Multiprotocol Tunneling Features of PPTP

Chapter 5. Configuring and Testing Layer 2 Connections

In Chapter 4, you were introduced to the Point-to-Point Tunneling Protocol, which can be used to create a secure connection between remote users and a network. Out of the box, PPTP is primarily an extension of Windows NT Remote Access Services that helps establish a VPN between an Internet user and a destination network using the RAS server as a gateway. Microsoft's Routing and Remote Access addendum to Windows NT Server allows for LAN-to-LAN PPTP connections.

This chapter mostly contains hands-on material for those of you wanting to set up your own PPTP connections. The first procedure we'll discuss is how to configure PPTP on your NT server. Rather than going into detail about setting up RAS, we'll assume that you've done it before, and cover in detail only the places where RAS and PPTP intersect. If you have no RAS experience, the NT Help files can help you out, and there are several good books available on the subject.

When configuring RAS, you'll specify the number of ports you want to make available for VPN dial-up access. Although most administrators set their RAS servers up for dial-in only, you can also allow outgoing PPTP connections from the server. RAS also lets you specify which protocols the NT server will route to dial-up users. Limiting the protocols will give you some control over which servers dial-up users can access. For example, allowing only IP will let users get to a TCP/IP email server, but prevent them from connecting to a shared drive on a Novell server using IPX. Likewise, if your internal servers don't use IP at all, you can disable IP while enabling the other protocols. Section 5.1.2.1 will point out where you can set this.

The RAS server also supports PPTP filtering, which lets you restrict who can connect to the system's LAN adapter. In order to connect, the user must pass through NT domain authentication. On multi-homed NT servers (servers with two network adapters), you can use PPTP filtering to restrict access to either local networks or the Internet. Used in combination with IP address filtering and fixed IP addresses, PPTP filtering lets you use the RAS server as a powerful firewall. If you prefer flexibility, however, NT also supports dynamic IP address assignment via the Dynamic Host Configuration Protocol (DHCP). We'll delve into how to configure both types of filtering and DHCP in this chapter.

As we said in Chapter 4, some ISPs support PPTP on their access equipment, while others don't. In this chapter, we'll show you how to handle either possibility. We'll also show you how to set up two popular routers for PPTP. ISPs can use PPTP support to make VPN connectivity easier for their customers, while network administrators can use it to offload some of the call processing on their RAS servers. At the end of this chapter, we'll go over a list of tests to perform and monitors to check if your PPTP connection doesn't work the first time. We'll also discuss how PPTP interacts with some other network security products.

5.1 Installing and Configuring PPTP on a Windows NT RAS Server

Installing and configuring PPTP on Windows NT 4.0 is as straightforward as installing any other Windows NT component. There are three basic steps involved: installing the protocol, setting up RAS, and configuring users for dial-up access.