PPTP Settings (Client-to-Server VPN)

The Point-to-Point Tunneling Protocol (PPTP) is used to create client-to-server Virtual Private Networks (VPNs).

The IP addresses for PPTP clients are allocated from within the local subnet range managed by the DHCP server. The addresses are taken from the last portion of the range, and the number used depends on the “Number of PPTP clients” that you program.

For example, if you program “10” as the “Number of PPTP clients” for local subnet 192.168.1.10 to 192.168.1.100, then the last ten addresses in the range (.91 to .100) will be allocated to PPTP clients for VPNs.
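The allocation rule above, worked through as an added example (not code from the MSL product): the PPTP pool is the last N addresses of the DHCP range, and the DHCP server keeps whatever precedes it. The range boundaries and client count are constructed sample values; the function names are hypothetical.

```python
import ipaddress


def pptp_pool(range_start, range_end, pptp_clients):
    """Return the addresses reserved for PPTP clients.

    The pool is the last `pptp_clients` addresses of the local DHCP range
    [range_start, range_end]. A count of 0 means no PPTP connections are
    accepted and the whole range stays with DHCP.
    """
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)
    if end < start:
        raise ValueError("range end precedes range start")
    total = int(end) - int(start) + 1
    if pptp_clients < 0:
        raise ValueError("client count cannot be negative")
    if pptp_clients > total:
        # Edge case: asking for more VPN clients than the range holds would
        # leave no addresses for DHCP; the range must be widened first.
        raise ValueError("more PPTP clients than addresses in the range")
    if pptp_clients == 0:
        return []
    first = int(end) - pptp_clients + 1
    return [ipaddress.IPv4Address(i) for i in range(first, int(end) + 1)]


def dhcp_remaining(range_start, range_end, pptp_clients):
    """Return the (first, last) addresses still available to DHCP clients,
    or None when the PPTP pool consumes the entire range."""
    pool = pptp_pool(range_start, range_end, pptp_clients)
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)
    last = ipaddress.IPv4Address(int(pool[0]) - 1) if pool else end
    if last < start:
        return None
    return (start, last)


if __name__ == "__main__":
    # Constructed example matching the documentation's scenario.
    pool = pptp_pool("192.168.1.10", "192.168.1.100", 10)
    print("PPTP pool:", pool[0], "to", pool[-1])
    print("DHCP keeps:", dhcp_remaining("192.168.1.10", "192.168.1.100", 10))
```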

If necessary, you can increase the total number of addresses available to all clients by modifying the local subnet range. For details see Configure DHCP Server.

VPN access and configuration

To enable VPN access:
  1. Under Security click Remote access.

  2. Under PPTP Settings in the Remote Access panel, enter the number of individual PPTP clients that will be allowed to connect to the server simultaneously. This can be the total number of remote PPTP clients in the organization, or, if you have a slow connection to the Internet and do not want all of those PPTP clients to connect at the same time, enter a lower number. Enter 0 to deny PPTP connections.

  3. Click Save. The server is now ready to accept PPTP connections.

Setting Up a VPN Connection on Clients

Use the following procedures to set up a VPN connection on each user's computer:
Note: The following procedures outline how to create and configure a VPN connection in Microsoft Windows 7. For instructions to perform these procedures in another operating system, refer to your product documentation.
To create a VPN connection on the user's computer:
  1. Click Start > Control Panel > Network and Sharing Center.

  2. Click Set up a new connection or network.

  3. In the Connection Option list, select Connect to a Workplace.

  4. Select No, create a new connection if prompted, and then click Next.

  5. Select Use my Internet connection.

  6. Enter the server IP address or host name.

  7. Enter a name for your VPN connection.

  8. Select Don’t connect now; just set it up and then click Next.

  9. Enter your user name. A password is not required if you are using a certificate for authentication.

  10. Click Create and then click Close.

To configure a VPN connection on the user's computer:
  1. Click Start > Control Panel > Network and Sharing Center.

  2. In the left-hand menu, click Change adapter settings.

  3. Right-click your VPN name and then click Properties.

  4. On the Networking tab, select Internet Protocol Version 4 and then click Properties.

  5. Click Advanced.

  6. Clear the Use default gateway on remote network check box.

  7. Click OK twice to return to the VPN Connection Properties dialog.

  8. On the Security tab, in the Type of VPN list, select Point to Point Tunneling Protocol (PPTP).

  9. Under Authentication, select Use Extensible Authentication Protocol (EAP).

  10. In the EAP list, select Microsoft: Smart Card or other certificate.

  11. Click Properties.

  12. Under “When connecting” select Use a certificate on this computer and then select Use simple certificate selection.

  13. Choose whether to validate the server certificate. When selected, Windows prompts users to confirm that they're connecting to the correct server and that the certificate is valid. If you choose to enable validation, clear the Connect to these servers check box.

  14. Click OK until you return to the Control Panel > Network Connections dialog.

  15. Right-click on your VPN name and then click Connect.

Remote Management

Remote management allows hosts on the specified remote IPv4 and IPv6 network(s) to access the server manager of your MSL server. To limit access to the specified host, enter a subnet mask of 255.255.255.255 for IPv4 networks or a CIDR prefix of /128 for IPv6 networks. If your mask allows a range of IP addresses, any hosts within that range can access the server manager using HTTPS. See also Grant Access Privileges to Trusted Local Networks.

To add a remote management network:
  1. Under Security, click Remote access.

  2. Scroll to the Remote Management section.

  3. In the Network field, enter the IP address of the remote host for which you want to allow access.

  4. In the Subnet mask field, enter a mask to limit the range of access (255.255.255.255 limits access to the specified IP address).

  5. Click Save.
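How the Network and Subnet mask fields combine into an access rule, shown as an added example that is not part of the MSL product: a 255.255.255.255 mask (or a /128 IPv6 prefix) admits exactly one host, while a wider mask admits every host in the resulting network. The addresses below are constructed documentation-range samples and the function names are hypothetical.

```python
import ipaddress


def remote_management_network(network, mask_or_prefix):
    """Build the permitted network from the Network and Subnet mask fields.

    IPv4 entries take a dotted mask (e.g. 255.255.255.255); IPv6 entries take
    a CIDR prefix (e.g. /128). strict=False lets the Network field hold a host
    address rather than a network address, as the form does.
    """
    addr = ipaddress.ip_address(network)
    if addr.version == 4:
        return ipaddress.IPv4Network((addr, mask_or_prefix), strict=False)
    prefix = int(str(mask_or_prefix).lstrip("/"))
    return ipaddress.IPv6Network((addr, prefix), strict=False)


def may_access_server_manager(source_ip, allowed_networks):
    """True if the source address falls inside any configured management network."""
    src = ipaddress.ip_address(source_ip)
    return any(src.version == net.version and src in net for net in allowed_networks)


if __name__ == "__main__":
    # Constructed example: one IPv4 host rule and one IPv6 host rule.
    allowed = [
        remote_management_network("203.0.113.7", "255.255.255.255"),
        remote_management_network("2001:db8::1", "/128"),
    ]
    for src in ("203.0.113.7", "203.0.113.8", "2001:db8::1", "2001:db8::2"):
        print(src, "->", "allowed" if may_access_server_manager(src, allowed) else "denied")
```

Review the rule list with the widest mask in mind: a single 255.255.255.0 entry silently admits 256 addresses to HTTPS management, which is usually far more than the "specified host" the field name suggests.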

Secure Shell Settings

About the Secure Shell

Use the Secure Shell Settings section to control access to your server. The public setting should only be enabled by experienced administrators for remote problem diagnosis and resolution. We recommend leaving this parameter set to "No Access" unless you have a specific reason to do otherwise.
Warning: Before allowing secure shell access to the server using standard passwords, please ensure you set a secure admin/root password on the server. With a weak password, an internet-facing server can be compromised very quickly.

Configuring SSH (Secure Shell)

SSH (secure shell) provides a secure, encrypted way to log in to a remote machine across an IPv4 or IPv6 network, or to copy files from a local machine to a server. Programs such as telnet and ftp transmit passwords in plain, unencrypted text across the network or the Internet. SSH and its companion program SCP provide a secure way to log in or copy files. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.

OpenSSH, included with the MSL server, is a version of the SSH tools and protocol. The server provides the SSH client programs as well as an SSH server daemon and supports the SSH2 protocol.

To configure SSH:
  1. Under Security, click Remote access.

  2. Scroll to the Secure Shell Settings section.

  3. Select a Secure shell access option:

    • No Access – (Default) SSH access not allowed.

    • Allow access only from trusted and remote management networks – This option enables you to access the server from local networks and remote management networks. To add a remote management network, see Remote Management.

    • Allow public access (entire Internet) – This option enables you to access the server from anywhere on the Internet. It is selectable only if you have configured a strong SSH (system admin) password. If you have a weak password and attempt to select this option, you will receive the following warning: "The system administration password is set to a weak value. The "Allow public access" option in the form below will remain disabled until the system administration password has been reset to a strong value."

  4. Program the configuration options:

    • Allow administrative command line access over secure shell - This option allows someone to connect to the server and log in as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for the system, but in most cases we recommend setting this option to No.

    • Allow secure shell access using standard passwords - If you set this option to Yes, users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into the system could connect to the SSH server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow SSH access is called RSA Authentication and involves copying an SSH key from the client to the server.

  5. Click Save.
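The two configuration options in step 4 correspond to standard OpenSSH server directives: root login with the administrative password is governed by PermitRootLogin, and password logins by PasswordAuthentication. The audit below is an added example (not MSL code) that reads an sshd_config-style text and reports which of those options are effectively enabled; that MSL writes exactly these directives is an assumption, the sample configurations are constructed, and the assumed defaults are those of current OpenSSH.

```python
import re

# Effective OpenSSH defaults when a directive is absent (assumption: OpenSSH 7.0 or later,
# where PermitRootLogin defaults to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample configurations, not taken from an MSL server.
WEAK_CONFIG = """
# both remote-access options set to Yes
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # ignored: sshd uses the first occurrence of a directive
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def effective_settings(config_text):
    """Return the effective value of each audited directive.

    sshd keeps the first occurrence of a directive, and directives after a
    Match line apply only conditionally, so parsing stops there.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}


def audit(config_text):
    """List the exposures the Secure Shell Settings page warns about."""
    eff = effective_settings(config_text)
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append("root may log in with the administrative password (PermitRootLogin yes)")
    if eff["passwordauthentication"] == "yes":
        findings.append("password logins accepted; exposed to repeated guessing (PasswordAuthentication yes)")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("public key authentication disabled; key-based access is unavailable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

The weak sample deliberately repeats PermitRootLogin: the later "no" does not win, which is why an audit has to model first-occurrence semantics rather than take the last value it sees.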

Once SSH is enabled, connect to the server by launching the SSH client on the remote system. Ensure that it is pointed to the external domain name or IP address for the server. In the default configuration, you will be prompted for your user name. Enter "admin" and the administrative password. You will be in the server console. From here you can change the server configuration, access the Administrator Portal through a text browser or perform other server console tasks.

Note: By default, only two user names can be used to log in remotely to the server: "admin" (to access the server console) and "root" (to use the Linux shell). Regular users are not permitted to log in to the server.

Obtaining an SSH Client

A number of different free software programs provide SSH clients for use in a Windows or Macintosh environment. Several are extensions of existing telnet programs that include SSH functionality. Two different lists of known clients can be found online at http://www.openssh.com/windows.html and http://www.freessh.org/.

A commercial SSH client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic, and certain non-commercial uses.