Chapter 11 - Point-To-Point Tunneling Protocol (PPTP)
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
A RAS server is usually connected to a PSTN, ISDN, or X.25 network, allowing remote users to access a server through these networks. RAS now allows remote users access through the Internet by using the new Point-to-Point Tunneling Protocol (PPTP).
PPTP is a new networking protocol that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks securely across the Internet by dialing into an Internet Service Provider (ISP) or by connecting directly to the Internet. PPTP offers the following advantages:
Lower Transmission Costs PPTP uses the Internet as a connection instead of a long-distance telephone number or 800 service. This can greatly reduce transmission costs.
Lower Hardware Costs PPTP enables modems and ISDN cards to be separated from the RAS server. Instead, they can be located at a modem pool or at a communications server (resulting in less hardware for an administrator to purchase and manage).
Lower Administrative Overhead With PPTP, network administrators centrally manage and secure their remote access networks at the RAS server. They need to manage only user accounts instead of supporting complex hardware configurations.
Enhanced Security The PPTP connection over the Internet can be encrypted with the same RAS link encryption used for dial-up connections, and it works with any protocol that the PPP link carries (IP, IPX, and NetBEUI). The protection is only as strong as the RAS settings behind it: a 40-bit session key and password-based PPP authentication, both described later in this chapter, so "secure" here means secure relative to an unencrypted dial-up or Internet link, not against a well-resourced attacker.
Applications for PPTP
PPTP provides a way to route PPP packets over an IP network. Since PPTP allows multiprotocol encapsulation, you can send any type of packet over the network. For example you can send IPX packets over the Internet.
PPTP lets an IP network stand in for the PSTN, ISDN, or X.25 network that a RAS client would otherwise dial across. This virtual WAN can run over any IP carrier, including public ones such as the Internet.
Compare PPTP to the other WAN protocols: When you use PSTN, ISDN, or X.25, a remote access client establishes a PPP connection with a RAS server over a switched network. After the connection is established, PPP packets are sent over the switched connection to the RAS servers to be routed to the destination LAN.
In contrast, when you use PPTP there is no switched connection to the RAS server. The PPP packets are instead carried to the RAS server inside IP packets (a TCP control connection plus GRE-encapsulated PPP data), so the only thing the client and the RAS server need in common is IP reachability across the virtual WAN.
The end benefit for both the user and the corporation is a savings in transmission costs by using the Internet rather than long distance dial-up connections.
The following three sections describe how PPTP can be used: for outsourcing a dial-up network, for client connections directly through the Internet, and for client connections through an ISP.
PPTP in Outsourced Dial-Up Networks
Communications hardware available for supporting dial-up needs can be complicated and not well integrated. For a large enterprise, putting together a Windows NT RAS server requires modems, serial controllers, and many cables. Furthermore, many solutions do not provide a single integrated way to efficiently support V.34 and ISDN dial-up lines.
Many corporations would like to outsource dial-up access to their corporate backbone networks in a manner that is cost effective, hassle free, protocol independent, secure, and that requires no changes to the existing network addressing. Virtual WAN support using PPTP is one way a service provider can meet the needs of corporations.
By separating modem pools from a RAS server, PPTP allows you to outsource dial-up services or geographically separate the RAS server from the hardware within a corporation. For example, a telephone company can manage modems and telephone lines while user account management stays centralized at the RAS server. An end user makes a local call to the telephone company, whose communications server forwards the PPP session to a Windows NT RAS server over a WAN link. The client then has access to the corporate network.
This type of solution leverages existing proven PPP authentication, encryption, and compression technologies.
See figure 11.1 for an example: The RAS client does not need to have the PPTP protocol; the client simply makes a PPP connection to the modem pool or communications server. Note that the communication server or modem pool must implement PPTP for communication with the RAS server.
Figure 11.1 An outsourced dial-up network using PPTP
Secure Access to Corporate Networks over the Internet (Virtual Private Networks)
A RAS client that has PPTP as its WAN driver can access resources on a remote LAN by connecting to a Windows NT RAS server through the Internet. There are two ways to do this: By connecting directly to the Internet or by dialing an ISP as shown in the following examples.
In the first, a client that already has an IP connection to the Internet "dials" the RAS server: the phonebook entry used for the VPN device carries the RAS server's IP address or host name in place of a telephone number. PPTP on the client makes a tunnel through the Internet and connects to the PPTP-enabled RAS server. After authentication, the client can access the corporate network, as shown in figure 11.2.
Note Connecting directly to the Internet means direct IP access without going through an ISP. (For example, some hotels allow you to use an Ethernet cable to gain a direct connection to the Internet.)
Figure 11.2 RAS client connected directly to the Internet
In the second example, the same functionality is achieved by calling an ISP instead of being directly connected to the Internet. The client first dials the ISP to obtain an IP connection. Over that connection it then makes a second RAS call, this time to the VPN phonebook entry for the RAS server, which establishes the PPTP tunnel. See figure 11.3 for an example.
Figure 11.3 RAS client dialing into an ISP
Data sent across the PPTP tunnel is encapsulated in PPP packets, so the RAS link encryption applies to it in the same way as to a dial-up link when encryption is enabled on the connection. RAS supports bulk data encryption using RSA RC4 with a 40-bit session key that is negotiated at PPP connect time between the RAS client and the Windows NT RAS server. A 40-bit key space (2^40 keys) is small enough to search exhaustively with modest hardware, so this encryption protects against casual eavesdropping on the Internet path rather than against a determined attacker.
PPTP itself does not authenticate; it relies on the PPP authentication protocols that RAS already uses: the Password Authentication Protocol (PAP), which sends the password in the clear, and the Challenge Handshake Authentication Protocol (CHAP), including Microsoft's MS-CHAP variant. Neither is an encryption algorithm. Because the RC4 session key is derived from the user's password hash, a RAS server configured to require data encryption must also require Microsoft encrypted (MS-CHAP) authentication.
In addition to supporting encrypted PPP links across the Internet, a PPTP-based solution also enables the Internet to become a network backbone for carrying IPX and NetBEUI remote-access traffic. PPTP can transfer IPX traffic because it encapsulates (and, when enabled, encrypts) whole PPP packets so that they ride inside IP packets. The corporate LAN therefore does not have to run TCP/IP for remote users to reach it over the Internet.
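The encapsulation described in "Applications for PPTP" and in the paragraph above is easiest to see in code. The following is an added example, not part of the original chapter or of the Windows NT implementation: it builds and decodes the enhanced GRE header that PPTP uses for its data channel (layout as specified in RFC 2637, which this chapter does not cite) around PPP frames carrying an IP datagram and an IPX packet, showing that the outer carrier is plain IP regardless of the inner protocol. The IPv4 and IPX headers are constructed sample bytes, not captured traffic, and the call ID and sequence numbers are arbitrary.

```python
"""Encapsulate and decode PPP frames in PPTP's enhanced GRE (RFC 2637)."""
import struct

GRE_PROTO_PPP = 0x880B                       # GRE protocol type for PPP
GRE_K, GRE_S, GRE_A, GRE_VER1 = 0x2000, 0x1000, 0x0080, 0x0001

# PPP protocol numbers for the payloads the chapter mentions, plus link-layer control
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI",
                 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}


def ppp_frame(protocol, payload):
    """A PPP frame as PPTP carries it: no HDLC flags or CRC, just protocol + data."""
    return struct.pack("!H", protocol) + payload


def gre_encapsulate(call_id, ppp, seq=None, ack=None):
    """Wrap a PPP frame in an RFC 2637 enhanced GRE header.
    K (key) is always set and carries payload length + call ID; S marks a data
    packet with a sequence number; A carries a piggybacked acknowledgment."""
    flags = GRE_K | GRE_VER1
    tail = b""
    if seq is not None:
        flags |= GRE_S
        tail += struct.pack("!I", seq)
    if ack is not None:
        flags |= GRE_A
        tail += struct.pack("!I", ack)
    key = struct.pack("!HH", len(ppp), call_id)
    return struct.pack("!HH", flags, GRE_PROTO_PPP) + key + tail + ppp


def gre_decapsulate(packet):
    """Parse the GRE header and the PPP frame inside; reject anything that is not
    GRE version 1 carrying PPP with the key field present."""
    if len(packet) < 8:
        raise ValueError("short GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != GRE_VER1 or not flags & GRE_K:
        raise ValueError("not a PPTP data packet")
    off, seq, ack = 8, None, None
    if flags & GRE_S:
        seq, = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags & GRE_A:
        ack, = struct.unpack("!I", packet[off:off + 4])
        off += 4
    ppp = packet[off:off + length]
    if len(ppp) != length:
        raise ValueError("truncated PPP payload")
    result = {"call_id": call_id, "seq": seq, "ack": ack,
              "protocol": None, "name": None, "payload": b""}
    if length == 0:                      # acknowledgment-only packet, no PPP frame
        return result
    if ppp[:2] == b"\xff\x03":           # optional HDLC address/control bytes
        ppp = ppp[2:]
    if ppp[0] & 1:                       # protocol-field compression: one odd byte
        protocol, payload = ppp[0], ppp[1:]
    else:
        protocol, payload = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    result.update(protocol=protocol, name=PPP_PROTOCOLS.get(protocol, "unknown"),
                  payload=payload)
    return result


def demo():
    """Send an IP datagram and an IPX packet down the same tunnel (call ID 3)."""
    # Constructed sample headers (not real captures): 20-byte IPv4, 30-byte IPX
    ip_datagram = bytes.fromhex("4500001c000040004001000a0a0a0a0ac0a80101")
    ipx_packet = bytes.fromhex("ffff001e0004" "00000001" "000000000001" "0451"
                               "00000002" "000000000002" "0451")
    tunnel = [
        gre_encapsulate(3, ppp_frame(0x0021, ip_datagram), seq=1),
        gre_encapsulate(3, ppp_frame(0x002B, ipx_packet), seq=2, ack=7),
    ]
    return [gre_decapsulate(p) for p in tunnel]


if __name__ == "__main__":
    for d in demo():
        print(f"call {d['call_id']} seq {d['seq']} ack {d['ack']}: "
              f"{d['name']} payload of {len(d['payload'])} bytes")
```

Both packets decode to the same call ID with different inner protocols, which is the whole point of the "multiprotocol" claim: the Internet routers in between forward IP protocol 47 packets and never look at the PPP protocol field. The decoder deliberately rejects anything that is not version 1 GRE with the PPP protocol type, which is the minimum check a receiver should make before touching the payload.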
You must have the PPTP protocol installed on the RAS server—and on the client or communications server—for PPTP tunneling to succeed.
To install the PPTP protocol
In Control Panel, double-click the Network icon, then click the Protocols tab.
Click Add and select Point to Point Tunneling Protocol.
When prompted for the path to the distribution files, provide the path and click OK.
Enter the number of connections you want available to PPTP, that is, the number of virtual private network (VPN) ports the server will accept at once.
RAS setup will start and add the PPTP protocol to RAS. Choose the port on which you want to install the PPTP protocol and click OK.
You must restart your computer for the PPTP configuration to take effect.
Protecting a RAS Server from Internet Attacks
If you select PPTP filtering, you effectively disable the selected network adapter for all other protocols. Only PPTP traffic is accepted on it: the TCP control connection to port 1723 and the GRE-encapsulated data (IP protocol 47). Everything else arriving on that adapter, including ICMP and the NetBIOS and file-sharing ports that a Windows NT server would otherwise expose, is dropped.
You might want to do this when you have a multihomed computer with one network adapter (with PPTP filtering enabled) connected to the Internet and another network adapter connected to the internal corporate network. Clients outside the corporate network can use PPTP to connect to the computer from across the Internet and gain secure access to the corporate network. The filter itself does not authenticate anyone: any Internet host can still reach the PPTP service, and it is RAS authentication on the PPP link that decides whose traffic is forwarded into the corporate network. Figure 11.4 illustrates this concept.
Note The RAS client can either be connected to the Internet directly or to a service provider. It is not necessary to be connected to both to use PPTP.
Figure 11.4 PPTP filtering between the Internet and the corporate network
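To make the policy of the filter concrete, here is an added example (not code from the original chapter or from Windows NT) that models the ingress decision "Enable PPTP Filtering" applies to one adapter: pass IP protocol 47 (GRE) and TCP segments to port 1723, drop everything else. It runs the policy over a handful of constructed IPv4 packets with checksums left at zero, so the addresses, ports and payloads are illustrative only; the intent is to show what does and does not reach the RAS server, not to reproduce the driver.

```python
"""Model of Windows NT 'Enable PPTP Filtering' applied to an Internet-facing adapter."""
import struct
from collections import namedtuple

PPTP_CONTROL_PORT = 1723                # TCP control connection (RFC 2637)
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 1, 6, 17, 47

Verdict = namedtuple("Verdict", "allowed reason")


def ipv4_packet(proto, src, dst, payload):
    """Constructed IPv4 header with no options; checksum is left zero because
    this is a filter model, not a sender."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def tcp_segment(sport, dport, flags=0x02):
    """Minimal TCP header (no options); only the ports matter to the filter."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)


def pptp_filter(packet):
    """Stateless ingress decision for one adapter with PPTP filtering enabled."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return Verdict(False, "not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_GRE:
        return Verdict(True, "GRE: PPTP data tunnel")
    if proto == IPPROTO_TCP:
        if len(packet) < ihl + 4:
            return Verdict(False, "truncated TCP header")
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport == PPTP_CONTROL_PORT:
            return Verdict(True, "TCP/1723: PPTP control connection")
        return Verdict(False, f"TCP/{dport} is not PPTP")
    return Verdict(False, f"IP protocol {proto} is not PPTP")


# Constructed addresses from the documentation ranges, not real hosts
INTERNET_CLIENT = bytes([203, 0, 113, 5])
RAS_SERVER_EXTERNAL = bytes([198, 51, 100, 10])


def demo():
    """Run the filter over traffic an Internet host might aim at the RAS server."""
    samples = {
        "pptp control SYN": ipv4_packet(IPPROTO_TCP, INTERNET_CLIENT, RAS_SERVER_EXTERNAL,
                                        tcp_segment(40001, PPTP_CONTROL_PORT)),
        "gre data": ipv4_packet(IPPROTO_GRE, INTERNET_CLIENT, RAS_SERVER_EXTERNAL,
                                b"\x30\x01\x88\x0b" + b"\x00" * 8),
        "icmp echo": ipv4_packet(IPPROTO_ICMP, INTERNET_CLIENT, RAS_SERVER_EXTERNAL,
                                 b"\x08\x00\x00\x00"),
        "netbios session (tcp/139)": ipv4_packet(IPPROTO_TCP, INTERNET_CLIENT,
                                                 RAS_SERVER_EXTERNAL, tcp_segment(40002, 139)),
        "netbios name (udp/137)": ipv4_packet(IPPROTO_UDP, INTERNET_CLIENT, RAS_SERVER_EXTERNAL,
                                              b"\x00\x89\x00\x89\x00\x08\x00\x00"),
    }
    return {name: pptp_filter(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{'PASS' if verdict.allowed else 'DROP':4} {name:28} {verdict.reason}")
```

Two things the model makes visible. First, the filter is stateless and per adapter: it never consults the corporate-side adapter, so the server's internal interface is unaffected. Second, the packets it passes are exactly the ones any Internet host can send, which is why the RAS authentication settings on the server, not the filter, are what protect the corporate network behind it.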
To enable PPTP filtering
In Control Panel, double-click the Network icon, then click the Protocols tab.
Select TCP/IP Protocol, and click Properties.
On the IP Address tab, click Advanced.
In the Adapter box, select the network adapter for which you want to specify PPTP filtering. The PPTP filtering settings in this dialog box are defined only for the selected network adapter.
To enable PPTP filtering, select Enable PPTP Filtering.
The settings take effect after you restart the computer.
For more information about advanced TCP/IP configuration, see the topic "To Configure Advanced TCP/IP Options" in the TCP/IP online Help file.