A poor person's firewall

One of Windows NT 4.0's few all-new features is the Point-to-Point Tunneling Protocol (PPTP). It has puzzled me a bit since it first appeared in NT 4.0 beta 2, because Microsoft didn't document it. The puzzle's now solved, at least for me. But many people write me about it, so I'm taking a short detour from my name resolution series to talk about PPTP and accessing your company's intranet from the Internet.

Not a Connectivity Tool
The first misconception people have about PPTP is that it's somehow a connectivity tool. It is not; it's a security tool, plain and simple. An example will help me explain that statement. Suppose your company has an IP-based network on the Internet. The company's on the East Coast, you're temporarily in a hotel or at a client site on the West Coast, and NT Workstation 4.0 is on your laptop. How can you connect to your firm's intranet from across the country?

I've heard several Microsoft people paint this very picture, ask this very question, and say, "The answer is PPTP." Because that reply is not entirely right, I want to focus on some methods that could solve the problem.

The first of several solutions, the simplest approach, is the one that's been possible since NT 3.1: Set up a Remote Access Service (RAS) server on the East Coast, put a modem on it, attach a modem to your laptop, and dial in to the company. This approach is not bad, but it does mean that you'll have to deal with all the standard pain and suffering of getting a modem on a laptop in a hotel room to successfully dial long distance. This trick's not impossible, but it ain't fun either. Further, you'll have to set up modems and phone lines on the receiving end. On the plus side, the software setup is easy, and you can dial in whether you're a DOS, Windows for Workgroups, Windows 95, or NT client. Using RAS to dial in to your firm is a perfectly good idea, but some companies don't have any dial-in RAS servers because of concern that you can't properly secure them.

Another approach is a bit sneakier: Get on the Internet, point your Windows Internet Name Service (WINS) server to the WINS server at the office, and voila! If your company doesn't have a firewall or some other filtering device between your company's LAN and the Internet, you'll be able to log on to your NT-based network right over the Internet.

But if your company is on the Internet, you've got another way into your network. You're probably a member of some national Internet Service Provider (ISP) such as America Online (AOL) or CompuServe, and it probably has a local access number. This access provider lets you dial out to the Internet without a lot of complex dialing and without breaking the bank--and from the Internet, you may be able to get to your firm's network.

Set up the Dial-Up Networking script so that you use the TCP/IP protocol to dial in to the ISP. In the Dial-Up Networking phone book entry, click Server and make sure TCP/IP is the only protocol checked under network protocols. Next to TCP/IP is a button, TCP/IP settings.... Click it, and then click Specify name server settings. I don't much care what you do with the Domain Name System (DNS) server value, but be sure to fill in the Primary WINS Server entry with the IP address of your company's main WINS server. Then dial up your ISP to get to the Internet.

Once you connect to the Internet, try opening the Network Neighborhood folder. You will probably see the flashlight wave around for a while, and after a few minutes, you'll probably get the list of servers in your workgroup. Although you're thousands of miles away from your firm's network, you're using its WINS server, so your system will act just as if you were hooked up to the company LAN, except, of course, for the speed. But wait--what about NT security?

What About Security?
When you log on to your NT laptop, you must punch in a username and password. Assume that you enter the same username and password as you do on the network in the office. Now suppose your workstation tries to ask the NT network back home some kind of privileged question, such as "What shares are on server XYZ?" The server will ask your workstation for credentials. Your workstation says something like, "Well, Joe with password SWORDFISH is sitting on me." If your domain account name is Joe and your password is SWORDFISH, you'll be invisibly logged on to the domain. If not, NT will pop up a box that says something like, "Incorrect password for user Joe."

In some cases, NT will ask just for a password, and in other cases, it'll ask for a username and password. Be sure to enter the username in the form <domainname>\<username> (for example, SALES\Patricia), so that the network knows which domain to search for your account. After one successful security challenge, the network will treat you like a local user, except, of course, for the speed.

But most firms won't let just anyone connect to the corporate network over the Internet. Instead, companies use some security device between the Internet and their intranet. PPTP is such a device.

Wrapping Paper
PPTP is a relatively new Internet protocol. The idea is simple: Just as Point-to-Point Protocol (PPP), the common dial-up Internet protocol, acts as a kind of wrapping paper for delivering protocol blocks of all kinds, PPTP acts as a kind of wrapping paper for PPP.

Put simply, you want your laptop in San Francisco to be able to deliver some file server-oriented requests ("Please log me on," "Please print this on the print servers," "Please get me this data from the file servers") straight to your company's servers. Once you're on the company network, a security manager has a hard time monitoring and controlling what you're doing. Worse yet, if you're directly connected and logged on to an NT network, the security manager has no way to disconnect you, short of finding your network cable and unplugging it. In contrast, denying dial-in users access to the network has always been simple--just go to RAS Administrator and disconnect them. The ability to just as easily disconnect people who attach to your company network through the Internet is appealing--and PPTP gives it to you.

With PPTP, your PC sends its PPP packets to a RAS server. The RAS server then unpacks these packets and puts them on the company network, so you can use the company's servers. But any time an administrator wants to cut you off from the network, that person only needs to run RAS Administrator and disconnect you; it's as simple as that. Of course, for maximum protection, a company has to set up the RAS PPTP server so that it is the gateway to the Internet--a PC with a WAN link to the Internet and a LAN link to the company LAN.
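To make the "wrapping paper" concrete, here is an added example (not code from this article, from Microsoft, or from any RAS component) that builds and parses a PPTP data packet in the form RFC 2637, the later published specification of the protocol described here, lays it out: a PPP packet inside an enhanced GRE header. The call ID, sequence numbers and the two-byte IP fragment are constructed sample values; the field layout and constants (GRE protocol type 0x880B, GRE version 1 with the K and S bits, PPP protocol 0x0021 for an IP datagram) are the standard ones. The outer IP header, which would carry protocol number 47, is left out.

```python
"""A PPTP data packet: a PPP packet wrapped in an enhanced GRE header.

Added example, not from the original article. It shows what the tunnel
looks like on the wire, which is what a packet filter in front of the RAS
server sees on IP protocol 47 (GRE).
"""
import struct

GRE_PROTO_PPP = 0x880B   # enhanced GRE protocol type for tunnelled PPP
PPP_PROTO_IP = 0x0021    # PPP protocol field: an IPv4 datagram follows
FLAG_K = 0x2000          # Key field present (payload length + call ID)
FLAG_S = 0x1000          # Sequence number present
FLAG_A = 0x0080          # Acknowledgment number present
VERSION = 0x0001         # GRE version 1, the "enhanced GRE" PPTP uses


def build_ppp_packet(protocol, information):
    """A PPP packet as PPTP carries it: 2-byte protocol field followed by
    the information field. The HDLC flag, address/control and FCS bytes of
    a dial-up link are not present inside the tunnel."""
    return struct.pack("!H", protocol) + information


def build_pptp_data_packet(call_id, seq, ppp_packet, ack=None):
    """Wrap one PPP packet in an enhanced GRE header.

    call_id identifies the session negotiated on the TCP 1723 control
    connection; seq numbers the packets in this direction; ack, if given,
    piggybacks the highest sequence number received the other way.
    """
    flags = FLAG_K | FLAG_S | VERSION
    if ack is not None:
        flags |= FLAG_A
    # Key field: high 16 bits = payload length, low 16 bits = call ID.
    header = struct.pack("!HHHHI", flags, GRE_PROTO_PPP,
                         len(ppp_packet), call_id, seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_packet


def parse_pptp_data_packet(data):
    """Unwrap a GRE packet and return the PPP packet plus tunnel bookkeeping.
    Anything that is not enhanced GRE carrying PPP is rejected."""
    if len(data) < 8:
        raise ValueError("too short for a GRE header")
    flags, proto, length, call_id = struct.unpack_from("!HHHH", data, 0)
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != VERSION \
            or not (flags & FLAG_K):
        raise ValueError("not an enhanced-GRE/PPTP data packet")
    offset = 8
    seq = ack = None
    if flags & FLAG_S:
        if len(data) < offset + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack_from("!I", data, offset)
        offset += 4
    if flags & FLAG_A:
        if len(data) < offset + 4:
            raise ValueError("truncated acknowledgment number")
        (ack,) = struct.unpack_from("!I", data, offset)
        offset += 4
    payload = data[offset:offset + length]
    if len(payload) != length:
        raise ValueError("payload length field does not match the packet")
    # An ack-only packet carries no PPP packet at all (length 0).
    ppp_protocol = struct.unpack_from("!H", payload, 0)[0] if length >= 2 else None
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_protocol": ppp_protocol, "information": payload[2:]}


if __name__ == "__main__":
    # Constructed sample: call ID 7, first packet, start of an IPv4 header.
    ppp = build_ppp_packet(PPP_PROTO_IP, bytes.fromhex("4500"))
    wire = build_pptp_data_packet(call_id=7, seq=0, ppp_packet=ppp)
    print(wire.hex())
    print(parse_pptp_data_packet(wire))
```

Note that nothing in this data path authenticates or encrypts by itself: the logon happens in PPP's own negotiation over the tunnel, and any encryption is a PPP feature too, which is why the RAS server that unwraps these packets is the natural place to enforce who gets onto the LAN.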

Getting onto a network via PPTP involves three steps. First, back at the office, you must have an NT machine running the RAS server with PPTP enabled. That machine validates PPTP logons, so it can even act as a kind of firewall if it stands between the Internet and the company's intranet.
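The WINS trick described earlier works only when nothing between the company LAN and the Internet filters NetBIOS traffic, and the PPTP arrangement works only when the gateway stays reachable for PPTP. Here is an added example, not code from this article or from Microsoft, that expresses both pictures as packet-filter rule sets and audits them. The addresses (from the 203.0.113.0/24 documentation range), the rule syntax and the helper names are constructed for the example; the service numbers are the standard ones: NetBIOS name, datagram and session services on UDP 137, UDP 138 and TCP 139, the PPTP control connection on TCP 1723, and the tunnelled PPP data carried in GRE, IP protocol 47.

```python
"""Audit a packet-filter policy for the two pictures the article paints.

Added example, not from the original article. Rules are evaluated as an
Internet-facing filter would see inbound traffic: first match wins, and
anything unmatched is denied.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "action proto dst port")   # port None = any port

# Constructed addresses (TEST-NET-3 documentation range) and services.
CORP_LAN = ip_network("203.0.113.0/24")
PPTP_GATEWAY = ip_network("203.0.113.1/32")   # the RAS server with PPTP
FILE_SERVER = "203.0.113.20"
NETBIOS_SERVICES = (("udp", 137), ("udp", 138), ("tcp", 139))

# Picture 1: no filtering device at all, so pointing a laptop at the
# company WINS server from anywhere on the Internet just works.
UNFILTERED = [Rule("allow", "any", ip_network("0.0.0.0/0"), None)]

# Picture 2: only the PPTP gateway is reachable from the Internet, and only
# for PPTP (control connection on TCP 1723, tunnelled PPP inside GRE).
PPTP_ONLY = [
    Rule("allow", "tcp", PPTP_GATEWAY, 1723),
    Rule("allow", "gre", PPTP_GATEWAY, None),
]


def decide(rules, proto, dst, port=None):
    """Return "allow" or "deny" for one inbound flow (default deny)."""
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if ip_address(dst) not in rule.dst:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action
    return "deny"


def netbios_exposed(rules, lan=CORP_LAN):
    """True if any LAN host can be reached on any NetBIOS service from the
    Internet, i.e. the WINS/Network Neighborhood trick would work."""
    return any(decide(rules, proto, str(host), port) == "allow"
               for host in lan.hosts()
               for proto, port in NETBIOS_SERVICES)


def pptp_reachable(rules, gateway=PPTP_GATEWAY):
    """True if a remote client can open the control connection and send GRE
    to the gateway, i.e. PPTP logons are still possible."""
    addr = str(gateway.network_address)
    return (decide(rules, "tcp", addr, 1723) == "allow"
            and decide(rules, "gre", addr) == "allow")


if __name__ == "__main__":
    for name, rules in (("unfiltered", UNFILTERED), ("pptp-only", PPTP_ONLY)):
        print(name, "netbios exposed:", netbios_exposed(rules),
              "pptp reachable:", pptp_reachable(rules))
```

The PPTP_ONLY rule set is what "set up the RAS PPTP server so that it is the gateway" amounts to for a packet filter: the only service the Internet can reach is PPTP on the gateway, so every remote logon still passes through RAS and can be cut off from RAS Administrator.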

Next, on the client side, you first have to install PPTP. You install it in Control Panel in the Networking applet under Protocols. Then you must get onto the Internet. You either physically connect to a network on the Internet or use RAS to dial in to an ISP. If you're dialing in to an ISP, you will, of course, tell RAS to dial with your modem. Remember that point: In a minute, it'll be important.

Then, once your IP stack is running, open RAS and create a phone book entry. This new entry will not dial out on the modem. Instead, it'll dial out on a device called VPNPPTP1, a sort of logical modem that activates PPTP and establishes a connection with the RAS server running PPTP. You tell your computer to use the phone number field in the phone book entry to find that RAS server. Don't enter a phone number there; enter the RAS server's DNS name or IP address.

That entry was the part that threw me, so let me review what you have to do to use PPTP to connect to a network from afar. Unless you have a LAN connection, you'll run Dial-Up Networking twice: first to dial up the ISP, and second to establish the PPTP connection. For that first dialup, you'll use the modem device and specify the phone number of the ISP. The second time you run Dial-Up Networking, you'll specify the VPNPPTP1 device--instead of the phone number--and use the IP address or DNS name of the RAS server you want to connect to.

Poor Person's Firewall
At first glance, PPTP looks like an interesting idea, kind of a poor person's firewall (and as an extra advantage, PPTP lets you entirely encrypt the communication, solving the problem of Internet security). Between PPTP and the Microsoft Proxy Server, Microsoft is apparently thinking seriously about the problems of security and Internetting. Stay tuned, and I'll tell you more as I find it out!