MS Point-to-Point Tunneling Protocol (Windows NT 4.0)

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft Point-to-Point Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server, creating a virtual private network (VPN) by using TCP/IP-based data networks. PPTP supports multiple network protocols (IP, IPX, and NetBEUI) and can be used for virtual private networking over public and private networks. You can use PPTP to provide secure, on-demand, virtual networks by using dial-up lines, local area networks (LANs), wide area networks (WANs), or the Internet and other public, TCP/IP-based networks.

Using PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server, thus creating a virtual private network (VPN) by using TCP/IP-based data networks. PPTP supports multiple network protocols (IP, IPX, and NetBEUI) and can be used for virtual private networking over public and private networks. You can use PPTP to provide secure, on-demand, virtual networks by using dial-up lines, local area networks (LANs), wide area networks (WANs), or the Internet and other public, TCP/IP-based networks.

This white paper provides information on how to install, configure, and use PPTP on computers running the Windows NT Workstation version 4.0 and Windows NT Server version 4.0 operating systems. The main topics of this document are:

  • planning for PPTP installation and configuration

  • what you must know before installing PPTP

  • installing and configuring a PPTP server

  • installing and configuring a PPTP client

  • using PPTP to dial up an ISP and connect to a PPTP server

  • using Point-to-Point Protocol (PPP) to connect to a PPTP server by using an ISP PPTP service

  • using PPTP over the LAN to connect to a PPTP server

Note: This document provides information about how to install, configure, and use PPTP on computers running Windows NT Server version 4.0 and Windows NT Workstation version 4.0. If you need information about the architecture, components, and features of PPTP, see the white paper titled "Understanding PPTP."

Planning for PPTP and Virtual Private Networks

A virtual private network can be defined as an on-demand connection between two computers in different locations. It consists of the two computers (one computer at each end of the connection) and a route, or tunnel, over a public or private network. To ensure privacy and secure communication, data transmitted between the two computers is encrypted by the Point-to-Point Protocol (PPP) (a remote access protocol) and then routed over a dial-up or LAN connection by a PPTP device. In Windows NT Server and Windows NT Workstation terminology, this device is referred to as a virtual private network or VPN.

PPTP uses the VPN device to establish and maintain private, secure communication between computers. It does this by using Remote Access Service (RAS) and Dial-Up Networking to communicate over dial-up lines and public and private networks.

The most common scenario in which a network administrator can use PPTP is one in which the remote user connects to an enterprise network by using Dial-Up Networking and an Internet Service Provider (ISP) connection to the Internet. Other scenarios in which a network administrator can use PPTP to provide secure and encrypted communication include the following:

  • Remote user access using Dial-Up Networking to connect directly to a PPTP-enabled network access server, such as a computer configured with Windows NT Server version 4.0 and RAS. This scenario starts with a remote computer using PPP to dial up an ISP server that is configured as a PPTP client. The ISP server then accesses a PPTP tunnel that goes from the ISP, over the Internet, to the PPTP server on the private network.

  • Local network access using Dial-Up Networking on a LAN connection to create a PPTP tunnel across the LAN to another computer on the same LAN. This scenario starts with a remote or local computer configured as a PPTP client. The second computer, at the other end of the PPTP connection, must be configured as a PPTP server. The PPTP client must be able to connect, via the tunnel, to a PPTP server using the PPTP device referred to as a VPN.

Hardware Requirements

The PPTP Server

The computer that is configured as a PPTP server must have the minimum configuration required to run Windows NT Server version 4.0. In addition, two network adapter cards, also referred to as network interface cards (NICs), are required. One adapter is connected to the Internet; the other is connected to the private enterprise network.

One of the primary advantages of PPTP is that it reduces or eliminates the need for dedicated telecommunications equipment to support remote and mobile users who need to connect to the enterprise network. PPTP enables secure use of public or outsourced telecommunication networks. This reduces the cost of owning and maintaining dedicated telecommunications equipment.

The PPTP Client

A PPTP client can be a computer configured with either Windows NT Workstation version 4.0 or Windows NT Server version 4.0. Thus, the minimum hardware configuration for a PPTP client is dependent on which operating system is being used.

It is important to note that an ISP network access server (NAS) can also be a PPTP client. In this case, the NAS hardware can be a PPTP-enabled server or router manufactured by a variety of companies, including members of the PPTP Forum such as Ascend Communications, 3Com/Primary Access, ECI Telematics and US Robotics.

If the PPTP client is a remote or mobile enterprise user that connects to an enterprise PPTP server by using dial-up lines over the Internet, additional hardware is required, such as an analog modem or Integrated Services Digital Network (ISDN) device and a device for telephone access, such as a telephone wall jack.

If the PPTP client is connecting over the LAN to a PPTP server, the additional hardware required is the network adapter that is physically wired to the LAN network.

Network Protocols on the Private Enterprise Network

PPTP enables you to use virtual private networking over public TCP/IP networks and retain existing network protocols, network node addresses, and naming schemes on the private enterprise network. Thus, no changes to existing network configurations and to network-based applications are required when using PPTP to tunnel across the Internet or other TCP/IP-based public networks. For example, IPX or NetBEUI clients can continue to run applications that require these protocols.

Name resolution methods—such as Windows Internet Naming Service (WINS) for NetBIOS computers, Domain Name System (DNS) for TCP/IP host names, and Service Advertisement Protocol (SAP) for IPX networking—do not need to be changed. In addition, IP addresses that are not valid on the Internet can be used on the private network.

Note, however, that the address and name resolution schemes on the private enterprise network must be correctly configured. If they are not, PPTP clients will not be able to communicate with computers on the private network.

Before Installing PPTP

Before you begin installing PPTP, it is important that you understand the following points:

  • PPTP uses Microsoft's implementation of RAS and the Point-to-Point Protocol (PPP) to establish connections with remote computers by using dial-up lines, Ethernet networks, or token ring networks. PPP provides remote-user authentication and data encryption between the PPTP client and the PPTP server. Thus, to use PPTP you must install and configure RAS with Dial-Up Networking on both PPTP clients and PPTP servers.

  • Because PPTP requires RAS and the PPP protocol, you must establish a PPP account with your ISP to use PPTP over an ISP connection to the Internet.

  • PPTP uses virtual devices called VPNs. When you configure PPTP, you install and configure VPNs in RAS as if they were physical devices, just like modems.

  • PPTP is installed and configured on PPTP clients and PPTP servers only. Computers on the route between the PPTP client and PPTP server do not require PPTP installation.

  • A PPTP server can be placed behind a firewall on the private enterprise network to ensure that traffic in and out of the private network over the PPTP server is secured by the firewall computer.

  • To ensure enterprise network security, PPTP clients must be authenticated (just like any other remote user using RAS and Dial-Up Networking) in order to connect to the private enterprise network.

  • Using the Internet to establish a connection between a PPTP client and a PPTP server means that the PPTP server must have a valid, Internet-sanctioned IP address. However, the encapsulated IPX, NetBEUI, or TCP/IP packets sent between the PPTP client and the PPTP server can be addressed to computers on the private enterprise network using private network addressing or naming schemes. The PPTP server disassembles the PPTP packet from the PPTP client and forwards the packet to the correct computer on the private network.

Installing and Configuring PPTP on a PPTP Server

PPTP is installed on a Windows NT-based server as a network protocol by using the Protocols tab in the Network option of Control Panel. You can add, configure, and remove PPTP by using the Protocols tab.

This section explains how to install and configure the PPTP protocol on a PPTP server and assumes the following:

  • Windows NT Server version 4.0 is installed.

  • One or more network adapters are installed. In most cases, two or more network adapters are required: one to connect to the Internet and one or more to connect to enterprise networks.

  • TCP/IP is installed and bound to the network adapter connected to the private enterprise network, and the adapter is connected to the Internet.

  • The network protocol used on the private enterprise network (TCP/IP, NetBEUI, or IPX) is installed and bound to the adapter(s) connected to the private enterprise network.

  • The PPTP server is configured with a static IP address.

  • RAS, with Dial-Up Networking, is installed and configured.

  • You know how many simultaneous connections with remote PPTP clients you want the PPTP server to support, so that you can configure the correct number of VPN devices.

Configuring a computer running Windows NT Server version 4.0 as a PPTP server involves three major procedures:

  • Installing PPTP and then selecting the number of VPN devices

  • Adding the VPN devices as RAS ports and devices

  • Configuring encryption and authentication options

Installing PPTP on a PPTP Server

To install the PPTP protocol on a computer running Windows NT Server version 4.0

  1. Click Start, point to Settings, and click Control Panel.

  2. Double-click Network in Control Panel.

  3. Click the Protocols tab and then click Add to display the Select Network Protocol dialog box. The Select Network Protocol dialog box is illustrated in the following figure.

    Figure 1: Selecting the PPTP network protocol

  4. Select Point To Point Tunneling Protocol and click OK.

  5. Type the drive and directory location of your Windows NT Server version 4.0 installation files in the Windows NT Setup dialog box, and then click Continue. The PPTP files are copied from the installation directory, and the PPTP Configuration dialog box will appear as shown in the following figure.

    Figure 2: Configuring the Number of VPN Devices for the PPTP Server

  6. Click the Number of Virtual Private Networks drop-down arrow to select the number of simultaneous VPNs you want the server to support. You can select a number between 1 and 256. Typically, multiple VPNs are installed on a PPTP server to enable multiple clients to simultaneously connect to the PPTP server. The server can be configured to support a maximum number of 256 simultaneous VPN connections.

  7. Click OK, and then click OK again in the Setup Message dialog box.

  8. In the Remote Access Setup properties dialog box you can do either of the following:

    a) Temporarily stop installation of PPTP by clicking Cancel, closing Network, and shutting down and restarting the computer. Note that you must perform the procedure described in the following section "Adding VPN Devices as RAS Ports on a PPTP Server" to complete installation of PPTP.

    b) Continue installation of PPTP by clicking Add to add the VPN devices installed with PPTP to RAS. (See step 5 of the following procedure.)

Adding VPN Devices as RAS Ports on a PPTP Server

After installing PPTP, you must add the VPN devices to RAS. Follow these steps to add VPN devices on a computer running Windows NT Server version 4.0.

To configure VPN devices on the PPTP server

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Network in Control Panel.

  3. Click the Services tab and select Remote Access Service.

  4. Click Properties to display the Remote Access Setup properties dialog box.

  5. Click Add. The Add RAS Device properties dialog box will appear as shown in the following figure.

    Figure 3: Adding the VPN Devices to RAS on the PPTP Server

  6. Click the RAS Capable Devices list arrow to display VPN devices that must be added and configured as a port and device in RAS.

  7. Select a VPN device and click OK. Repeat steps 5, 6, and 7 until all the VPNs are added to the Remote Access Setup properties dialog box.

  8. Select a VPN port and click Configure. Verify that the Receive calls only option in the Port Usage dialog box is selected and then click OK to return to the Remote Access Setup properties dialog box. (If you also use this server as a PPTP client and want to use this VPN device to dial out as a PPTP device, select Dial-out.)

  9. Repeat the last step for each VPN device that is displayed on the Remote Access Setup properties tab. (By default, VPN devices on a computer running Windows NT Server version 4.0 are automatically configured with the Receive calls only option, but you should verify this configuration.)

  10. Click Network to display the Network Configuration dialog box. Verify that only TCP/IP is checked in the Server Settings in the Network Configuration dialog box. Click OK to return to the Remote Access Setup properties dialog box.

  11. Click Continue.

  12. Close Network, shut down, and then restart the computer.

Configuring PPTP Server Encryption and Authentication Options

This section provides procedures and information about configuring a PPTP server. This involves three steps:

  • Encrypting data sent over the Internet

  • Accepting only PPTP packets from the Internet

  • Accessing a private network

Configuring Server Encryption for PPTP

The encryption of data is performed by the remote access protocol PPP. You enable encryption by configuring each VPN device that was added and configured in RAS properties. This configuration is identical to configuring encryption for other RAS devices, such as a modem.

To enable encryption on a VPN device on the PPTP server

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Network in Control Panel.

  3. Click the Services tab and select Remote Access Service.

  4. Click Properties to display the Remote Access Setup properties dialog box (shown below).

    Figure 4: Selecting a VPN Device for Encryption on the PPTP server

  5. Select a VPN device for which you want to enable encryption, and then click Network. The Network Configuration dialog box will appear.

    Figure 5: Configuring the VPN device with encryption on the PPTP server

  6. Select Require Microsoft encrypted authentication and Require data encryption. This configures RAS and PPP to enforce Windows NT-based authentication of all remote clients connecting to the PPTP server.

  7. Click OK to return to the Remote Access Setup properties dialog box.

  8. Click Continue.

  9. Close Network, shut down, and then restart the computer.

Configuring PPTP Filtering on the PPTP Server

Enabling PPTP filtering provides a form of security for your private network by configuring an adapter on the computer to block all packets except PPTP packets. In a multi-homed computer, such as a PPTP server with one adapter connected to the enterprise network and another adapter connected to the Internet, PPTP filtering should be enabled on the adapter over which the PPTP connection is being made.

In other words, if remote or mobile users connect to the enterprise network by using the PPTP server and the Internet, PPTP filtering should be enabled on the server adapter that is connected to the Internet. PPTP filtering in this case is enabled by configuring TCP/IP settings for the adapter that is connected to the Internet.

Note: When PPTP filtering is enabled, all other network packets are ignored. Thus, packets from TCP/IP utilities such as ping and tracert are not accepted by the adapter on which PPTP filtering is enabled. This provides security, but it also means it can be difficult to troubleshoot possible problems on the PPTP server by using the TCP/IP troubleshooting utilities.
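What "all packets except PPTP packets" means on the wire, as an added example that is not part of the original paper and is not Microsoft's filter code: a Python model of the accept/drop decision for packets arriving on the Internet-facing adapter. The TCP port (1723) and the GRE values come from the PPTP specification rather than from this page; the sample packets are constructed, and dropping non-first fragments is an assumption of the model.

```python
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 1, 6, 17, 47
PPTP_CONTROL_PORT = 1723   # TCP port of the PPTP control connection
GRE_PROTO_PPP = 0x880B     # protocol type in PPTP's enhanced GRE header


def classify(packet: bytes) -> str:
    """Return 'accept' for inbound PPTP traffic, 'drop' for everything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"                        # not a complete IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop"                        # malformed header length
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset:
        # Assumption of this model: a later fragment has no TCP/GRE header
        # to inspect, so it cannot be shown to be PPTP and is dropped.
        return "drop"
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 4:
        _sport, dport = struct.unpack("!HH", payload[:4])
        return "accept" if dport == PPTP_CONTROL_PORT else "drop"
    if proto == IPPROTO_GRE and len(payload) >= 4:
        flags_ver, proto_type = struct.unpack("!HH", payload[:4])
        version = flags_ver & 0x0007         # PPTP uses GRE version 1
        ok = version == 1 and proto_type == GRE_PROTO_PPP
        return "accept" if ok else "drop"
    return "drop"                            # ICMP (ping, tracert), UDP, ...


def ipv4(proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Constructed IPv4 packet: checksum left at 0, documentation addresses."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                         frag_offset, 64, proto, 0,
                         bytes([203, 0, 113, 7]), bytes([192, 0, 2, 10]))
    return header + payload


def tcp(dport: int) -> bytes:
    """Constructed 20-byte TCP SYN header from an arbitrary source port."""
    return struct.pack("!HHLLBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


# Constructed sample traffic, one packet per case.
SAMPLES = {
    "pptp-control": ipv4(IPPROTO_TCP, tcp(PPTP_CONTROL_PORT)),
    "pptp-data": ipv4(IPPROTO_GRE,
                      struct.pack("!HHHH", 0x3081, GRE_PROTO_PPP, 0, 1) + bytes(8)),
    "plain-gre": ipv4(IPPROTO_GRE, struct.pack("!HH", 0x0000, 0x0800) + bytes(20)),
    "http": ipv4(IPPROTO_TCP, tcp(80)),
    "ping": ipv4(IPPROTO_ICMP, b"\x08\x00" + bytes(6)),
    "dns": ipv4(IPPROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
    "pptp-control-fragment": ipv4(IPPROTO_TCP, tcp(PPTP_CONTROL_PORT), frag_offset=1),
    "truncated": b"\x45\x00",
}


def verdicts() -> dict:
    """Classify every constructed sample packet."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:24s} {verdict}")
```

The "ping" case is the one the note above describes: with filtering enabled, ICMP echo requests never reach the adapter, so the absence of a reply says nothing about whether the PPTP server is up.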

To enable PPTP filtering on an adapter in the PPTP server

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Network in Control Panel.

  3. Click the Protocols tab, select TCP/IP Protocol, and then click Properties.

  4. Click the IP Address tab and then click Advanced.

  5. Click the Adapter drop-down arrow and select the adapter connected to the Internet. Click Enable PPTP Filtering as shown in the following dialog box. Note that filtering is enabled only on network adapters. Filtering cannot be enabled on modems or ISDN devices.

    Figure 6: Enabling PPTP Filtering on the PPTP server

  6. Click OK, click OK again, and then close Network.

  7. Shut down and then restart the computer.

Configuring LAN Routing on the PPTP Server

RAS must be configured to access your private network using the appropriate network protocols in order to enable the PPTP server to forward a packet from a PPTP client to the correct destination computer. For more information about general RAS server configuration (for example, using TCP/IP, IPX, or NetBEUI), see Rassetup.hlp in the \winnt\system32 directory.

After RAS is configured to access the private network, a PPTP server requires the following steps:

  • The TCP/IP protocol must be configured to enable IP forwarding.

  • Default routes must be suppressed by adding a Registry entry.

  • Static routes to the private network must be established.

Enable IP Forwarding

You must enable IP forwarding on the PPTP server.

To enable IP forwarding

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Network in Control Panel.

  3. Click the Protocols tab, select TCP/IP, and then click Properties.

  4. Click the Routing Properties dialog box, and then click Enable IP Forwarding.

  5. Click OK, click OK again, and then close Network.

Adding the DontAddDefaultGateway Registry Entry

By default, Windows NT Server and Windows NT Workstation both place a default route (0.0.0.0) on each network adapter in a computer. This causes the server to send route discovery requests of unknown IP addresses to the network adapter configured with the default route. This is the normal and desired action of a router, but it must be reconfigured on a server connected to a private network and to the Internet.

You must disable the automatic addition of a default route on all the network adapters installed on the PPTP server. You do this on the PPTP server by adding the Registry entry DontAddDefaultGateway with a value of REG_DWORD 0x1 in the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<networkadapter>\Parameters\Tcpip\DontAddDefaultGateway

This entry prevents the default route from being added to the network adapters. Use the Registry editor to add this entry, and then stop and restart the computer.

After the DontAddDefaultGateway entry is created you must add static routes for each network adapter. These static routes must configure the PPTP server to route incoming data from the Internet to the correct server on the private network.

Adding Static Routes for the Private Network

You add static routes to your private network on the PPTP server by using the route command in the Command Prompt. The static entries can be added by using a .bat file that contains the routes or by using the route command with the persistent (-p) option.

The route command causes all subnets and computers on the private network to be known to the PPTP server. Without the necessary route commands, the PPTP server would broadcast for every address required by PPTP clients.

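To add the static routes to the PPTP server, type route with the -p option at the command prompt, as shown in the following example, where <gateway> is a placeholder for the address of the gateway that reaches the destination:

C:\>route -p add 172.16.48.10 <gateway>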

The route command must contain all the computers or networks you want PPTP clients to reach.
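A way to check the result of the two routing steps above, as an added example that is not part of the original paper: a Python audit that reads a route table, reports any default route that is still present, and reports every private destination that no static route covers. The table text, gateway and interface addresses, and the 172.16.49.0/24 network are constructed for the example; only 172.16.48.10 comes from this page, and the five-column layout is an assumption about how the table was captured.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")


def parse_route_table(text: str) -> list:
    """Keep lines of the form: destination netmask gateway interface metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # headings, blank lines, banners
        try:
            dest, mask, gateway, iface = fields[:4]
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(network,
                                ipaddress.IPv4Address(gateway),
                                ipaddress.IPv4Address(iface),
                                int(fields[4])))
        except ValueError:
            continue                      # not an address row
    return routes


def audit(routes: list, required: list) -> list:
    """Return findings; an empty list means the table matches the guidance."""
    findings = []
    for route in routes:
        if route.network.prefixlen == 0:  # 0.0.0.0 mask 0.0.0.0
            findings.append(
                f"default route via {route.gateway} on interface {route.interface}")
    specific = [r.network for r in routes if r.network.prefixlen > 0]
    for target in required:
        wanted = ipaddress.IPv4Network(target)
        if not any(wanted.subnet_of(net) for net in specific):
            findings.append(f"no static route covers {wanted}")
    return findings


# Destinations PPTP clients must reach (second entry is constructed).
REQUIRED = ["172.16.48.10/32", "172.16.49.0/24"]

# Constructed table: default route still present, one private network missing.
BEFORE = """\
Network Address   Netmask          Gateway Address  Interface    Metric
0.0.0.0           0.0.0.0          192.0.2.1        192.0.2.10   1
127.0.0.0         255.0.0.0        127.0.0.1        127.0.0.1    1
172.16.48.0       255.255.255.0    172.16.48.1      172.16.48.1  1
192.0.2.0         255.255.255.0    192.0.2.10       192.0.2.10   1
"""

# Constructed table after DontAddDefaultGateway and the missing static route.
AFTER = """\
Network Address   Netmask          Gateway Address  Interface    Metric
127.0.0.0         255.0.0.0        127.0.0.1        127.0.0.1    1
172.16.48.0       255.255.255.0    172.16.48.1      172.16.48.1  1
172.16.49.0       255.255.255.0    172.16.48.254    172.16.48.1  1
192.0.2.0         255.255.255.0    192.0.2.10       192.0.2.10   1
"""

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_route_table(table), REQUIRED) or "ok")
```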

For more information about LAN-to-LAN routing using RAS, consult the Windows NT Server version 4.0 Networking Supplement, Chapter 4, "Routing in Windows NT," or the Microsoft Knowledge Base article 121877 available on www.microsoft.com.

Installing and Configuring PPTP on a PPTP Client

A PPTP client can connect to a PPTP server in three ways:

  • by using dial-up lines to the Internet

  • by using a LAN connection, such as an Ethernet connection and adapter

  • by using a network tap found in mobile office work areas, such as a conference room

The procedures in this section assume the following:

  • Windows NT Workstation version 4.0 or Windows NT Server version 4.0 is installed

  • TCP/IP is installed on the computer.

  • RAS with Dial-up Networking is installed on the computer.

  • An analog modem, ISDN device, or other modem device is installed and configured in RAS to enable you to make a dial-out connection from the computer.

  • If you are using the Internet to connect to the PPTP server, you have a PPP account with your ISP.

Installing PPTP on a PPTP Client

To install the PPTP protocol on a PPTP client running Windows NT Workstation version 4.0 or Windows NT Server version 4.0

  1. Click Start, point to Settings, and then click Control Panel.

  2. In Control Panel, double-click Network.

  3. Click the Protocols tab, and then click Add to display the Select Network Protocol dialog box, shown in the following figure.

    Figure 7: Selecting the PPTP network protocol on the PPTP client

  4. Select Point To Point Tunneling Protocol and click OK.

  5. Type the drive and directory location of your installation files in the Windows NT Setup dialog box, and then click Continue.

    The PPTP files are copied from the installation directory and the PPTP Configuration dialog box will appear as shown in the following figure.

    Figure 8: Adding a VPN device on the PPTP client

  6. Click the Number of Virtual Private Networks drop-down arrow and select the number of VPN devices you want the client to support. You can select a number between 1 and 256 for computers running Windows NT Workstation version 4.0 or Windows NT Server version 4.0. Typically, only one VPN is installed on a PPTP client.

    Note: If the PPTP client is an ISP server running Windows NT Server version 4.0, you can select multiple VPN devices as needed to simultaneously support the PPP clients using the ISP server to connect to a PPTP server. Windows NT Server version 4.0 supports a maximum number of 256 VPN devices.

  7. Click OK, and then click OK in the Setup Message dialog box.

  8. In the Remote Access Setup properties dialog box, you can do either of the following:

    a) Temporarily stop installation of PPTP by clicking Cancel, closing Network, and then shutting down and restarting the computer. Note that you must perform the procedure described in the following section "Adding a VPN Device as a RAS Port on the PPTP Client" to complete installation of PPTP.

    b) Continue installation by clicking Add to add to RAS the VPN device installed with PPTP. (See step 5 of the procedure described in the following section.)

Adding a VPN Device as a RAS Port on the PPTP Client

You must add the VPN device to RAS after installing PPTP. Follow these steps to add a VPN device on a computer running Windows NT Workstation version 4.0.

To configure a VPN device on the PPTP client

  1. Click Start, point to Settings, and then click Control Panel.

  2. In Control Panel, double-click Network.

  3. Click the Services tab and select Remote Access Service.

  4. Click Properties to display the Remote Access Setup properties dialog box.

  5. Click Add. The Add RAS Device properties dialog box is illustrated in the following figure.

    Figure 9: Adding the VPN to RAS on a PPTP client

  6. Click the RAS Capable Devices list to display the VPN devices that must be added and configured as a port and device in RAS.

  7. Select the VPN1 - RASPPTPM device, and then click OK. (If you installed PPTP with more than one VPN device, repeat steps 5, 6, and 7 until all the VPNs are added to the Remote Access Setup properties dialog box.)

  8. By default, the VPN device on a computer running Windows NT Workstation version 4.0 is configured to dial out only. Select the VPN port and click Configure. Verify that the Dial out only option in the Port Usage dialog box is the only option selected, and then click OK. This returns you to the Remote Access Setup properties dialog box.

  9. Click Network to display the Network Configuration dialog box.

  10. Verify that the TCP/IP option in Dial out Protocols is the only option checked, and then click OK.

  11. Click Continue.

  12. Close Network, shut down, and then restart the computer.

Configuring Dial-Up Networking on the PPTP Client

PPTP is most commonly used for enabling secure and encrypted communications to private enterprise networks via the Internet. In this scenario, the PPTP client must have two phonebook entries: one to connect to the ISP and one to connect to a PPTP server.

However, if you are using PPTP to connect to another computer on the LAN, you only need to have one phonebook entry: the PPTP server phonebook entry.

The following procedures describe how to use Dial-Up Networking to create phonebook entries for the ISP and the PPTP server.

Creating the Phonebook Entry to Dial an ISP

If you are using PPTP and Dial-Up Networking to connect to a PPTP server over the Internet, you will need to create a Phonebook entry for your ISP.

Note: You do not need to create a Phonebook entry for your ISP if you are using a LAN connection to dial up a PPTP server on the LAN.

Before starting the following procedures, make sure you have:

  • Installed all network protocols used on the private network to which you want to connect

  • Configured RAS to dial out using those network protocols.

To create a new ISP entry by using the Phonebook Wizard

  1. Click Start, point to Accessories, and then click Dial-Up Networking. (If this is the first phonebook entry you are creating, the Dial-Up Networking dialog box will appear. Click OK.)

  2. Type the name of your ISP in Name the new phonebook entry, and then click Next.

  3. Click I am calling the Internet and click Next. This configures the phonebook entry to use TCP/IP and PPP as the Dial-Up Networking protocols.

  4. Select your modem device in Select the modem or adapter this entry will use on the Modem or Adapter dialog box, and then click Next.

  5. Type the ISP phone number in Phone number on the Phone Number dialog box. Click Use Telephony dialing properties if you need to add an area code or other prefix. Click Alternatives if you have an alternative phone number for your ISP.

  6. Click Next, and then click Finish.

  7. Verify the phonebook entry by using the following procedure.

To verify or edit your ISP phonebook entry

  1. Click More in Dial-Up Networking, and then click Edit entry and modem properties to verify that your ISP phonebook entry is correctly configured. The Edit Phonebook Entry dialog box is illustrated in the following figure.

    Figure 10: Example Phonebook entry used to dial up an ISP

  2. Review the information on the Basic tab to ensure that the phone number is correct and that the correct modem or ISDN device is selected. Make any necessary changes.

  3. Click the Server tab. The Server tab is illustrated in the following figure.

    Figure 11: Verifying the Dial-Up Server properties

  4. Review the information on the Server tab to ensure that the Dial-up server type displays "PPP: Windows NT, Windows 95 Plus, Internet."

  5. In the Network protocols box, ensure that TCP/IP is selected.

  6. Click TCP/IP Settings to display the PPP TCP/IP Settings dialog box. Ensure that the TCP/IP settings conform to the IP address and name server information specified by your ISP.

  7. By default, the options Enable Software Compression and Enable PPP LCP extensions are selected. These settings are compatible with most ISP services. Check with your ISP before changing these default settings.

  8. Click the Script tab, and then select None. The PPP protocol provided in RAS is designed to automate remote logon. If your ISP requires a manual logon, consult your ISP for the correct configuration.

  9. Click the Security tab. Click Accept only Microsoft encrypted authentication. This configures PPP to encrypt the user name and password for remote logon to a server that enforces Windows NT authentication.

  10. Click OK and then click Close to complete the ISP phonebook entry.

Creating the Phonebook Entry to Dial a PPTP Server

You must create a phonebook entry to connect to your PPTP server by using a VPN device.

Note: You do not need to create a Phonebook entry for your PPTP server if your computer is not PPTP-enabled and you are using a PPTP service provided by your ISP.

Before starting the following procedures you must have previously done the following:

  • Installed all network protocols (IP, IPX, NetBEUI) used on the private network to which you want to connect.

  • Configured RAS to dial out using the network protocols (IP, IPX, NetBEUI) used on the private network.

To create a phonebook entry to dial up a PPTP server by using a VPN device

  1. Click Start, point to Accessories, and then click Dial-Up Networking. (If this is the first phonebook entry, a Dial-Up Networking dialog box will appear. Click OK.)

  2. Type the name of your PPTP server in Name the new phonebook entry, and click Next.

  3. Click I am calling the Internet and click Next. This configures the phonebook entry to use TCP/IP and PPP as the Dial-Up Networking protocols.

  4. Select RASPPTPM(VPN1) in the Select the modem or adapter this entry will use list in the Modem or Adapter dialog box, and then click Next.

  5. Type the IP address of the adapter on the PPTP server that is connected to the Internet in the Phone Number dialog box.

    Note: If your PPTP server has an Internet-registered DNS name, you can enter its DNS name in this field instead.

  6. Click Next, and then click Finish.

  7. Verify the phonebook entry by using the following procedure.

Note: If you are configuring the VPN device on an ISP server running Windows NT Server version 4.0 that is configured with multiple VPN devices, repeat this procedure for each VPN device.

To verify or edit your phonebook entry for the PPTP server

  1. Click More in Dial-Up Networking, and then click Edit entry and modem properties to verify that your PPTP server phonebook entry is correctly configured. The Edit Phonebook Entry dialog box will appear as illustrated in the following figure.

    Figure 12: Example phonebook entry for PPTP server and a VPN device

  2. Review the information on the Basic tab to ensure that the phone number is correct and that the RASPPTPM(VPN1) device is selected. Make any necessary changes.

  3. Click the Server tab.

    Figure 13: Verifying the Dial-Up Server configuration on the PPTP client

  4. Review the information on the Server tab to ensure that the Dial-up server type displays "PPP: Windows NT, Windows 95® Plus, Internet."

  5. In the Network protocols dialog box, ensure that the network protocols used on your private network are selected. Any selected protocol (TCP/IP, IPX/SPX, NetBEUI) must already be installed on the PPTP client you are configuring. In addition, RAS must be configured to use that protocol to dial out. Note that TCP/IP does not need to be selected unless it is the protocol used on your private network.

  6. If you use TCP/IP on your private network, click TCP/IP Settings to display the PPP TCP/IP Settings dialog box. Ensure that the TCP/IP settings conform to the settings required by the RAS configuration on the PPTP server. This includes the Enable Software Compression and Enable PPP LCP extensions settings.

  7. Click the Script tab, and then select None. The PPP protocol used in RAS is designed to automate remote logon. If your ISP requires a manual logon, consult your ISP for the correct configuration.

  8. Click the Security tab. Click Accept only Microsoft encrypted authentication. The PPP protocol encrypts the user name and password for remote logon. The user name and password used to log on to the current session can be used by selecting Use current username and password. You are prompted by the PPTP server if this box is not selected. Both methods are encrypted and are therefore secure.

Note: If you are configuring the VPN device on an ISP server running Windows NT Server version 4.0 that is configured with multiple VPN devices, repeat this procedure for each VPN device.

Using PPTP to connect to a PPTP server by Dialing an ISP

A PPTP-enabled client must have two phonebook entries (as described in the previous section) to connect to a PPTP server. This section explains how to make the connection.

To connect to a PPTP server using a PPTP client to dial up an ISP

  1. Click My Computer, and then click Dial-up Networking.

  2. Click More and select User Preferences. On the Appearance tab, clear the Close on dial checkbox. Click OK.

  3. In the Dial-Up Networking dialog box, click the drop-down arrow in the Phonebook entry to dial list to select the entry for your ISP phonebook entry, and then click Dial.

  4. After connecting to your ISP, click the drop-down arrow in the Phonebook entry to dial list once more to select the entry for your PPTP server. Click Dial.

After successful connection, all traffic through your modem is routed by the ISP over the Internet to your PPTP server, which routes the traffic to the correct computer.

Dialing-up an ISP PPTP Service to connect to a PPTP Server

You can use a PPP client to make a connection to a PPTP server across the Internet if your ISP provides a PPTP service. You do this by using Dial-Up Networking and your modem or ISDN device to connect to your ISP server. You do not need to make a second dial-up call because the ISP server, configured as a PPTP client, makes the connections to the PPTP server for the PPP client.

Contact your ISP for information about whether they provide a PPTP service and if so, how to connect to their server that provides the PPTP service.

Using PPTP Over the LAN to Connect to a PPTP Server

PPTP clients with a typical network connection or null modem connection to an IP network can use PPTP tunneling over that IP network. You can create a virtual private network by using your direct LAN connection; data sent from your PPTP client to another computer on the LAN is encrypted and secure because you are using a PPTP server to connect to the remote computer.

In this scenario, the PPTP client uses Dial-Up Networking over the LAN connection instead of a telephone line. A single dial-up connection to the PPTP server using a Phonebook entry and the PPTP client VPN is required.

To connect to a PPTP server over a LAN connection

  1. Click My Computer, and then click Dial-up Networking.

  2. Click More and select User Preferences. On the Appearance tab, clear the Close on dial checkbox, and then click OK.

  3. In the Dial-Up Networking dialog box, click the drop-down arrow in the Phonebook entry to dial list to select the entry for your PPTP server.

  4. Click Dial.

After successful connection, all traffic from your computer is first routed to your PPTP server, which then forwards your data across the LAN to the remote computer.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

0197 Part no. 098-68565