PPTP and Win2K

How to set up PPTP and other network connections

Point-to-Point Tunneling Protocol (PPTP) isn't new. However, its use is becoming more widespread as more companies use PPTP to connect remote users to their Windows NT systems over the Internet. Some NT administrators are even using PPTP to connect remote offices in which the cost of installing a leased line outweighs the benefits.

PPTP will be standard in Windows 2000 (Win2K--­ formerly NT 5.0). Perhaps because of PPTP's increasing popularity, Microsoft keeps changing Win2K's GUI for making network connections. Microsoft is attempting to simplify network interfaces' setup for desktop users. To find out whether Microsoft's attempts are working, I used the new network connection interfaces in NT 5.0 Beta 2 to implement a simple PPTP tunnel. Before I describe how to set up an interface, I discuss some of the changes Microsoft made to the GUI. (This article assumes you're knowledgeable about PPTP. If you aren't, check out the resources listed in the sidebar "Related Articles in Windows NT Magazine," page 115.)

What Has Changed
Beta 2 has several significant changes. One immediately noticeable change is that, under Control Panel, Microsoft replaced the Network applet with the Network Connections folder. As with the Network applet, you can access the Control Panel's Network Connections folder from My Computer on the desktop or from the Settings menu under Start. In addition, you can access individual connections within that folder directly from the top of the Start menu in the same location where Windows Update now appears in Windows 98.

Not all of the Network applet's contents went into the Network Connections folder. The Network applet's Identification, Services, Protocols, Adapters, and Bindings tabs ended up in several areas in Beta 2.

Identification tab. The Computer Name text box and Domain text box under the Identification tab are now in the new Network ID tab in the System folder. Although the location changed, the format is the same.

Services tab. The Services tab that you used to install NT networking services is now under the new Add/Remove Programs folder. To add a networking service, click Components under the Configure Windows heading of the Add/Remove Programs folder. This action opens a window showing the components that NT installed during setup. From this window, click Networking Options to display the subcomponents.

Protocols tab. The Protocols tab is now in the Network Connections folder. Although the location changed, the format is the same.

Adapters tab. The Adapters tab is now part of Win2K's Device Manager, a Microsoft Management Console (MMC) snap-in. As a result of this new location, you can look at the properties and resources of any hardware component in your system. The Device Manager snap-in is part of the Computer Management MMC, which Win2K Server (formerly NT Server 5.0) and Win2K Professional (Pro--­formerly NT Workstation 5.0) install by default. The Device Manager is a welcome addition to Win2K because you can now easily examine your system's hardware, just as you've been able to do for years on Win95.

Bindings tab. The Bindings tab is now in the Network Connections folder. Although the location changed, the format is the same.

Besides the Bindings and Protocols tabs, the new Network Connections folder includes, by default, the Make New Connection icon. If you have a configured Ethernet card in your network, Network Connections will also contain the Local Area Connection icon. As Screen 1 shows, if you highlight the Local Area Connection icon, Win2K displays summary information on the left. If you don't have a network card or modem, Win2K still installs the folder to which you can later add connections. If you want to test a system that doesn't have a network card, use the loopback adapter as an installed device to test the Local Area Connection.

Screen 1 displays the Connections menu in Network Connections. This menu's items include Network Identification, Advanced Settings, and Remote Access. The Network Identification item opens the Network ID tab in the System folder. (Clicking Network Identification under the summary information for the Local Area Connection achieves the same end.) If you click Advanced Settings, you can review information on each adapter, turn bindings on and off using check boxes, and specify the order of the Internet Service Providers (ISPs) that the computer uses to accesses information on the Internet. If you click Remote Access, you get a Dial-up Preferences window. As Screen 2 shows, this window has three tabs: Connections, Autodial, and Callback. You can use these tabs to limit nonprivileged users' access to connections.

As Screen 2 shows, Win2K lets you easily enable and configure or disable network connections. This new setup means you might have several connections in the Network Connections folder, each with a unique set of properties. The folder might contain a Local Area Connection icon for your network adapter, a Dial-up Connection icon for your primary organization, a Dial-up Connection icon for your ISP, and a PPTP Connection icon for a remote organization.

Microsoft put a lot of thought into this new interface, and it has ultimately paid off by being easy to use. Now I'll explain how to set up a PPTP connection from a Win2K workstation to a Win2K domain controller.

Establishing a PPTP Connection from the Client
Client connections are easy to set up in Beta 2. Establishing a PPTP connection from a Win2K workstation to a remote Win2K domain controller is a two-stage process. In stage 1, you create a connection to the dial-up ISP account you will use. In stage 2, you create a connection to the remote network via PPTP.

Stage 1. Creating a connection to the dial-up ISP account is simple because you just select which options you want. To begin, open Control Panel, Network Connections, Make New Connection to launch the Network Connection Wizard. The wizard prompts you to select an option, as Screen 3 shows, after which you click Next to go to the next screen. To proceed, follow these steps:

  1. Choose Dial-up to private network, and click Next.

  2. Specify the full telephone number of the ISP you want to dial. Click Next.

  3. Specify whether the connection is for all users or just your account. Click Next.

  4. Specify whether you want to share the dial-up connection with others on the network. If you share the dial-up connection, specify whether the modem will dial remote sites automatically when it receives requests for resources from those sites. Click Next.

  5. Specify a name for the new network connection icon (e.g., ISP Connection). Click Finish.

Win2K now adds a new ISP Connection icon to the Network Connections folder. This icon is unavailable until you establish the connection.

