8. Select the Security Tab and check the Require data encryption option. Click on OK to continue.

Figure 4.6. PPTP VPN Properties
© VASCO Data Security 2011
Page 1: ...aXsGUARD Gatekeeper PPTP How To 1 7 ...
Page 2: ... Source and Destination Address in Different IP Ranges 2 5 3 Source and Destination address in the Same IP Range 2 6 Firewalls and PPTP 3 PPTP Server Configuration 3 1 Overview 3 2 Activating the PPTP Server 3 3 General Configuration Settings 3 4 Authentication Settings 3 4 1 Recommended Method 3 4 2 Supported Authentication Methods 3 4 3 Configuring the Authentication Method 3 5 User Settings 3 6...
Page 3: ...n 4 4 Windows Vista Configuration 4 5 Windows 7 Configuration 5 Troubleshooting 5 1 Client Side Troubleshooting 5 2 Server Side Troubleshooting 6 Support 6 1 Overview 6 2 If you encounter a problem 6 3 Return procedure if you have a hardware failure Alphabetical Index VASCO Data Security 2011 2 ...
Page 4: ...te Connection 4 4 Connection Name 4 5 VPN Server Selection 4 6 PPTP VPN Properties 4 7 Require Data Encryption 4 8 Windows Vista PPTP Setup 4 9 Set up a Connection or Network 4 10 Connect to a Workplace 4 11 Use My Internet Connection 4 12 Connection IP and Description 4 13 User Name and Password Screen 4 14 Final Configuration Step 4 15 Connecting to the PPTP Server 4 16 Connection Successful 4 1...
Page 5: ...List of Tables 3 1 PPTP General Settings 3 2 PPTP User Settings 3 3 User Level Firewall Settings VASCO Data Security 2011 4 ...
Page 6: ...List of Examples 3 1 Restricting access to two LAN servers VASCO Data Security 2011 5 ...
Page 7: ...CIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS Intellectual Property and Copyright VASCO Products contain proprietary and confidential information VASCO Data Security Inc and or VASCO Data Security International GmbH own or are licensed under all title rights and interest in VASCO Products updates and upgrades thereof including copyrights patent rights trade secret r...
Page 8: ...ered to solve difficulties In Chapter 6 Support we explain how to request support and return hardware for replacement As software development is an ongoing process the screens included in this guide may slightly differ from the software version installed on your aXsGUARD Gatekeeper appliance Other documents in the set of aXsGUARD Gatekeeper documentation include aXsGUARD Gatekeeper Installation Gu...
Page 9: ...sily be integrated into existing IT infrastructures as a stand alone authentication appliance or as a gateway providing both authentication services and Internet Security Authentication and other features such as firewall e mail and Web access are managed by security policies which implement a combination of rules for example whether a user must use a DIGIPASS One Time Password in combination with...
Page 10: ... network infrastructure such as the Internet to provide a private secured connection between hosts and network applications A VPN also ensures the integrity of data as it traverses the Internet through authentication tunneling and encryption In other words a VPN allows roaming or remote users to securely connect to corporate LAN resources such as shared folders applications databases or e mail Sev...
Page 11: ...to as tunneling or encapsulation PPTP in its barest form works by encapsulating packets inside PPP packets which are in turn encapsulated in Generic Routing Encapsulation GRE packets The GRE packets are sent over IP to the destination PPTP server and back again The image below shows the structure of a PPTP network packet The PPTP protocol provides the following key security elements 2 3 What is PP...
Page 12: ...he PPTP VPN server checks the provided response against its own calculation of the expected response If the received response matches the server acknowledges the authentication if not the connection is terminated PAP is not supported by the aXsGUARD Gatekeeper because it is insecure Only MS CHAP is supported VASCO recommends DIGIPASS authentication as this is the most secure option Tunneling A VPN...
Page 13: ...client on the Internet and the aXsGUARD Gatekeeper PPTP server A TCP connection is therefore made to the PPTP server on TCP port 1723 as shown in the illustration below This control channel is used to negotiate tunnel parameters such as the encryption method and the compression algorithm see Section 2 3 2 Key Elements of PPTP Security The PPTP control channel also establishes manages and releases ...
