Choosing the protocols to tunnel

Figure 5-2. The RAS Network Configuration dialog box

From the same dialog box, you can also limit the user to the RAS server, rather than give access to the entire network. For our scenario, Sara N. will have access to the entire network. We don't recommend limiting access, for several reasons:

• First of all, it's uninteresting. One of the exciting things about VPNs is that they give users secure remote access as if they were directly connected to the LAN. Limiting them to the RAS server means that you're limiting what they're allowed to do on the network to the services the RAS server itself provides.

• If you're limiting remote user access to the RAS server itself, this probably means that you're running other services on the RAS server, such as email or printing services, or that you're using the RAS server as an application server. Unless you have four or fewer clients on your network, we don't recommend using the RAS server for anything but RAS. Otherwise, it can get bogged down by acting as both a router and a server.

• A PPTP RAS server, by its very nature, needs to be at least partially accessible from the Internet. Thus, it will also be open to attacks from the Net. If you're running critical applications on or from the RAS server and it proves vulnerable to one of these attacks and crashes, your application will go down with it.

5.1.2.2 Choosing your authentication method

In Chapter 4, we went over the authentication methods available in RAS: authentication with encryption (CHAP), authentication with Microsoft-enhanced encryption (MS-CHAP), and clear text (PAP). You can require MS-CHAP only, require encrypted authentication (CHAP or MS-CHAP), or allow any method, including clear-text PAP. You make your choice in the Network Configuration dialog box.

If it's available to all of your clients (e.g., if they're all Windows clients or you're using TunnelBuilder on your Macs), we suggest that you use MS-CHAP. Using it gives you the benefit of being able to turn on data encryption, so that the tunneled traffic, and not just the authentication exchange, is encrypted. Using the other methods is certainly possible if you don't have MS-CHAP-capable clients, but you run the risk of sending unencrypted data over the Internet, and unencrypted passwords in the case of PAP. Note that CHAP keeps the password itself off the wire, but anyone who captures the challenge and response pair can still test password guesses against it offline, so CHAP is only as strong as the password behind it.
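To make the difference between the options concrete, here is an added example in Python (not code from the book or from Microsoft RAS) that plays both sides of a PAP exchange and of a standard CHAP exchange as specified in RFC 1994, then checks what a sniffer on the Internet path can see. The user name saran, the secret winter99, the word list and the flattened packet encoding are all constructed for the demo; the CHAP shown is plain MD5 CHAP, not MS-CHAP. It demonstrates that PAP puts the password on the wire, that CHAP does not, and the caveat that a captured CHAP challenge/response pair still lets an observer guess a weak secret offline.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo credentials (not from the book).
USERNAME = "saran"
SECRET = "winter99"
SECRET_DB = {USERNAME: SECRET}   # the server's copy of the secret


def wire_bytes(pkt: dict) -> bytes:
    """Flatten a packet into the bytes a sniffer on the path would see.
    Simplified framing (assumption): real PPP/PPTP adds headers, but the
    field contents travel exactly like this."""
    out = b""
    for v in pkt.values():
        if isinstance(v, bytes):
            out += v
        elif isinstance(v, int):
            out += bytes([v])
        else:
            out += str(v).encode()
    return out


# --- PAP (RFC 1334): the password itself is sent ---------------------------
def pap_authenticate_request(username: str, password: str) -> dict:
    return {"code": "Authenticate-Request", "peer_id": username, "password": password}


def pap_verify(pkt: dict, secret_db: dict) -> bool:
    expected = secret_db.get(pkt["peer_id"])
    return expected is not None and hmac.compare_digest(expected, pkt["password"])


# --- CHAP (RFC 1994): only a challenge and a hash are sent ------------------
def chap_challenge(identifier: int, length: int = 16) -> dict:
    """Server -> client: Identifier plus a fresh random challenge Value."""
    return {"code": "Challenge", "identifier": identifier, "value": os.urandom(length)}


def chap_response_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || Secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_response(challenge_pkt: dict, username: str, secret: str) -> dict:
    """Client -> server: the hash plus the user name; the secret never leaves the client."""
    ident = challenge_pkt["identifier"]
    return {"code": "Response", "identifier": ident,
            "value": chap_response_value(ident, secret, challenge_pkt["value"]),
            "name": username}


def chap_verify(challenge_pkt: dict, response_pkt: dict, secret_db: dict) -> bool:
    """Server recomputes the hash with its own copy of the secret and compares."""
    secret = secret_db.get(response_pkt["name"])
    if secret is None or response_pkt["identifier"] != challenge_pkt["identifier"]:
        return False
    expected = chap_response_value(challenge_pkt["identifier"], secret, challenge_pkt["value"])
    return hmac.compare_digest(expected, response_pkt["value"])


def chap_offline_guess(challenge_pkt: dict, response_pkt: dict, wordlist) -> Optional[str]:
    """What a passive observer can still do with a captured exchange: try
    candidate secrets until one reproduces the Response value."""
    for guess in wordlist:
        if chap_response_value(challenge_pkt["identifier"], guess,
                               challenge_pkt["value"]) == response_pkt["value"]:
            return guess
    return None


def run_demo() -> dict:
    """Run both exchanges and report what the server and the wire see."""
    pap_pkt = pap_authenticate_request(USERNAME, SECRET)
    pap_ok = pap_verify(pap_pkt, SECRET_DB)
    pap_leaks = SECRET.encode() in wire_bytes(pap_pkt)

    chal = chap_challenge(identifier=1)
    resp = chap_response(chal, USERNAME, SECRET)
    chap_ok = chap_verify(chal, resp, SECRET_DB)
    chap_leaks = SECRET.encode() in (wire_bytes(chal) + wire_bytes(resp))

    bad = chap_response(chal, USERNAME, "wrong-secret")   # client with the wrong secret
    chap_bad_ok = chap_verify(chal, bad, SECRET_DB)

    # Constructed word list for the offline guess against the captured pair.
    guessed = chap_offline_guess(chal, resp, ["password", "summer98", "winter99", "letmein"])

    return {"pap_accepted": pap_ok, "pap_password_visible": pap_leaks,
            "chap_accepted": chap_ok, "chap_password_visible": chap_leaks,
            "chap_wrong_secret_accepted": chap_bad_ok, "chap_offline_guess": guessed}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the PAP password visible in the capture and the CHAP one absent, yet the offline guess recovers winter99 from the CHAP pair alone, which is why the book's recommendation to require MS-CHAP with data encryption does not remove the need for strong passwords.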

5.1.2.3 IP address negotiation using DHCP

The Dynamic Host Configuration Protocol (DHCP) is an ideal way to configure incoming PPTP clients with a dynamic IP address. Windows NT 4.0 comes with a DHCP server service that must be installed through the Network Control Panel.[1] Follow the instructions for installing RAS, but install the Microsoft DHCP Server service instead. Once the service is installed, a DHCP Manager program will also appear under the Start menu in Administrative Tools. To configure DHCP, follow these steps:

1. Under Start → Programs → Administrative Tools, open the DHCP Manager. The DHCP Manager dialog box will appear (see Figure 5-3).

2. Under the DHCP Servers column, select Local Machine. Then go to the Scope menu and select Create.

3. The Create Scope dialog box shown in Figure 5-3 will appear. Enter the Start Address and End Address for your assignments. In our case, we'll choose 2.1.1.129 for the starting address and 2.1.1.136 for the ending address.

Figure 5-3. The Windows NT DHCP Manager

[1] DHCP will not work on a Windows NT 4.0 RAS server that has two network cards with PPTP filtering enabled on one of them. Microsoft found the problem and issued a fix in Windows NT 4.0 Service Pack 2. We recommend having Service Pack 3 or later installed if you want to use DHCP with RAS. See other problems between DHCP and PPTP filtering in Section 5.1.3.2 later in this chapter.