Point-to-Point Tunneling Protocol

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol first supported in Windows NT 4.0 and Windows 98. PPTP is an extension of Point-to-Point Protocol (PPP) and leverages the authentication, compression, and encryption mechanisms of PPP. Client support for PPTP is built in to the Windows XP remote access client.

VPN server support for PPTP is built in to members of the Windows Server 2003 family. PPTP is installed with the TCP/IP protocol. Depending on your choices when running the Routing and Remote Access Server Setup Wizard, PPTP is configured for five or 128 PPTP ports. For more information, see Checklist: Installing and configuring a PPTP server.

PPTP and Microsoft Point-to-Point Encryption (MPPE) provide the primary VPN services of encapsulation and encryption of private data.

Encapsulation

A PPP frame (an IP, IPX, or AppleTalk datagram) is wrapped with a Generic Routing Encapsulation (GRE) header and an IP header. The IP header carries the source and destination IP addresses, which correspond to the VPN client and VPN server.

The following illustration shows PPTP encapsulation for a PPP frame.

PPTP encapsulation
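The layering shown above, worked through in Python as an added example (not Microsoft's code): a PPP frame is prefixed with the enhanced GRE header defined in RFC 2637 (protocol type 0x880B, key field holding the payload length and call ID, optional sequence and acknowledgment numbers) and then with an IP header for protocol 47. The parser is the check a passive monitor would use to recognise PPTP data traffic and to see whether the inner PPP protocol is plain IP (0x0021) or an MPPE-protected payload (0x00FD). The sample PPP frame and the addresses are constructed for the example.

```python
"""PPTP data path: PPP frame -> enhanced GRE header (RFC 2637) -> IP header.
Added example; the sample frame and addresses below are constructed."""
import socket
import struct
from typing import Optional

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B     # protocol type PPTP places in the GRE header
GRE_FLAG_K = 0x20          # first byte: key (payload length + call ID) present
GRE_FLAG_S = 0x10          # first byte: sequence number present
GRE_FLAG_A = 0x80          # second byte: acknowledgment number present
GRE_VERSION_ENHANCED = 1   # low three bits of the second byte

# Constructed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IP), then a dummy datagram.
SAMPLE_PPP_FRAME = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14" + bytes(16)


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the IP header (RFC 791); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_pptp_packet(src_ip: str, dst_ip: str, call_id: int, seq: int,
                      ppp_frame: bytes, ack: Optional[int] = None) -> bytes:
    """Wrap a PPP frame as the illustration shows: GRE header first, then the IP header."""
    flags = GRE_FLAG_K | GRE_FLAG_S
    ver_byte = GRE_VERSION_ENHANCED | (GRE_FLAG_A if ack is not None else 0)
    gre = struct.pack("!BBHHHI", flags, ver_byte, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        gre += struct.pack("!I", ack)
    total_len = 20 + len(gre) + len(ppp_frame)
    # version 4 / IHL 5, TOS 0, constructed ID, DF set, TTL 64, protocol 47, checksum placeholder
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_GRE, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + gre + ppp_frame


def parse_pptp_packet(pkt: bytes) -> Optional[dict]:
    """Return the tunnel fields if pkt is a PPTP data packet, otherwise None.
    Matching rule: IPv4, protocol 47, GRE version 1 with protocol type 0x880B."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE or ip_checksum(pkt[:ihl]) != 0:
        return None
    gre = pkt[ihl:]
    if len(gre) < 8:
        return None
    flags, ver_byte, ptype, payload_len, call_id = struct.unpack("!BBHHH", gre[:8])
    if ptype != GRE_PROTO_PPP or (ver_byte & 0x07) != GRE_VERSION_ENHANCED or not flags & GRE_FLAG_K:
        return None
    needed = 8 + (4 if flags & GRE_FLAG_S else 0) + (4 if ver_byte & GRE_FLAG_A else 0)
    if len(gre) < needed + 2:
        return None
    off, seq, ack = 8, None, None
    if flags & GRE_FLAG_S:
        (seq,) = struct.unpack("!I", gre[off:off + 4])
        off += 4
    if ver_byte & GRE_FLAG_A:
        (ack,) = struct.unpack("!I", gre[off:off + 4])
        off += 4
    ppp = gre[off:off + payload_len]
    if ppp[:2] == b"\xff\x03":        # address/control fields, absent when ACFC was negotiated
        ppp = ppp[2:]
    ppp_protocol = struct.unpack("!H", ppp[:2])[0]
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "call_id": call_id, "seq": seq, "ack": ack,
        "ppp_protocol": ppp_protocol,      # 0x0021 = IP in the clear, 0x00FD = MPPE-encrypted
        "ppp_payload": ppp[2:],
        "tunnel_overhead": ihl + off,      # bytes PPTP adds in front of the PPP frame
    }


if __name__ == "__main__":
    packet = build_pptp_packet("192.0.2.10", "198.51.100.1", call_id=7, seq=1, ppp_frame=SAMPLE_PPP_FRAME)
    print(parse_pptp_packet(packet))
```

The `tunnel_overhead` figure (32 bytes without an acknowledgment, 36 with one) is what a PPP MTU has to leave room for; the `ppp_protocol` value is the quick way to tell, from a capture, whether a given PPTP tunnel is actually carrying encrypted payloads.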

Encryption

The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAP, MS-CHAP v2, or EAP-TLS authentication process. Virtual private networking clients must use the MS-CHAP, MS-CHAP v2, or EAP-TLS authentication protocol in order for the payloads of PPP frames to be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a PPP frame that has already been encrypted.
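How the authentication exchange turns into MPPE keys, as an added Python example (not Microsoft's code): the key derivation follows RFC 3079 for the MS-CHAP v2 case (master key from the password hash-hash and the NT-Response, then directional start keys), and the per-packet handling follows RFC 3078 stateless mode (SHA-1 based key rotation feeding RC4, with the 2-byte MPPE header carrying the coherency count). The MD4 step that produces the password hash-hash is not shown; the 16-byte hash-hash and 24-byte NT-Response in `sample_keys()` are constructed stand-ins, and the magic strings and pads are the RFC constants.

```python
"""MPPE key derivation (RFC 3079, MS-CHAP v2 case) and RC4 payload protection (RFC 3078).
Added example; the inputs in sample_keys() are constructed, not a real credential."""
import hashlib
import struct

SHS_PAD1 = bytes(40)                 # 40 x 0x00
SHS_PAD2 = bytes([0xF2]) * 40        # 40 x 0xF2
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey: 16-byte master key from MD4(MD4(password)) and the NT-Response."""
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, key_len: int, is_send: bool, is_server: bool) -> bytes:
    """RFC 3079 GetAsymmetricStartKey: directional start key (8 or 16 bytes). Magic3 applies
    when role and direction agree (server send / client receive), Magic2 otherwise, so the
    client's send key is the server's receive key and vice versa."""
    magic = MAGIC3 if is_send == is_server else MAGIC2
    return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:key_len]


def get_new_key_from_sha(start_key: bytes, session_key: bytes, key_len: int) -> bytes:
    """RFC 3078 GetNewKeyFromSHA: next interim key from the start key and current session key."""
    return hashlib.sha1(start_key + SHS_PAD1 + session_key + SHS_PAD2).digest()[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the stream cipher MPPE uses; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


MPPE_BIT_FLUSHED = 0x8000    # "A" bit: key tables were reset before this packet (every packet in stateless mode)
MPPE_BIT_ENCRYPTED = 0x1000  # "D" bit: payload is encrypted
MPPE_CCOUNT_MASK = 0x0FFF    # 12-bit coherency count


class MppeStateless:
    """One direction of an MPPE session in stateless mode: the session key is rotated
    before every packet and the coherency count lets the peer detect a lost packet."""

    def __init__(self, start_key: bytes):
        self.start_key = start_key
        self.key_len = len(start_key)
        # Initial session key: SHA over the start key itself (RFC 3078 section 7.1)
        self.session_key = get_new_key_from_sha(start_key, start_key, self.key_len)
        self.ccount = 0

    def _rekey(self) -> None:
        interim = get_new_key_from_sha(self.start_key, self.session_key, self.key_len)
        self.session_key = rc4(interim, interim)   # RFC 3078 section 7.3

    def encrypt(self, ppp_payload: bytes) -> bytes:
        """Return the 2-byte MPPE header followed by the RC4-encrypted PPP payload."""
        self.ccount = (self.ccount + 1) & MPPE_CCOUNT_MASK
        self._rekey()
        header = MPPE_BIT_FLUSHED | MPPE_BIT_ENCRYPTED | self.ccount
        return struct.pack("!H", header) + rc4(self.session_key, ppp_payload)

    def decrypt(self, frame: bytes) -> bytes:
        """Mirror of encrypt(); raises if the coherency count shows a lost or unencrypted frame."""
        (header,) = struct.unpack("!H", frame[:2])
        expected = (self.ccount + 1) & MPPE_CCOUNT_MASK
        if (header & MPPE_CCOUNT_MASK) != expected or not header & MPPE_BIT_ENCRYPTED:
            raise ValueError("MPPE coherency count mismatch or unencrypted frame")
        self.ccount = expected
        self._rekey()
        return rc4(self.session_key, frame[2:])


def sample_keys() -> dict:
    """Constructed inputs (not a real credential) run through the 128-bit derivation."""
    password_hash_hash = bytes(range(0x10, 0x20))   # stands in for MD4(MD4(utf16le(password)))
    nt_response = bytes(range(0x41, 0x59))          # stands in for the 24-byte NT-Response
    master = get_master_key(password_hash_hash, nt_response)
    return {
        "client_send": get_asymmetric_start_key(master, 16, True, False),
        "client_recv": get_asymmetric_start_key(master, 16, False, False),
        "server_send": get_asymmetric_start_key(master, 16, True, True),
        "server_recv": get_asymmetric_start_key(master, 16, False, True),
    }
```

The derivation makes the page's point concrete: every MPPE key is a function of the MS-CHAP v2 exchange, so the strength of the tunnel's encryption is bounded by the strength of the user's password and of the authentication protocol, and a PPP session authenticated with PAP or CHAP has no master key to derive from at all. The 40-bit and 56-bit variants additionally truncate the start key to 8 bytes and overwrite its leading bytes as RFC 3078 specifies; only the 128-bit path is exercised here.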

For more information on deploying PPTP-based VPN connections, see Deploying Virtual Private Networks. For a PPTP-based VPN server checklist, see Checklist: Installing and configuring a PPTP server. For an example implementation of PPTP-based VPN connections, see Virtual Private Network Implementation Examples. For information on configuring PPTP-based VPN connections in a test lab, see Virtual Private Network Test Lab.

Notes

  • It is possible to have a nonencrypted PPTP connection where the PPP frame is sent in plaintext. However, a nonencrypted PPTP connection is not recommended for VPN connections over the Internet because communications of this type are not secure.

  • The IPX/SPX protocol is not available on Windows XP 64-bit Edition (Itanium) and the 64-bit versions of the Windows Server 2003 family.

  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.