June 1997

Point-to-Point Tunneling Protocol



Next, the Client
Now that you have successfully configured your server to accept PPTP traffic, you need to configure each workstation you plan to use. Install PPTP following the same steps you did for the server. Add your VPN device to RAS, but this time, configure the VPN device for Dial out only, as Screen 6 shows. Click Network to modify the protocols RAS can use to dial out. Be sure to include TCP/IP and the protocols you want to access on your private network (IPX or NetBEUI).

As I mentioned earlier, the client must have a functioning Internet connection. Connect your client to the Internet now.

Now you need to create a new entry in the DUN phone book to define the PPTP connection. Select Dial-Up Networking from Programs, Accessories. Create a new DUN connection using your VPN port, but instead of entering a phone number, enter the server's IP address or fully qualified domain name (if it is registered in Domain Name System--DNS), as Screen 7 shows. On the Server tab, select all the protocols (TCP/IP, IPX, and NetBEUI) on your private network that you need to access. On the Security tab, select the Accept only Microsoft encrypted authentication and Require data encryption options shown in Screen 8. Another option is Use current username and password. You can use this option if you expect your username and password on this workstation to be the same as they are in the domain you're dialing into. If you have configured everything correctly, you can now dial up your PPTP connection and connect to your private network.

A Word About Security and Performance
Now, before you tell your CIO that you plan to route your company's sensitive remote-access data over the Internet, make sure that you can answer some obvious questions. I can't cover these issues in depth, but let's review some basics of security and performance.

Microsoft's RAS server uses 40-bit RSA RC4 data encryption, derived from what is called a "shared secret"--your password. The client encrypts its data using your password, and the server does the same with its copy of your password from the security database. Because both systems (client and server) know what your password is, it never has to travel across the Internet unencrypted. This function solves a major security problem, key distribution. Both systems simply use that shared key to perform their encryption. This encryption method is extremely secure (as secure as it can be without exceeding US federal export regulations) so you can feel safe about your data being encrypted with this method. Thousands of credit card transactions occur on the Internet every day using encryption based on similar technologies. For more information on RSA encryption, or PPTP's use of RSA encryption, you can read RSA's FAQ 3.0 on Cryptography at http://www.rsa.com/rsalabs/newfaq, or view Microsoft's PPTP FAQ at http://www.microsoft.com/ntserver/info/pptpfaq.htm.

Obviously, performance over the public Internet won't be as fast as your dedicated dial-up circuits. First, you share a finite amount of bandwidth with several million other users. Keep in mind that the Internet is getting slower as time goes on. Second, running a tunneling protocol has unavoidable overhead, although Microsoft has designed PPTP to minimize overhead.

Because several factors come into play, I can't give you a rule of thumb about how PPTP will affect your system's performance. You will have to try PPTP for a while so you can weigh the cost benefits against the performance hits to determine whether PPTP is a workable solution for your organization.

The Future of PPTP
Although you shouldn't underestimate Microsoft's marketing muscle, you need to evaluate the future of any new technology before rushing headlong into an implementation. In developing and promoting the PPTP standard, Microsoft has joined with several partners, including such name-brand players as 3Com, Ascend Communications, U.S. Robotics, and major ISPs such as UUNET. The primary competition for PPTP is a protocol called Layer 2 Forwarding (L2F). Cisco Systems developed L2F, and the protocol has gained support from Shiva and Northern Telecom. Each protocol has its strengths and weaknesses, and both protocols will meet your VPN needs adequately. To make things even more confusing, the Internet Engineering Task Force (IETF) apparently hasn't endorsed either protocol. Instead, IETF will release a final draft of a hybrid protocol, Layer 2 Tunneling Protocol (L2TP), later this year.

Microsoft currently supports PPTP only for NT 4.0. Microsoft originally expected to have support for Windows 95 by the end of 1996, but that date slipped into mid-1997 and is now expected as part of Memphis. In the interim, you have some options. Some ISPs are implementing PPTP services, so that you need to make only a PPP connection to these services. They will handle the tunneling back to your corporate network. Ask your ISP whether it offers PPTP and how you can configure the service.

As Easy As...
Here's another scenario for you. Joe, a manager in your company, tells you that he absolutely must have dial-in access to the company's network from his home PC, some bargain-basement clone you've never heard of. He can't quite tell you how it's configured, but he knows the PC is beige. Ideally, here is your conversation:

You: Can you surf the Net with your PC?

Joe: Oh, yeah. I configured it all myself. I'm running Netscape 97.

You (after rolling your eyes): Great. Here's our PPTP server's IP address. See you on the network.

I admit I'm oversimplifying. But as industry support for PPTP continues to grow, that scenario isn't unthinkable in the near future.



Reader Comments
I was pleased Douglas Toombs wrote a seemingly thorough article on the basics of setting up PPTP, "Point-to-Point Tunneling Protocol," June 1997. When I set up a server for my company, I couldn't find any step-by-step information about how to do it. So I didn't know what I did wrong when the setup didn't work. I discovered that our router is too old and doesn't support GRE packets, which pass PPTP through to a server. Also TCP port 1723 must be open. I wish Douglas' article had included that information for people with servers hooked up to dedicated Internet connections. I found the information in an FAQ on PPTP from a third-party vendor who makes PPTP clients for Windows and Mac. (The documentation for the beta of the Windows 95 PPTP client does mention protocol ID 47--GRE--and TCP port 1723.)
--Edward Baichtal

Thanks for sharing your findings. As you noted, the beta for PPTP in Win95 has been released and is available for public download. Your information will be very useful for people with older routers and certain firewall configurations.
--Doug Toombs

Edward Baichtal August 13, 1999


Having read the June "Point-to-Point Tunneling Protocol" article by Douglas Toombs, I believe his review of the security of information exchanged between a RAS server and client is incorrect. True, the encryption is based on "shared secrets" initialized in the client and the server, and this approach means that these shared secrets are never sent over the Internet. However, to then state that the encryption method is extremely secure and that you can feel safe about your data being encrypted with this method is completely incorrect.

Even if you don't send the shared encryption key over the Internet, you cannot escape the fact that the 40-bit RC4 encryption algorithm is being used. An exhaustive key search (i.e., a search through all keys) can easily decrypt a message encrypted with a 40-bit RC4 key, in a matter of hours. Therefore, it does not matter whether the key used to encrypt the message is actually sent over the Internet.

I suggest that if information is important enough to require encryption, you should not rely on 40-bit RC4. Instead, use a strong algorithm (e.g., IDEA, DES, RC4), with a large key size (i.e., at least above 56 bits, ideally 128 bits). Because the number of keys to search through would be so huge, a key size of 128 bits with a strong algorithm can stop even the most determined attacker (even governments) from decrypting information by searching through all keys.
--Liaquat Khan

Thanks for your input. You are probably referring to Berkeley's Network of Workstations (NOW) project, which, earlier this year, broke a 40-bit RC5 encryption by brute force in 3.5 hours. Although that feat is reason for concern, an equally important consideration is that the NOW system is the 190th fastest supercomputer in the universe.

Obviously, not everyone has that type of computing power readily available, and bringing that type of computing power to bear on an encryption is not necessarily easy. But even clusters of not-so-super computers, all working in unison, have broken even stronger encryption methods, such as the US government's DES standard, a mainstay in the world's banking and financial institutions.

To be fair, RSA RC4 was first cracked (that I am aware of) on August 15, 1995. The first-announced decryption used 120 workstations and 2 parallel supercomputers at 3 major research centers. All that processing power took 8 days to break the encryption by brute force. Again, this amount of computing power is relatively significant, but demonstrates the amount of computing power that someone can harness by using the spare cycles of a large number of machines. An estimated 70,000 computers worldwide performed the 56-bit DES break in June this year, and even as I write this email, my computer is participating in an ongoing attempt to break a RC5 56-bit encryption.

The question most people face is how much encryption is enough? Do you feel safe with the current exportable encryption technologies used to protect secure transactions on the Internet? If so, PPTP will suit your needs. If you require a level of encryption that even a government couldn't crack, PPTP won't be secure enough. Obviously each organization must decide, but you raise a very valid point: Most organizations will probably want to use the maximum amount of encryption available.
--Douglas Toombs

Liaquat Khan August 13, 1999
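The shared-secret and key-length discussion above (the article's "Security and Performance" section and this exchange) carried through in code, as an added example that is not part of the article or the comments: a minimal RC4 so that "a 40-bit key" is a concrete 5-byte value, and the work-factor arithmetic that scales the 3.5-hour 40-bit figure to 56- and 128-bit keys. The key and message are constructed, and the scaling assumes the same key-testing rate for every key size, ignoring that different ciphers cost different amounts per trial.

```python
# Added example, not code from the article or from Microsoft's RAS/PPTP.

# --- RC4, the stream cipher the article says RAS uses with a 40-bit key ---
def rc4_keystream(key: bytes):
    """Key-scheduling (KSA), then the pseudo-random generation loop (PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

# --- Work-factor arithmetic for the exhaustive search the reader describes ---
HOURS_PER_YEAR = 24 * 365.25

def scale_search_time(ref_bits: int, ref_hours: float, target_bits: int) -> float:
    """If a full search of a ref_bits keyspace took ref_hours, the same
    key-testing rate needs 2**(target_bits - ref_bits) times as long
    (assumption: per-key cost is the same for every size)."""
    return ref_hours * 2.0 ** (target_bits - ref_bits)

def search_time_table(ref_bits: int, ref_hours: float, sizes=(40, 56, 128)) -> dict:
    """Map key size -> (hours, years) for a full search at the reference rate."""
    out = {}
    for bits in sizes:
        hours = scale_search_time(ref_bits, ref_hours, bits)
        out[bits] = (hours, hours / HOURS_PER_YEAR)
    return out

if __name__ == "__main__":
    key40 = bytes.fromhex("0123456789")   # constructed 5-byte key, not a PPTP session key
    msg = b"remote-access traffic"        # constructed sample
    ct = rc4_crypt(key40, msg)
    assert rc4_crypt(key40, ct) == msg
    print("a 40-bit key has", 2 ** (8 * len(key40)), "possible values")
    # Reference point from the reply above: a 40-bit search finished in 3.5 hours.
    for bits, (hours, years) in search_time_table(40, 3.5).items():
        print(f"{bits:3d}-bit key: {hours:.3g} hours = {years:.3g} years")
```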


I have spent weeks trying to implement a PPTP connection using the step-by-step instructions covered in this article.
There are two crucial steps that must be followed in order to successfully create a PPTP connection:
1. Remote Access Server and Remote Access Connection Manager services must be started and set to Automatic startup.
2. The latest service pack used on your system must be applied after you set up PPTP.

If you skip these two steps PPTP won't work. Trust me, I spent hours scratching my head with this one.

Ronnie Saada March 01, 2000


I am a relative newcomer to this field, and I have found coverage of the subject to be pretty dismal (including the coverage in Microsoft's own MCSE books). This article instantly made PPTP clear to me.

Marvin Freedland July 23, 2000



Windows IT Pro is a Division of Penton Media Inc.
© 2009 Penton Media, Inc.