In the not so distant past, companies who wanted to allow road warriors access to resources on the corporate internal network had to install modem banks and multiple phone lines. The cost of installing multiple dial-up RAS (Remote Access Service) servers was compounded by long-distance charges. If the company wanted to avoid long-distance charges, it still had to shell out for a 1-800 number. VPN servers remove this capital-intensive hardware/telco layer and allow you to support dozens, sometimes hundreds, of remote access calls with a single VPN server and high-speed Internet connection.

I’ll look at how to make your Windows NT 4.0 computers VPN clients for Windows NT 4.0 VPN servers. You can use the same procedures to connect Windows NT 4.0 clients to Windows 2000 VPN servers. The only major difference between Windows NT 4.0 and Windows 2000 VPN servers is that the Windows NT 4.0 VPN servers do not support L2TP/IPSec VPN links. This situation doesn’t pose much of a problem for our Windows NT 4.0 VPN clients, because the only VPN protocol supported by Windows NT 4.0 is the Point-to-Point Tunneling Protocol (PPTP).


Before configuring your Windows NT 4.0 PPTP VPN client software, you should install the latest service packets and security hotfixes. If you haven’t updated the Windows NT 4.0 computer you plan to make a PPTP VPN client, visit the Microsoft Windows Update for Windows NT Server Web site to get at least Windows NT 4.0 Service Pack 6a. You’ll find all the security hotfixes released since Service Pack 6a on this page, too. I also recommend that you install Internet Explorer 6.0; it includes a number of features that improve the user experience and automatically adds 128-bit encryption support.

Creating the PPTP network protocol
Your first step in creating a Windows NT 4.0 PPTP VPN client is to install the PPTP networking protocol. Right-click on the Network Neighborhood icon on the desktop and click Properties. In the Network dialog box, click the Protocols tab. On the Protocols tab, click the Add button.

In the Select Network Protocol dialog box (Figure A), select the Point-to-Point Tunneling Protocol and click OK. A Windows NT Setup dialog box will appear and ask you for the location of the setup files. You can type in the path to a local or network location, or just put your Windows NT 4.0 CD in the tray. Click Continue.

Figure A

In the PPTP Configuration dialog box (Figure B), use the default entry (which is 1). PPTP VPN clients aren’t going to connect to more than one VPN server at a time. This entry is used by the VPN Server to define how many virtual VPN interfaces the server should have available for VPN clients. (Windows NT 4.0 VPN servers support up to 256 PPTP interfaces.) Click OK. At this point, you’ll see a dialog box that informs you that RAS will be installed. Click OK to install and start RAS.

Figure B

The Add RAS Device dialog box (Figure C) will appear and display the name of the single RAS device installed on the VPN client machine. Click OK.

Figure C
VPN1 – RASPPTPM is the name of the VPN interface on the VPN client.

The VPN device is now added to RAS. On a Windows NT 4.0 Workstation computer, the VPN interface is automatically configured to call out only. If you install the VPN interface on a Windows NT 4.0 Server computer, the adapter is configured to allow outbound and inbound calls. To change this setting, click the Configure button in the Remote Access Setup dialog box (Figure D).

Figure D
Network interfaces available on the VPN client computer

Change the setting to Dial Out Only in the Configure Port Usage dialog box (Figure E) to prevent the Windows NT 4.0 Server from allowing incoming calls to the VPN interface.

Figure E
Configure the interface to make outbound calls only.

Click on the Network button in the Remote Access Setup dialog box (Figure D) to configure the LAN protocols you want to support on the VPN interface. Note that these are the LAN protocols used over the PPTP link, and not the WAN protocols used to contact the VPN server. You’ll always use TCP/IP to connect to the VPN interface on the VPN server (Figure F).

Figure F

Click the Continue button in the Remote Access Setup dialog box. The Point-to-Point Tunneling Protocol will be added to the list of protocols on the Protocols tab of the Network dialog box. Click Close. Restart the computer to complete the installation of the protocol.

Creating the ISP dial-up entry
VPN clients typically call an ISP to establish an Internet connection before they establish their VPN link. Creating RAS connections in Windows NT 4.0 isn’t as intuitive as it is in Windows 2000/XP, so let’s take a look at how you configure a PPP connection to an ISP.

Click Start | Programs | Accessories. Click on Dial-Up Networking. You’ll be asked for location information. Enter at least your area code. If you have a number you need to dial to access an outside line, enter that too. Click Close to dispatch the dialog box after entering the information.