Page 14: ... PPTP client and server see Section 2 6 Firewalls and PPTP and Section 3 6 PPTP Firewall Settings On the server side only PPTP traffic is routed through this interface Different routing scenarios apply depending on the network address which is assigned to the client s PPP interface These are explained in the following sections The client s PPP interface has an IP address in a different IP range th...
Page 15: ... than the aXsGUARD Gatekeeper LAN the packet is automatically routed through the PPP interface gateway of the aXsGUARD Gatekeeper The client s PPP interface has an IP address in the same IP range as the LAN IP of the PPTP server as shown in the image below Traffic can only be routed correctly using Proxy ARP which is explained below Figure 2 5 PPTP Client and PPTP Server with different IP ranges 2...
Page 16: ...tes the traffic back to the requesting host Proxy ARP is defined per RFC 1027 For more information about ARP see the appropriate online resources It is highly recommended to configure the aXsGUARD Gatekeeper Firewall so that only required network resources can be accessed by the client This also improves security in case a client s computer is hijacked illustrated below The default system wide Fir...
Page 17: ...ct separate aXsGUARD Gatekeeper Firewall Policies for PPTP VPN access on a user group basis in agreement with your company policies as explained above The aXsGUARD Gatekeeper PPTP Firewall configuration is explained in Section 3 6 PPTP Firewall Settings Use a strong hardware or software Firewall on the client side Ensure that outgoing traffic to TCP port 1723 and the GRE protocol are allowed other...
Page 18: ...ended Firewall Policies Before you can access the PPTP configuration settings you must activate the PPTP feature on the aXsGUARD Gatekeeper 1 Log on to the aXsGUARD Gatekeeper as explained in the System Administration How To 2 Navigate to System Feature Activation 3 Expand the VPN RAS tree 4 Check the Do you use the aXsGUARD Gatekeeper PPTP Server option 5 Click on Update Chapter 3 PPTP Server Con...
Page 19: ... How To 2 Navigate to VPN RAS PPTP General A screen as shown below is displayed 3 Configure the settings as explained in the table below 4 Click on Update when finished 3 3 General Configuration Settings Figure 3 2 PPTP General Configuration Settings VASCO Data Security 2011 18 ...
Page 20: ...ter sharing can be installed on the client so that the printer can be accessed by the terminal server Accept 40 bit encryption insecure 40 bit encryption produces less encryption overhead but is highly insecure This setting is not recommended Start IP address The first IP address of the address pool available for PPTP clients The client acquires this address via DHCP End IP address The last IP add...
Page 21: ...Gatekeeper needs to resolve the domain workgroup name to the IP address of the AD Server AD Authentication is only possible if the Directory Services module is activated and configured For more information consult the aXsGUARD Gatekeeper Directory Services How To which is available via the Documentation button in the Administrator Tool To set or adjust the authentication settings for the PPTP serv...
Page 22: ...nistrator Tool The following VPN settings can be edited at the user level Authorization or denial to use the VPN service The password used to authenticate with the VPN server The user s VPN Firewall settings explained separately in Section 3 6 PPTP Firewall Settings To adjust a user s VPN settings 1 Navigate to Users Groups Users 2 Select the appropriate user name 3 Select the Remote Access tab an...
Page 23: ...n You can specify a different Local Password in combination with DIGIPASS Authentication The user then must enter the specified password followed by the DIGIPASS OTP You cannot overrule the Active Directory Password with a Local Password Password This field only appears when the option above is checked Enter the VPN password twice for verification PPTP VPN RAS Check to enable PPTP access for the u...
Page 24: ...ured in two stages Allow PPTP traffic and enforce Strong Authentication e g DIGIPASS Implement strict PPTP VPN Firewall Rules and restrict access to the needed resources Both stages of the PPTP Firewall configuration are explained in Section 3 6 2 Allowing PPTP Traffic and Section 3 6 3 Firewall Rights An example is provided in Section 3 6 4 Example of Firewall Settings for PPTP PPTP traffic must ...
