One of the primary reasons to use the PPTP protocol to establish a VPN connection is its overall "start to finish" simplicity. PPTP connections are fairly straightforward to set up and provide a decent level of VPN security. PPTP security is user based, however, which means that if a user's credentials are compromised, unauthorized users could obtain access. The most secure VPN connections can be set up using the L2TP protocol, which uses a combination of user and computer authentication. L2TP is described in more detail later in this chapter.
Configuring an ISA VPN Connection to Use PPTP
The following process can be used to enable PPTP VPN support on the ISA VPN server.
Configuring a Windows XP Professional Client for PPTP Communication
There are two methods for creating VPN connections for clients. The first method is to use the Connection Manager Administration Kit (CMAK) to create a custom profile that can be automatically configured on client workstations. This technique is discussed in detail in later sections of this chapter. The second method is manual, and can be performed directly on a client workstation with the following procedure:
This procedure illustrates how to set up a manual connection on Windows XP Professional. Different operating systems such as Windows 2000 Professional use similar steps, with slight modifications to the process. For security reasons, however, it is recommended to set up client VPN access from Windows XP systems.
Testing the PPTP Connection
At this stage the client should be able to establish a VPN tunnel to the server. To test the connection, perform the following:
At this point, the client should make the connection to the ISA VPN server and establish communications with the internal network resources, as specified in the network rules. Note that the client needs to be outside the network to support this. Check the event logs on the IAS server and the ISA VPN server if the connection is not successful.
Recall that simply establishing a VPN connection to an ISA server does not automatically grant a client blanket access to the internal network. Firewall and network rules must first be established, as outlined in the previous sections of this chapter.