Chapter 5. Configuring and Testing Layer 2 Connections

In Chapter 4, you were introduced to the Point-to-Point Tunneling Protocol, which can be used to create a secure connection between remote users and a network. Out of the box, PPTP is primarily an extension of Windows NT Remote Access Services that helps establish a VPN between an Internet user and a destination network using the RAS server as a gateway. Microsoft's Routing and Remote Access addendum to Windows NT Server allows for LAN-to-LAN PPTP connections.

This chapter mostly contains hands-on material for those of you wanting to set up your own PPTP connections. The first procedure we'll discuss is how to configure PPTP on your NT server. Rather than going into detail about setting up RAS, we'll assume that you've done it before, and only cover in detail the places where RAS and PPTP intersect. If you have no RAS experience, the NT Help files can help you out, and there are several good books available on the subject.

When configuring RAS, you'll specify the number of ports you want to make available for VPN dial-up access. Although most administrators set their RAS servers up for dial-in only, you can also allow outgoing PPTP connections from the server. RAS also lets you specify which protocols the NT server will route to dial-up users. Limiting the protocols gives you some control over which servers dial-up users can access. For example, allowing only IP will let users get to a TCP/IP email server, but prevent them from connecting to a shared drive on a Novell server using IPX. Likewise, if your internal servers don't use IP at all, you can disable IP while enabling the other protocols. Section 5.1.2.1 will point out where you can set this.

The RAS server also supports PPTP filtering, which lets you restrict who can connect to the system's LAN adapter. In order to connect, the user must pass through NT domain authentication. On multi-homed NT servers (servers with two network adapters), you can use PPTP filtering to restrict access to either local networks or the Internet. Used in combination with IP address filtering and fixed IP addresses, the RAS server can serve as a powerful firewall. If you prefer flexibility, however, NT also supports dynamic IP address assignment via the Dynamic Host Configuration Protocol (DHCP). We'll delve into how to configure both types of filtering and DHCP in this chapter.

As we said in Chapter 4, some ISPs support PPTP on their access equipment, while others don't. In this chapter, we'll show you how to handle either possibility. We'll also show you how to set up two popular routers for PPTP. ISPs can use PPTP support to make VPN connectivity easier for their customers, while network administrators can use it to offload some of the call processing from their RAS servers. At the end of this chapter, we'll go over a list of tests to perform and monitors to check if your PPTP connection doesn't work the first time. We'll also discuss how PPTP interacts with some other network security products.

5.1 Installing and Configuring PPTP on a Windows NT RAS Server

Installing and configuring PPTP on Windows NT 4.0 is as straightforward as installing any other Windows NT component. There are three basic steps involved: installing the protocol, setting up RAS, and configuring users for dial-up access.

5.1.1 Installing PPTP

The PPTP protocol does not come installed on a Windows NT 4.0 server by default. It's up to the administrator to add it to the list of network protocols active on the system, and you'll need your NT 4.0 CD-ROM or the NT installation hierarchy (e.g., \I386 for Intel and clone processors) accessible from some other location. The steps for installing the PPTP protocol are pretty straightforward:

1. Under the Start menu on the control bar, select Settings, then Control Panel.

2. When the Control Panel window comes up, double-click on the Network icon.

3. In the Network dialog box, click on the Protocols tab.

4. In the Network Protocols list in the dialog box, you'll see the protocols currently installed on your system. Unless you've installed PPTP on the system before, it shouldn't be one of them. Click on the Add button at the bottom of the list.

5. The Select Network Protocol dialog box will appear, displaying a list of available protocols. Scroll down the list using the scroll bar until you see the Point To Point Tunneling Protocol. Select this item and click the OK button.

6. Another dialog box will appear, entitled PPTP Configuration. Here you must select the Number of Virtual Private Networks you wish to support (i.e., the number of simultaneous PPTP connections allowed to the RAS server). This limit is a good way to keep the machine from getting bogged down by too many users. The range is from 1 to 256. For our example, we'll choose 8 from the selection box and click OK. The installation program will then scan the NT 4.0 CD-ROM for the needed files, or ask you for the location of those files.

5.1.2 Setting Up RAS

After the PPTP protocol itself is installed, the process automatically continues with RAS configuration. You'll get a pop-up Setup Message stating that RAS setup will be invoked. Click the OK button on this message to continue. Here are the steps to set up RAS for virtual private networking:

1. The Remote Access Setup dialog will come up, listing the current RAS ports and devices. If you already have a modem configured for RAS, it will appear in this box. To configure RAS to use PPTP devices, click the Add button.

2. The Add RAS Device dialog box will then appear. Use the pull-down selection list to select a RAS-capable device. In addition to your system's serial ports, you should see a list of VPN devices under the Ports heading. Each device will be numbered from 1 to the maximum number of VPN ports you configured when installing the PPTP protocol. In our case, we'll see one device for each of the eight ports we configured (see Figure 5-1). While RAS was kind enough to automatically include these ports for us, it allows us to select only one at a time from the list. Once you've selected the port to add, click the OK button. You'll then have to click the Add button again from the Remote Access Setup dialog to repeat the procedure for each remaining port.

3. The new VPN ports are configured for dial-in only. If you wish to set up the ports for dial-out as well (which we cover later in Section 5.2), click on the Configure button in the Remote Access Setup dialog box.

4. Also from the Remote Access Setup dialog box, you can click the Network button to be brought to the Network Configuration dialog box for a selected VPN port. We'll discuss the options it presents in the following sections. As you'll see, since there's no