Page 25: ...active by default is available in the Firewall How To This document can be accessed via the on screen Documentation button in the Administrator Tool You can also click on a Firewall Rule Policy to view its contents User Group Firewall Rights As mentioned in Section 2 6 Firewalls and PPTP VASCO highly recommends the use of a strong client side firewall and the creation of dedicated Firewall Policie...
Page 26: ...s for allowed traffic 1 Navigate to Firewall Rules Through 2 Search for the fwd access lan Rule and click to view its contents 3 Click on the Edit as New button 4 Provide a name and description for the new Rule 5 Check the enabled option 6 Do not specify a Source IP Figure 3 7 User Level Firewall Settings Option Description Use Group Firewall Policies Select this option if you wish to apply the sa...
Page 27: ...rst followed by the drop Rule 6 Save the Firewall Policy Add the Firewall Policy to the VPN RAS Group Settings of the user 1 Add the new Firewall Policy to the user s VPN Group Policy add it separately or overrule the user s VPN Firewall policy see above Ensure that this Firewall Policy is the only one in the list 2 Update your settings As a result only network traffic towards the specific servers...
Page 28: ...rminated The public IP address of the remote client The PPP IP address used by the remote client The authentication information Information about encryption The type of compression Useful error messages for troubleshooting Figure 3 8 PPTP Log entries VASCO Data Security 2011 27 ...
Page 29: ...lowed on the client Firewall otherwise you will not be able to connect to the aXsGUARD Gatekeeper PPTP server Refer to your Firewall s documentation if necessary 1 Click on Start Control Panel Network and Internet Connections Network Connections A screen as shown below should appear 2 Click on Create a new connection in the left pane Chapter 4 PPTP Client Configuration 4 1 Overview 4 2 Client Side...
Page 30: ...network at my workplace and click on Next 4 Select Virtual Private Network Connection and click on Next Figure 4 1 Windows XP Network Connections Figure 4 2 Connecting to the Network at my Workplace VASCO Data Security 2011 29 ...
Page 31: ...5 Enter a Connection Name and click on Next Figure 4 3 Virtual Private Connection Figure 4 4 Connection Name VASCO Data Security 2011 30 ...
Page 32: ...IP address or the public FQDN of the aXsGUARD Gatekeeper PPTP server and click on Next Afterwards click on Finish 7 In the connection screen click on Properties Figure 4 5 VPN Server Selection VASCO Data Security 2011 31 ...
Page 34: ... button The connection should be up after a few seconds You can verify the status of the VPN connection by navigating to the Network Connections screen see step 1 1 From the Start button select Connect To Figure 4 7 Require Data Encryption 4 4 Windows Vista Configuration VASCO Data Security 2011 33 ...
Page 35: ...2 Select Set up a connection or network Figure 4 8 Windows Vista PPTP Setup VASCO Data Security 2011 34 ...
Page 36: ...3 Select Connect to a workplace 4 Click on Next Figure 4 9 Set up a Connection or Network Figure 4 10 Connect to a Workplace VASCO Data Security 2011 35 ...
Page 37: ...ection and click on Next 6 In the Internet Address field type the external IP address or the FQDN of the aXsGUARD Gatekeeper PPTP server 7 In the Destination Name field type a description for your PPTP VPN Connection 8 Select the Don t connect now option and click on Next Figure 4 11 Use My Internet Connection VASCO Data Security 2011 36 ...
Page 38: ...Enter the username and password provided by your system administrator Do not enter a password if you are using DIGIPASS authentication Figure 4 12 Connection IP and Description VASCO Data Security 2011 37 ...
Page 39: ...10 Click on the Create button and then the Close button Figure 4 13 User Name and Password Screen Figure 4 14 Final Configuration Step VASCO Data Security 2011 38 ...
Page 40: ...onnect to 12 Select the VPN connection in the window and click on Connect 13 Enter the user name and password provided by your system administrator and click on the Connect button The connection should be up after a few seconds Figure 4 15 Connecting to the PPTP Server VASCO Data Security 2011 39 ...
