Microsoft Virtual Private Networks have been designed to make their implementation easy for network administrators. Benefits of using a VPN include the following:
All of this combines to make Microsoft VPN the economical, easy-to-implement, and secure way to use the vast Internet infrastructure in creating your own virtual private networks.
Once PPTP is installed on the Microsoft Windows NT Server-end, tunneling access is achieved either through a PPTP-enabled client, or through a PPTP-enabled Internet service provider (ISP) point-of-presence (POP) server.
This flexibility means that a person with a PPTP-enabled laptop or home computer can make a secure tunneled connection to their company's NT Server network, even when using an ISP that is not PPTP enabled.
Similarly, a user without a PPTP-enabled computer can make a secure tunneled connection if their ISP has upgraded its network to support PPTP on its servers.
This gives ISPs the ability to provide value-added services to users who want to take advantage of PPTP communication, but haven't installed it on their own computers.
PPTP can also be used by a remote client over a non-telephone connection, such as an Ethernet card connected to a frame relay service with a direct connection into an Internet carrier. As long as both the remote client PC and the server are upgraded to support PPTP, the user can benefit from secure PPTP connections.
Internet Service Providers can provide their customers full multiprotocol VPN capability with an easy software upgrade for their existing remote access servers. Ascend, 3Com, ECI Telematics, and US Robotics are including PPTP support in their existing products as a software upgrade.
Again, end users can install PPTP on their PCs and use essentially any Internet Service Provider. A software upgrade to the client PC and organization's server will enable the secure tunnel through any Internet POP, even if the ISP has not upgraded its infrastructure to support PPTP.
VPN supports all major network protocols, including TCP/IP, IPX/SPX, and NetBEUI. Multiprotocol VPN enables remote users to access heterogeneous networks across the Internet.
Microsoft VPN allows a user to dial in with an analog modem, an ISDN connection, an X.25 device, or other connection, through a POP, which would ideally be local to avoid long distance telephone charges. VPN can go through any type of network, including Windows NT Remote Access Server, IPX-based Novell, and NetBEUI environments. Because VPN supports multiprotocols, users can retain the benefits of PPTP when on different networks.
VPN requires no change to existing network addressing schemes. This is helpful to companies deploying internal networks with an arbitrary device-numbering scheme that doesn't conform to the standard Internet Assigned Numbers Authority (IANA) approach. Once a user registers their domain name, the DNS can resolve the common name used in the address.
This ability to handle nonconforming addresses can be a huge benefit for LAN administrators, saving them from having to re-address each device on their network just to enable remote access. Because PPTP uses encapsulation, which hides nonstandard addresses, VPNs allow companies to use non-standard IP and IPX addresses.
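The encapsulation described above, as an added example that is not part of the Microsoft paper: an inner IP packet between two unregistered internal addresses is wrapped in a PPP frame, an enhanced GRE header (IP protocol 47, the format PPTP uses) and an outer IPv4 header, so that routers between the two tunnel endpoints only ever see the outer, routable addresses. The addresses, call id, sequence number and payload are constructed, and the PPP frame is written with address/control field compression (an assumption) so that only the 2-byte PPP protocol field precedes the inner packet.

```python
"""Added example (not from the Microsoft paper): how PPTP-style encapsulation
hides an organization's internal, possibly non-IANA-conforming, addresses.

The outer IPv4 header carries only the two tunnel endpoints; the inner packet,
with its unregistered addresses, rides inside a GRE header (protocol 47) and a
PPP frame, so routers on the Internet never see the inner addresses.
All addresses, the call id and the payload below are constructed."""
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
PPP_PROTO_TYPE = 0x880B   # GRE protocol type for PPP payloads (RFC 2637)
PPP_IP = 0x0021           # PPP protocol number for IPv4
TCP_PROTO = 6


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, DF set, TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def enhanced_gre_header(call_id: int, payload_len: int, seq: int) -> bytes:
    """Enhanced GRE header as PPTP uses it: K and S bits set, version 1,
    key field = payload length + call id, followed by a sequence number."""
    flags = 0x2000 | 0x1000 | 0x0001   # K=1, S=1, Ver=1
    return struct.pack("!HHHHI", flags, PPP_PROTO_TYPE, payload_len, call_id, seq)


def encapsulate(tunnel_src: str, tunnel_dst: str, call_id: int, seq: int,
                inner_packet: bytes) -> bytes:
    """Wrap an inner IP packet: outer IPv4 / GRE / PPP(IP) / inner packet.
    The PPP frame uses address/control field compression (an assumption), so
    only the 2-byte PPP protocol field precedes the IP packet."""
    ppp = struct.pack("!H", PPP_IP) + inner_packet
    gre = enhanced_gre_header(call_id, len(ppp), seq)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(ppp))
    return outer + gre + ppp


def decapsulate(packet: bytes):
    """Strip the outer headers; return (call_id, seq, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype, plen, call_id = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if ptype != PPP_PROTO_TYPE or (flags & 0x7) != 1:
        raise ValueError("not PPTP enhanced GRE")
    off = ihl + 8
    seq = None
    if flags & 0x1000:                         # S bit: sequence number present
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & 0x0080:                         # A bit: ack number present
        off += 4
    ppp = packet[off:off + plen]
    if struct.unpack("!H", ppp[:2])[0] != PPP_IP:
        raise ValueError("PPP payload is not IPv4")
    return call_id, seq, ppp[2:]


def addresses(ip_packet: bytes):
    """(source, destination) of any IPv4 packet."""
    return socket.inet_ntoa(ip_packet[12:16]), socket.inet_ntoa(ip_packet[16:20])


# Constructed sample: an internal packet between two unregistered addresses ...
INNER = ipv4_header("10.77.0.5", "10.77.0.9", TCP_PROTO, 5) + b"hello"
# ... carried between two tunnel endpoints that are routable on the Internet.
TUNNELED = encapsulate("203.0.113.10", "198.51.100.20", call_id=7, seq=1,
                       inner_packet=INNER)

if __name__ == "__main__":
    print("on the wire:", addresses(TUNNELED))
    call_id, seq, inner = decapsulate(TUNNELED)
    print("inside tunnel:", addresses(inner), "call", call_id, "seq", seq)
```

Running the block prints the tunnel endpoints as the only addresses visible on the wire, then the internal addresses recovered after decapsulation. Note that encapsulation hides the inner addresses from routing, not from an observer: the inner packet is only confidential if the PPP payload is also encrypted.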
Microsoft VPN allows companies to leverage their existing communication links and services. Rather than add an entire bank of new modem gear or other equipment to allow remote access to their networks, a company can use their existing links to the Internet. By eliminating the need for custom hardware and software, Microsoft VPN also saves companies in staffing and training costs that are otherwise needed to support custom proprietary solutions.
Microsoft has included a new flow control protocol as part of PPTP. Flow control sits between the client and the server on the data path. Without flow control, a client can continue sending packets to an overloaded server that cannot handle them. Performance will be slowed as packets are sent several times before they pass through. Flow control allows the server to tell the client to stop, and to start again when resources are available. Flow control also reduces network congestion, by eliminating the need to re-send packets.
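A simulation of the effect described above, added here as an example and not taken from the Microsoft paper: a client pushing packets at a server whose input queue is bounded, once blindly (dropped packets have to be re-sent) and once with the server's stop/start signal respected. It is a simplified model, not PPTP's actual mechanism, which carries sequence and acknowledgement numbers in the enhanced GRE header and uses a sliding window; the packet counts, queue size and rates are constructed.

```python
"""Added example (not from the Microsoft paper): a simulation of why flow
control between a client and an overloaded server reduces retransmissions.

Simplified model, not PPTP's real mechanism (PPTP carries sequence and
acknowledgement numbers in its enhanced GRE header and uses a sliding
window); all the numbers below are constructed."""
from collections import deque


class Server:
    """Receiver with a bounded input queue that drains a fixed number of
    packets per tick; anything arriving when the queue is full is lost."""

    def __init__(self, capacity: int, drain_per_tick: int):
        self.capacity = capacity
        self.drain_per_tick = drain_per_tick
        self.queue = deque()
        self.delivered = []

    def has_room(self) -> bool:
        # This is the "start/stop" signal that flow control gives the client.
        return len(self.queue) < self.capacity

    def receive(self, pkt: int) -> bool:
        if not self.has_room():
            return False            # overloaded: packet dropped
        self.queue.append(pkt)
        return True

    def tick(self) -> None:
        for _ in range(min(self.drain_per_tick, len(self.queue))):
            self.delivered.append(self.queue.popleft())


def run_without_flow_control(n_packets, capacity, drain, send_rate):
    """Client blindly sends up to send_rate packets per tick and re-sends any
    that were dropped. Returns (total transmissions, ticks to deliver all)."""
    server = Server(capacity, drain)
    pending = list(range(n_packets))
    transmissions = ticks = 0
    while len(server.delivered) < n_packets:
        retry = []
        for pkt in pending[:send_rate]:
            transmissions += 1
            if not server.receive(pkt):
                retry.append(pkt)   # lost: must be sent again later
        pending = retry + pending[send_rate:]
        server.tick()
        ticks += 1
    return transmissions, ticks


def run_with_flow_control(n_packets, capacity, drain, send_rate):
    """Client sends only while the server signals that it has room, so no
    packet is ever dropped or re-sent. Returns (transmissions, ticks)."""
    server = Server(capacity, drain)
    pending = list(range(n_packets))
    transmissions = ticks = 0
    while len(server.delivered) < n_packets:
        sent = 0
        while pending and sent < send_rate and server.has_room():
            server.receive(pending.pop(0))
            transmissions += 1
            sent += 1
        server.tick()
        ticks += 1
    return transmissions, ticks


if __name__ == "__main__":
    # 20 packets, queue of 4, server drains 2 per tick, client offers 5 per tick
    args = (20, 4, 2, 5)
    print("without flow control (transmissions, ticks):", run_without_flow_control(*args))
    print("with flow control    (transmissions, ticks):", run_with_flow_control(*args))
```

With the constructed parameters the blind client transmits 41 packets to get 20 through, while the flow-controlled client transmits exactly 20; both finish in the same number of ticks because the server's drain rate, not the client, bounds throughput. The extra 21 transmissions are the congestion the paragraph refers to.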
Microsoft VPN is based upon PPTP, a protocol introduced by the PPTP Forum that is now an IETF Internet Draft Standard. PPTP is an extension of two important Internet foundations for routing and security: IP and PPP. PPTP enjoys broad and growing industry support, and has been embraced by leading remote access vendors, ISPs, and vendors of other related products.
Because PPTP is an open standard, it isn't specific to Windows-based systems and can be deployed throughout a heterogeneous environment. Any PPP client computer (including UNIX and Macintosh), server type, or other remote access system can make use of PPTP.
Microsoft has published sample source code to facilitate PPTP implementation on other platforms. You can download it from the Web at ftp://ftp.microsoft.com/developer/drg/pptp/src.
Microsoft VPN was shipped as part of Windows NT 4.0, and an upgrade will be supplied for Windows 95. Open APIs will be provided toward the end of 1996 so that other companies can create Windows 3.1 or other client implementations of PPTP. Third-party companies are also creating products that support PPTP for other operating systems.
Because it is based upon Windows NT Server, Microsoft VPN provides all of the benefits of Windows NT. Windows NT is open, reliable and robust; supports multithreading and multitasking; is secure and scalable; and is completely integrated with the Microsoft BackOffice™ family of server applications for the Internet and intranet. These attributes make Windows NT an excellent platform for value-added development of communications applications, such as routing and telephony, in addition to remote access.
Internet service providers can use Microsoft VPN to offer secure, tunneled connections for subscribers, allowing them to tap into their own virtual private networks. ISPs can use this important value-added feature to distinguish their services in an increasingly competitive market.
Microsoft's Multiprotocol VPN, enabled by the Point-to-Point Tunneling Protocol (PPTP), is the easiest way for businesses to securely and economically extend their private networks across the Internet to remote users. Ease of use has been built into VPN from its inception for both the server and client personal computer. For network administrators faced with rolling out new technologies, ease of use means rapid and effective adoption.
Setting up VPN on Windows NT Server 4.0 is easy. VPN can be considered just a special case or use of RAS, an important feature set already built into Windows NT. As a result, setting up a VPN using PPTP involves many of the same steps an IS administrator takes when setting up a server to accept dial-up networking connections via RAS.
After setting up the Wide Area Networking (WAN) card, the IS administrator then selects the protocol or protocols to be used with RAS—IP, IPX, and/or NetBEUI. PPTP is now another protocol that can be selected and installed in the same way these other protocols are enabled. IS administrators who are familiar with RAS set-up will find the few screens and dialog boxes used to set up and use PPTP quite similar.
The IS administrator can set up the server to accept only PPTP-based users as an added measure of security.
The IS administrator retains control of who gets access to the corporate network with Microsoft's VPN, even if the company has outsourced its VPN service to a third party. That's because user profiles are retained on the Windows NT Server so they can be quickly updated by the IS administrator to reflect employee changes, and so on.
As an added security measure when using VPN, the IS manager can have the server apply a filter that gives access to the corporate network only to PPTP-based users. This is shown in the preceding figure.
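A model of that filter, added here as an example rather than Microsoft's own implementation: on the Internet-facing adapter only two kinds of inbound traffic are passed, the PPTP control connection on TCP port 1723 and the enhanced GRE (version 1) packets carrying PPP data; everything else, including other GRE tunnels, is dropped before it can reach the corporate network. The filter decides on outer headers alone; it restricts which protocols may reach the server, while who may connect is still decided by the PPP authentication on the control connection against the user profiles held on the NT Server. The sample packets and endpoint addresses are constructed, with IP checksums left at zero because this filter does not verify them.

```python
"""Added example (not the paper's code): a model of the PPTP-only filter on
the Internet-facing adapter. It inspects only the outer headers and admits two
kinds of traffic, the TCP/1723 control connection and GRE-encapsulated PPP
data; everything else is dropped before it can reach the corporate network.
The sample packets are constructed, with IP checksums left at zero because
this filter does not verify them."""
import socket
import struct

TCP, UDP, GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723
PPP_OVER_GRE = 0x880B           # GRE protocol type PPTP uses for PPP frames


def ip_packet(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Bare 20-byte IPv4 header (checksum zero) followed by a transport header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def classify(packet: bytes) -> str:
    """Label an inbound packet by the only facts the PPTP filter cares about."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == TCP:
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if dport == PPTP_CONTROL_PORT:
            return "pptp-control"
    elif proto == GRE:
        flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
        # PPTP data is enhanced GRE (version 1) carrying PPP. Other GRE traffic,
        # such as version 0 GRE carrying raw IP, is not PPTP and is dropped.
        if (flags & 0x7) == 1 and ptype == PPP_OVER_GRE:
            return "pptp-data"
    return "other"


def pptp_only(packet: bytes) -> bool:
    """Filter decision: True passes the packet to the corporate network."""
    return classify(packet) != "other"


# Minimal transport headers for the constructed samples.
def tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)


def gre(flags: int, ptype: int) -> bytes:
    return struct.pack("!HH", flags, ptype)


CLIENT, SERVER = "203.0.113.10", "198.51.100.20"   # constructed endpoints
SAMPLES = {
    "pptp control, tcp/1723": ip_packet(CLIENT, SERVER, TCP, tcp_syn(40001, 1723)),
    "pptp data, gre v1 + ppp": ip_packet(CLIENT, SERVER, GRE, gre(0x3001, PPP_OVER_GRE)),
    "netbios session, tcp/139": ip_packet(CLIENT, SERVER, TCP, tcp_syn(40002, 139)),
    "dns, udp/53": ip_packet(CLIENT, SERVER, UDP, udp(40003, 53)),
    "plain gre v0 carrying ip": ip_packet(CLIENT, SERVER, GRE, gre(0x0000, 0x0800)),
}


def filter_report(samples=SAMPLES) -> dict:
    """Map each sample's label to the filter's pass/drop decision."""
    return {name: pptp_only(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, passed in filter_report().items():
        print(f"{'PASS' if passed else 'DROP'}  {name}")
```

The practical point is that both rules are needed: dropping GRE while allowing TCP/1723 lets clients negotiate a tunnel they can never send data through, and allowing GRE of any version or protocol type admits tunnels that are not PPTP at all.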
VPN set-up and use on the client is also easy. As noted, when PPTP support is provided by an ISP, no change in set-up is required to the client computer. In this situation, VPN support is transparent to the user, as shown in the following figure.
Establishing a VPN connection via an Internet Service Provider that supports PPTP is transparent to the client computer. The remote client computer's dial-up sequence looks like any other RAS dial-up sequence.
VPN service can also be enabled on the client computer, allowing the user to connect to the corporate network via any ISP—even those ISPs which do not provide PPTP support in their points of presence. In this case, the client computer must have the PPTP protocol installed, in much the same manner as on the server machine. Again, PPTP is treated just like IP, IPX or other selectable protocols.
Once PPTP is installed on the client computer, the user then creates a RAS Phone Book entry for the VPN connection. This entry looks like any other Phone Book entry with two exceptions: an IP address appears in place of a telephone number, and the Dial Using pull-down list includes a PPTP option. This VPN Phone Book entry is activated after the user has connected to the ISP, so it is a two-step process. To further simplify use, both the ISP connection and the VPN connection can be set up and activated from one easy auto-dial Phone Book entry.
Setting up a client computer to enable it to use VPN service is straightforward, as this screen indicates. PPTP has already been installed on this computer so that when a new RAS Phone Book entry is created, a PPTP option is available in the Dial Using pull-down list.
Once this Phone Book entry has been set up, the user can simply double-click on the Phone Book Entry icon to automatically dial into the PPTP-supported server via any ISP, as shown in the following figure.
Establishing a VPN connection from a PPTP-enabled client computer lets you use essentially any ISP to connect to the Internet and back to your corporate network.