December 01, 1996 12:00 AM

Deciphering PPTP

Windows IT Pro
InstantDoc ID #2848
A poor person's firewall

One of Windows NT 4.0's few all-new features is the Point-to-Point Tunneling Protocol (PPTP). It has puzzled me a bit since it first appeared in NT 4.0 beta 2, because Microsoft didn't document it. The puzzle's now solved, at least for me. But many people write me about it, so I'm taking a short detour from my name resolution series to talk about PPTP and accessing your company's intranet from the Internet.

Not a Connectivity Tool
The first misconception people have about PPTP is that it's somehow a connectivity tool. It is not; it's a security tool, plain and simple. An example will help me explain that statement. Suppose your company has an IP-based network on the Internet. The company's on the East Coast, you're temporarily in a hotel or at a client site on the West Coast, and NT Workstation 4.0 is on your laptop. How can you connect to your firm's intranet from across the country?

I've heard several Microsoft people paint this very picture, ask this very question, and say, "The answer is PPTP." Because that reply is not entirely right, I want to focus on some methods that could solve the problem.

The first of several solutions, the simplest approach, is the one that's been possible since NT 3.1: Set up a Remote Access Service (RAS) server on the East Coast, put a modem on it, attach a modem to your laptop, and dial in to the company. This approach is not bad, but it does mean that you'll have to deal with all the standard pain and suffering of getting a modem on a laptop in a hotel room to successfully dial long distance. This trick's not impossible, but it ain't fun either. Further, you'll have to set up modems and phone lines on the receiving end. On the plus side, the software setup is easy, and you can dial in whether you're a DOS, Windows for Workgroups, Windows 95, or NT client. Using RAS to dial in to your firm is a perfectly good idea, but some companies don't have any dial-in RAS servers because of concern that you can't properly secure them.

Another approach is a bit sneakier: Get on the Internet, point your Windows Internet Name Service (WINS) server to the WINS server at the office, and voila! If your company doesn't have a firewall or some other filtering device between your company's LAN and the Internet, you'll be able to log on to your NT-based network right over the Internet.

But if your company is on the Internet, you've got another way into your network. You're probably a member of some national Internet Service Provider (ISP) such as America Online (AOL) or CompuServe, and it probably has a local access number. This access provider lets you dial out to the Internet without a lot of complex dialing and without breaking the bank--and from the Internet, you may be able to get to your firm's network.

Set up the Dial-Up Networking script so that you use the TCP/IP protocol to dial in to the ISP. In the Dial-Up Networking phone book, click Server and make sure that only TCP/IP is checked under network protocols. Next to TCP/IP is a button, TCP/IP settings.... Click it, and then click Specify name server settings. I don't much care what you do with the Domain Name System (DNS) server value, but be sure to fill in the Primary WINS Server entry with the IP address of your company's main WINS server. Then dial up your ISP to get to the Internet.

Once you connect to the Internet, try opening the Network Neighborhood folder. You will probably see the flashlight wave around awhile, and after a few minutes, you'll probably get the list of servers in your workgroup. Although you're thousands of miles away from your firm's network, you're using its WINS server, so your system will act just as if you were hooked up to the company LAN, except of course, for the speed. But wait--what about NT security?
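The trick above only works when nothing at the border filters NetBIOS and WINS traffic, and that same opening is what an administrator should be watching for. The following is an added example, not code from the original article or from Microsoft: it scans a constructed border-firewall log for accepted NetBIOS/WINS flows that cross from the Internet into the LAN. The log format and the corporate address range are assumptions; the port numbers are the standard NetBIOS-over-TCP/IP and WINS assignments, which the article itself does not list.

```python
"""Added example, not from the original article: flag border-firewall log lines
that show NetBIOS/WINS traffic from the Internet reaching the LAN, which is the
precondition for the over-the-Internet logon the article describes.
The log format and the corporate address range below are constructed."""
import ipaddress
import re

# Ports NetBIOS over TCP/IP and WINS use (not stated in the article; standard
# assignments: 137 name service, 138 datagram, 139 session, 42 WINS replication).
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 42)}
CORPORATE_NET = ipaddress.ip_network("10.1.0.0/16")  # constructed range

# Constructed log line shape: "<time> ACCEPT|DROP <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def exposed_netbios_flows(log_lines):
    """Return (timestamp, src, dport) for accepted NetBIOS/WINS flows whose
    source is outside the corporate range and destination is inside it."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        key = (m["proto"], int(m["dport"]))
        if key in NETBIOS_PORTS and src not in CORPORATE_NET and dst in CORPORATE_NET:
            hits.append((m["ts"], str(src), int(m["dport"])))
    return hits

# Constructed sample: a roaming laptop on an ISP address resolving names at the
# office WINS server, then opening a session to a file server; plus benign noise.
SAMPLE_LOG = [
    "12:00:01 ACCEPT udp 203.0.113.7:1025 -> 10.1.0.5:137",
    "12:00:02 ACCEPT tcp 203.0.113.7:1026 -> 10.1.0.20:139",
    "12:00:03 ACCEPT tcp 203.0.113.7:1027 -> 10.1.0.30:80",
    "12:00:04 DROP udp 198.51.100.9:5000 -> 10.1.0.5:137",
    "12:00:05 ACCEPT udp 10.1.2.2:137 -> 10.1.0.5:137",
]

if __name__ == "__main__":
    for ts, src, port in exposed_netbios_flows(SAMPLE_LOG):
        print(f"{ts} NetBIOS/WINS port {port} reachable from Internet host {src}")
```

Only the two accepted flows from the ISP address to ports 137 and 139 are reported; the dropped probe, the web session and the internal WINS query are ignored.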

What About Security?
When you log on to your NT laptop, you must punch in a username and password. Assume that you enter the same username and password as you do on the network in the office. Now suppose your workstation tries to ask the NT network back home some kind of privileged question, such as "What shares are on server XYZ?" The server will ask your workstation for credentials. Your workstation says something like, "Well, Joe with password SWORDFISH is sitting on me." If your domain account name is Joe and your password is SWORDFISH, you'll be invisibly logged on to the domain. If not, NT will pop up a box that says something like, "Incorrect password for user Joe."

In some cases, NT will ask just for a password, and in other cases, it'll ask for a username and password. Be sure to enter the username in the form <domainname>\<username> (for example, SALES\Patricia), so that the network knows which domain to search for your account. After one successful security challenge, the network will treat you like a local user, except of course, for the speed.

But most firms won't let just anyone connect to the corporate network over the Internet. Instead, companies use some security device between the Internet and their intranet. PPTP is such a device.