Page 41: ...Network Icon in the lower right corner of your Windows desktop see the image below 1 Click on the Start button and navigate to the Control Panel Figure 4 16 Connection Successful Figure 4 17 PPTP Connection Status 4 5 Windows 7 Configuration VASCO Data Security 2011 40 ...
Page 42: ...2 In the Control Panel select Network and Internet Figure 4 18 Windows 7 Control Panel VASCO Data Security 2011 41 ...
Page 43: ...3 Select Network and Sharing Center 4 Click on Set up a new connection or network Figure 4 19 Windows 7 Control Panel Figure 4 20 Windows 7 Network and Sharing Center VASCO Data Security 2011 42 ...
Page 44: ...a Workplace and click on Next 6 Select the first option create a new connection as shown below and click on Next Figure 4 21 Set up a New Connection or Network Figure 4 22 Connect to a Workplace VASCO Data Security 2011 43 ...
Page 45: ...7 Click on Use my Internet connection Figure 4 23 Creating a New Connection Figure 4 24 Creating a New Connection VASCO Data Security 2011 44 ...
Page 46: ...nd enter a name for the connection e g office 9 Leave the other options open and click on Next 10 Enter the user name and password provided by your system administrator to connect to the remote aXsGUARD Gatekeeper PPTP server 11 Enter the domain you are connecting to optional Figure 4 25 PPTP Connection Settings VASCO Data Security 2011 45 ...
Page 47: ...depending on the speed of your Internet connection You can verify the status of the VPN connection by clicking on the Network Icon in the lower right corner of your Windows desktop see the image below Figure 4 26 PPTP Connection Settings VASCO Data Security 2011 46 ...
Page 48: ...Figure 4 27 PPTP Status VASCO Data Security 2011 47 ...
Page 49: ...tination address in the Same IP Range Modify the IP address range of the client accordingly Refer to the documentation of the Operating System if necessary PPTP error Your credentials have failed remote network authentication 1 Your username or password may be incorrect Contact your system administrator 2 Check if the connecting PC is in a Windows domain If this is the case check the properties of...
Page 50: ...computer does not support the required data encryption type See error 734 above PPTP Error 769 The specified destination is not reachable The hostname or IP address of the machine you are connecting to is incorrect Check your settings and or contact your system administrator if necessary PPTP Error 678 There was no answer See error 769 above PPTP Error 619 the specified port is not connected If you...
Page 51: ...ones WINS successor should work as well WINS is slowly getting phased out by Microsoft and being replaced by GlobalNames zones On MS server 2008 WINS is no longer a role but has become a feature The WINS configuration itself is exactly the same as on MS server 2003 For more information about setting up a WINS server consult your Microsoft documentation Information can also be found on this M...
Page 52: ...ault Make sure this option is enabled 2 Server firewall Make sure the aXsGUARD Gatekeeper PPTP server can receive a connection on port 1723 and that protocol 47 is being allowed see Section 2 6 Firewalls and PPTP and Section 3 6 PPTP Firewall Settings Protocol 47 is not the same as port 47 This is a simple but common problem Do not get port 47 confused with protocol 47 Opening port 47 on your fire...
Page 53: ...lution in the Knowledge Base please contact the company which supplied you with the VASCO product 3 If your supplier is unable to solve your problem they will automatically contact the appropriate VASCO expert For details about support capabilities by user visit http www vasco com support support_services types_of_customes aspx If you experience a hardware failure contact your VASCO supplier Chapt...
Page 54: ...ilable Guides E Encapsulation Protocol Description F Firewall rights Firewall Rights G GRE Key Elements of PPTP Security I ipconfig Overview M MPPE Key Elements of PPTP Security P PAP Key Elements of PPTP Security Point to Point Tunneling Protocol Protocol Description Port 1723 Standard PPTP Deployment PPTP Protocol Description Proxy ARP Source and Destination address in the Same IP Range Alphabet...
Page 55: ...rview S Support Support T Troubleshooting Troubleshooting Tunneling Protocol Description V Virtual private network What is a Virtual Private Network VPN What is a Virtual Private Network VASCO Data Security 2011 54 ...