' WinGate offers an alternative to standard application-level firewalls for smaller sites.