Stage 1 is easy because you don't need to specify which modem to use, which protocol to use, whether to redial, or any other relevant but tedious details. The Network Connection Wizard chooses the defaults for you based on your selection in Screen 3. To display the defaults that the wizard selects, right-click the ISP Connection icon and choose Properties. The properties displayed include the modem, type of dial-up server, and network components bound to the connection.

Stage 2. Creating a connection to the remote network via PPTP is simple. You use the Network Connection Wizard to select which options you want. Open Make New Connection to launch the wizard, and follow these steps:

  1. Select Virtual private network (VPN), which is the second option listed in Screen 3. Click Next.

  2. Specify the connection you want the computer to autodial first. The wizard provides a list of connections, with the previously created ISP Connection highlighted. Leaving the default ISP Connection highlighted, click Next.

  3. Specify the destination name or IP address of the Win2K server running Remote Access Service (RAS). Click Next.

  4. Specify whether the connection is for all users or just your account. Click Next.

  5. Specify whether you want to share the dial-up connection with others on the network, and enter a name for the new network connection icon. The default name is Virtual Private Connection. Click Finish.

Win2K now adds a new Virtual Private Connection icon to the Network Connections folder. The icon will be unavailable.

At this point, you've gone as far as you can in setting up the client. Now you need to set up the server.

Setting Up the Server to Accept Incoming Virtual Connections
The third option in Screen 3 is Accept incoming connections. Thus, you might think you can use the same Network Connection Wizard to set up incoming Internet connections on the Win2K server. You are partially correct. If you're on a Beta 2 workstation or server in a workgroup, you can use the wizard to set up incoming connections. The process is similar to the two-stage process you use to set up the ISP Connection and Virtual Private Connection icons. But if you're on a Beta 2 domain controller or server in a domain, you can't use the wizard. If you open Make New Connection, select Accept incoming connections, and click Next, you get a message that says Because this Windows NT 5.0 Server belongs to or controls a domain, you must use the RRAS to configure this machine to accept incoming connections. Cancel the wizard and switch to this console? If you click No, Win2K sends you to Screen 3. If you click Yes, Win2K starts the RRAS console and cancels the wizard. Alternatively, you can open the RRAS Manager instead of using the Network Connections window.

Microsoft introduced the different approaches for different machines in Beta 2. In builds between Beta 1 and Beta 2, you used the Network Connection Wizard to set up an Incoming Connections icon for all types of Win2K machines.

Win2K's RRAS Manager looks similar to the one in NT 4.0--­although when you open the Win2K version, you might be surprised to see that Win2K has already configured the incoming connections for you. Win2K typically installs RRAS with a default configuration when you set up the domain controller for the first time. However, you should reinstall RRAS because the existing default installation isn't customized to your environment. If you reinstall RRAS, Win2K prompts you for relevant configuration settings, which you can set to meet your needs.

To properly install the service, select the host server from the RRAS list. Right-click and then select Install RRAS. A wizard will ask whether you want Routing only, RAS only, or both Routing and RAS. After you select the option you want and exit the wizard, the service reinstalls and reinitializes the configuration. This procedure also works if Win2K did not install RRAS for you by default.

You can use the RRAS Manager to change and manage the incoming connections. If you select Properties for Ports, you can configure PPTP, Layer 2 Tunneling Protocol (L2TP), and incoming RAS connections for each modem attached to your server. In the Ports Properties window in Screen 4, you can see that I didn't configure one modem for routing or dial-in services, but I configured both the PPTP and L2TP modems to allow a default of five incoming connections each.

Although the configurations for the RRAS connections might seem correct, you need to check the actual service configuration by right-clicking the server in RRAS Manager and selecting Properties. As Screen 5 shows, a five-tabbed window displaying the various RRAS properties for the selected server appears. From here, you can enable and disable the current services, specify the type of authentication you want to use, set TCP/IP and Point-to-Point Protocol (PPP) properties, and manage RAS logging.

Of the five tabs, the most interesting ones are Security and TCP/IP. Screen 5 shows the Security tab, which provides many authentication options. (Some controversy exists about PPTP's security. For more information, see the sidebar "How Safe Is PPTP?" page 113.) Screen 6 shows the TCP/IP tab. This screen will worry many network administrators. Microsoft asks you for a start address and subnet mask rather than a start and end address range. This setup means you must determine the correct subnet mask to provide the exact address range you are looking for. In addition, Beta 2 has a bug in the algorithm that sometimes causes the incorrect calculation of the address ranges and the total number of addresses. Presuming that Microsoft fixes this bug in future releases, Screen 6 shows the windows in which you'll allocate the pool of addresses that your incoming connections will require over PPTP if you use Dynamic Host Configuration Protocol (DHCP). By the way, don't copy the IP addresses from Screen 6; they're only meant as an example.

Logging on to the Client via PPTP
You can log on to the client two ways. In the first method, you log on to the workstation as usual and establish an ISP connection first and then a PPTP connection to the remote network. You can then check the IP network connections by typing

ipconfig /all

in a command prompt window.

In the second method, you log on to a domain via the modem. Specifically, you place the workstation in an NT domain. When you log on, you select Logon using dial-up connection in the Logon dialog box. After you click OK, dial-up networking prompt appears with the relevant connection in the dial-up box. You then click Dial, and the process completes.

A Definite Improvement
Overall, Microsoft has made network connections of all types easier to set up and manage in Beta 2. With my range of DHCP addresses in hand, I was able to set up incoming PPTP connections in less than a minute. Setting up my client connections took a similar amount of time. Microsoft's new approach to network connections makes sense and will likely make significant inroads into making Win2K an easier network operating system (NOS) to manage.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.