A dialog box will appear informing you that your phone book is empty. Click OK to create a phone book entry for your ISP. This action brings up the first page of the New Phonebook Entry Wizard (Figure G). Enter a name for the connection and click Next.

Figure G

The Server page will appear (Figure H). Always select the I Am Calling The Internet option. Check with your ISP to see what type of password authentication it requires. You won’t need to use the third option in this dialog box unless you’re using a SLIP connection, and it’s not likely you’ll bother with SLIP connections these days. Click Next.

Figure H

Enter your POP access number on the Phone Number page (Figure I). You can click the Alternates button to add alternate numbers to try if the first one fails. These numbers are useful when your ISP gives you multiple POP access numbers. Click Next, and then click Finish on the last page of the wizard.

Figure I
You can use alternate numbers when you use an ISDN terminal adapter that uses different numbers for each line.

The new Phonebook entry will appear and you can use it right away (Figure J). You don’t need to restart the computer.

Figure J

Creating the PPTP VPN dial-up entry
If you use a dial-up connection to connect to the ISP, you’ll need to activate that before connecting the VPN link. In other words, the PPTP connection rides on top of the ISP connection. The Windows NT 4.0 PPTP VPN client can also take advantage of dedicated links, such as T1, DSL, and cable connections. In these cases, you don’t need to establish the dial-up entry before firing up the VPN.

Click the New button in the Dial-Up Networking dialog box (Figure J) to create the VPN connectoid. The same wizard you used to create the dial-up connection creates the VPN connection. The only difference is that you use the IP address or Fully Qualified Domain Name for the phone number and configure the connection to use the VPN interface (Figure K).

Figure K
Enter the FQDN or IP address of the VPN server.

After you create the VPN connectoid, click on the More button in the Dial-Up Networking dialog box’s phonebook area and click the Edit Entry And Modem Properties entry to bring up the Edit Phonebook Entry dialog box (Figure L). In the Dial Using drop-down list box, you’ll need to select the VPN device you created earlier.

Figure L

Click on the Server tab and you’ll see what appears in Figure M. Select the LAN protocols you want to support in the VPN in the Network Protocols frame. Select Enable Software Compression and Enable PPP LCP Extensions if your Windows NT 4.0 VPN server supports them.

Figure M

Click the TCP/IP Settings button and you’ll see what appears in Figure N. The default setting is to allow IP address assignment automatically from the VPN server. This is the most common option but if you need to specify a particular IP address or DNS server, select the option to specify and enter the appropriate IP address. Use the Use IP Header Compression option if your VPN server supports this option.

IP Header Compression support

Your Windows NT 4.0 VPN Server will support this option, but your Windows 2000 VPN won’t if you haven’t upgraded to at least SP4 on the VPN client.

Figure N

The Use Default Gateway On Remote Network option is an extremely important one for you to understand. When you select this option, the VPN client uses the VPN interface as its gateway for all non-local networks. Typically, when the client first dials into the ISP, the ISP assigns the computer a default gateway, which is one of the ISP’s routers to the Internet. When the Use Default Gateway On Remote Network option is enabled, the VPN server assigns the VPN client a new default gateway, which forwards all non-local packets to the VPN server. The result is that the VPN client cannot access the Internet once it connects to the corporate VPN.

If this option is disabled, the VPN client will be able to access both the internal corporate network and the Internet at the same time. This creates the possibility that the VPN client will be able to route packets from the Internet to the internal network.

Click on the Security tab and you’ll see the screen shown in Figure O. The only option you need to select is Accept Only Microsoft Encrypted Authentication. Selecting this option ensures that the PPTP VPN client uses MS-CHAP version 2 to authenticate with the Windows NT 4.0 Server. If the Windows NT 4.0 Server does not support MS-CHAP version 2 (because it has not been updated with the latest service pack), the client will fall back to MS-CHAP version 1.

Figure O

Use Windows NT 4.0 for secure VPN connections
Configuring the VPN client on a Windows NT 4.0 computer is more challenging than it is on Win9x computers with DUN1.4 installed. It’s definitely not as easy to configure as the Windows 2000/XP client. But once you get the Windows NT 4.0 PPTP VPN client installed, you’ll have solid and secure connections that use MS-CHAP version 2 for authentication and 128-bit data encryption.