Easy Implementation Features of PPTP


4.3.3 Multiprotocol Tunneling

The ability to tunnel multiple protocols is one of PPTP's greatest advantages. Some tunneling software allows you to tunnel only IP packets. PPTP, however, can tunnel all of the protocols currently supported by RAS. Users connecting to a RAS server through a VPN will have access to the full range of protocols and servers they would normally have on their LAN. For Windows NT and Windows 95/98 users, this means that their usual username and password, and all access privileges associated with their profile, will apply to the dial-up user. They will be able to browse the network and access file servers and network printers, as always, through their Network Neighborhood.

4.3.4 Ability to Use Corporate and Unregistered IP Addresses

When VPN users make PPTP connections with the RAS server, they can be assigned IP addresses by that server. The address can be part of the corporation's range of IP addresses (2.1.1.129 is part of the 2.1.1.0/24 CIDR address range in our earlier examples), thus making the RAS user's system appear to be on the corporate IP network. Sometimes corporations don't use what are known as registered IP addresses on their internal networks. If a block of addresses is registered, it means that it was obtained from an address registry such as the InterNIC, which assures that the addresses are unique on the Internet. The Internet Assigned Numbers Authority (IANA) has set aside blocks of unregistered IP addresses for use on private internets, or intranets. These addresses can be used on IP networks that don't have Internet access or that have access through a router that uses Network Address Translation (NAT), which we'll discuss more later. A listing of these unregistered blocks of addresses can be found in RFC 1918. If a company is using an unregistered range of addresses, a RAS client using PPTP can obtain one of these addresses and have access to the corporate IP network. If the user were simply dialing into an ISP and attempting to access the network without PPTP, a hole in the corporate firewall would have to be opened up for that user. If the user obtains a dynamic IP address whenever they dial into their ISP, this would be nearly impossible.
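As an added example (not from the book), the following Python checks the addresses a RAS server hands to PPTP clients: whether each lies inside the corporate CIDR range (the 2.1.1.129 in 2.1.1.0/24 case above) and whether it belongs to one of the RFC 1918 unregistered blocks. The address pool and corporate range are constructed sample values.

```python
"""Classify RAS/PPTP client addresses against the corporate range and RFC 1918.

Added example, not code from the book. The pool and corporate range below are
constructed sample values, not real configuration.
"""
import ipaddress

# The three private ("unregistered") blocks reserved by IANA in RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any RFC 1918 private block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def in_corporate_range(addr: str, corporate_cidr: str) -> bool:
    """True if addr is part of the corporate CIDR range, e.g. 2.1.1.129 in 2.1.1.0/24."""
    net = ipaddress.ip_network(corporate_cidr, strict=False)
    return ipaddress.ip_address(addr) in net


def pool_within_range(first: str, last: str, corporate_cidr: str) -> bool:
    """True if a RAS static pool (first..last, inclusive) lies wholly inside the corporate range."""
    net = ipaddress.ip_network(corporate_cidr, strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("pool start is after pool end")
    return lo in net and hi in net


def classify_pool(pool: list, corporate_cidr: str) -> dict:
    """Map each pool address to a label describing where it sits."""
    result = {}
    for addr in pool:
        if not in_corporate_range(addr, corporate_cidr):
            result[addr] = "outside corporate range"
        elif is_rfc1918(addr):
            result[addr] = "corporate, RFC 1918 private"
        else:
            result[addr] = "corporate, registered"
    return result


if __name__ == "__main__":
    # Constructed sample: the book's 2.1.1.0/24 range plus one stray address.
    sample_pool = ["2.1.1.129", "2.1.1.130", "2.1.2.5"]
    for a, label in classify_pool(sample_pool, "2.1.1.0/24").items():
        print(f"{a:<12} {label}")
```

An address flagged "outside corporate range" is one the RAS server should not be handing out, since traffic from it will not look like it came from the corporate network.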

Chapter 5. Configuring and Testing Layer 2 Connections

In Chapter 4, you were introduced to the Point-to-Point Tunneling Protocol, which can be used to create a secure connection between remote users and a network. Out of the box, PPTP is primarily an extension of Windows NT Remote Access Services that helps establish a VPN between an Internet user and a destination network using the RAS server as a gateway. Microsoft's Routing and Remote Access addendum to Windows NT Server allows for LAN-to-LAN PPTP connections. This chapter mostly contains hands-on material for those of you wanting to set up your own PPTP connections. The first procedure we'll discuss is how to configure PPTP on your NT server. Rather than going into detail about setting up RAS, we'll assume that you've done it before, and only cover the places where RAS and PPTP intersect in detail. If you have no RAS experience, the NT Help files can help you out, and there are several good books available on the subject. When configuring RAS, you'll specify the number of ports you want to make available for VPN dial-up access. Although most administrators set their RAS servers up for dial-in only, you can also allow outgoing PPTP connections from the server. RAS also lets you specify which protocols the NT server will route to dial-up users. Limiting the protocols will give you some control over which servers dial-up users can access. For example, allowing only IP will let users get to a TCP/IP email server, but prevent them from connecting to a shared drive on a Novell server using IPX. Likewise, if your internal servers don't use IP at all, you can disable IP while enabling the other protocols. Section 5.1.2.1 will point out where you can set this. The RAS server also supports PPTP filtering, which lets you restrict who can connect to the system's LAN adapter. In order to connect, the user must pass through NT domain authentication.
On multi-homed NT servers (servers with two network adapters), you can use PPTP filtering to restrict access to either local networks or the Internet. Used in combination with IP address filtering and fixed IP addresses, the RAS server can serve as a powerful firewall. If you prefer flexibility, however, NT also supports dynamic IP address assignment via the Dynamic Host Configuration Protocol (DHCP). We'll delve into how to configure both types of filtering and DHCP in this chapter. As we said in Chapter 4, some ISPs support PPTP on their access equipment, while others don't. In this chapter, we'll show you how to handle either possibility. We'll also show you how to set up two popular routers for PPTP. ISPs can use PPTP support to make VPN connectivity easier for their customers, while network administrators can use it to offload some of the call processing on their RAS servers. At the end of this chapter, we'll go over a list of tests to perform and monitors to check if your PPTP connection doesn't work the first time. We'll also discuss how PPTP interacts with some other network security products.

5.1 Installing and Configuring PPTP on a Windows NT RAS Server

Installing and configuring PPTP on Windows NT 4.0 is as straightforward as installing any other Windows NT component. There are three basic steps involved: installing the protocol, setting up RAS, and configuring users for dial-up access.