PPTP Settings (Client-to-Server VPN)

The Point-to-Point Tunneling Protocol (PPTP) is used to create client-to-server Virtual Private Networks (VPNs).

Note: The PPTP Settings (Client-to-Server VPN) section is not available if you are on the SMB Controller.

The IP addresses for PPTP clients are allocated from within the local subnet range managed by the DHCP server. The addresses are taken from the last portion of the range, and the number used depends on the “Number of PPTP clients” that you program.

For example, if you program “10” as the “Number of PPTP clients” for local subnet 192.168.1.10 to 192.168.1.100, then the last ten addresses in the range (.11 to .100) will be allocated to PPTP clients for VPNs.

If necessary, you can increase the total number of addresses available to all clients by modifying the local subnet range. For details see Configure DHCP Server.

Enable VPN Access

To enable VPN access:

  1. Under Security, click Remote access.

  2. Under PPTP Settings in the Remote Access panel, enter the number of individual PPTP clients that will be allowed to connect to the server simultaneously. This can be the total number of remote PPTP clients in the organization, or, if you have a slow connection to the Internet and do not want all of those PPTP clients to connect at the same time, enter a lower number. Enter 0 to deny PPTP connections.

  3. Click Save. The server is now ready to accept PPTP connections.

Setting Up a VPN Connection on Clients

Use the following procedures to set up a VPN connection on each user's computer:

Note: The following procedures outline how to create and configure a VPN connection in Microsoft Windows 7. For instructions to perform these procedures in another operating system, refer to your product documentation.

To create a VPN connection on the user's computer:

  1. Click Start > Control Panel > Network and Sharing Center.

  2. Click Set up a new connection or network.

  3. In the Connection Option list, select Connect to a Workplace.

  4. Select No, create a new connection if prompted, and then click Next.

  5. Select Use my Internet connection.

  6. Enter the server IP address or host name.

  7. Enter a name for your VPN connection.

  8. Select Don’t connect now; just set it up and then click Next.

  9. Enter your user name. A password is not required if you are using a certificate for authentication.

  10. Click Create and then click Close.

To configure a VPN connection on the user's computer:

  1. Click Start > Control Panel > Network and Sharing Center.

  2. In the left-hand menu, click Change adapter settings.

  3. Right-click your VPN name and then click Properties.

  4. On the Networking tab, select Internet Protocol Version 4 and then click Properties.

  5. Click Advanced.

  6. Clear the Use default gateway on remote network check box.

  7. Click OK twice to return to the VPN Connection Properties dialog.

  8. On the Security tab, in the Type of VPN list, select Point to Point Tunneling Protocol (PPTP).

  9. Under Authentication, select Use Extensible Authentication Protocol (EAP).

  10. In the EAP list, select Microsoft: Smart Card or other certificate.

  11. Click Properties.

  12. Under “When connecting”, select Use a certificate on this computer and then select Use simple certificate selection.

  13. Choose whether to validate the server certificate. When selected, Windows prompts users to confirm that they're connecting to the correct server and that the certificate is valid. If you choose to enable validation, clear the Connect to these servers check box.

  14. Click OK until you return to the Control Panel > Network Connections dialog.

  15. Right-click on your VPN name and then click Connect.

 

Remote Management

Remote management allows hosts on the specified remote IPv4 and IPv6 network(s) to access the server manager of your MSL server. To limit access to the specified host, enter a subnet mask of 255.255.255.255 for IPv4 networks or a CIDR prefix of /128 for IPv6 networks. If your mask allows a range of IP addresses, any hosts within that range can access the server manager using HTTPS. See also Grant Access Privileges to Trusted Local Networks.

To add a remote management network:

  1. Under Security, click Remote access.

  2. Scroll to the Remote Management section.

  3. In the Network field, enter the IP address of the remote host for which you want to allow access.

  4. In the Subnet mask field, enter a mask to limit the range of access (255.255.255.255 limits access to the specified IP address).

  5. Click Save.
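As an added illustration (not part of the product documentation or the MSL software), the following Python sketch shows how Network and Subnet mask values like those entered above translate into the set of hosts that can reach the server manager. The sample entries use documentation address ranges and are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample entries in the form the Remote Management section takes:
# (Network, Subnet mask) for IPv4 and (Network, CIDR prefix) for IPv6.
SAMPLE_ENTRIES = [
    ("203.0.113.25", "255.255.255.255"),  # single IPv4 host
    ("198.51.100.0", "255.255.255.0"),    # 256 IPv4 addresses
    ("2001:db8::10", "/128"),             # single IPv6 host
    ("2001:db8:1::", "/64"),              # an entire IPv6 subnet
    ("203.0.113.25", "255.255.255.0"),    # host address entered with a wide mask
]

def parse_entry(network, mask):
    """Return the network that a (network, mask) pair actually admits."""
    # Assumption: the mask is applied to the address as typed, so host bits
    # are dropped (strict=False) and the whole surrounding range is admitted.
    return ipaddress.ip_network(f"{network}/{mask.lstrip('/')}", strict=False)

def audit(entries):
    """Summarise each entry: effective range, size, and single-host status."""
    report = []
    for network, mask in entries:
        net = parse_entry(network, mask)
        report.append({
            "entry": f"{network} {mask}",
            "effective": str(net),
            "addresses": net.num_addresses,
            "single_host": net.num_addresses == 1,
            "host_bits_dropped": net.network_address != ipaddress.ip_address(network),
        })
    return report

def is_allowed(source, entries):
    """True if the source address falls inside any configured network."""
    addr = ipaddress.ip_address(source)
    nets = [parse_entry(n, m) for n, m in entries]
    return any(addr.version == net.version and addr in net for net in nets)

if __name__ == "__main__":
    for row in audit(SAMPLE_ENTRIES):
        print(row)
```

An entry whose "single_host" value is False admits every address in "effective", which is the range to review before saving.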

 

Secure Shell Settings

About the Secure Shell

Use the Secure Shell Settings section to control access to your server. The public setting should only be enabled by experienced administrators for remote problem diagnosis and resolution. We recommend leaving this parameter set to "No Access" unless you have a specific reason to do otherwise.

WARNING: Before allowing secure shell access to the server using standard passwords, please ensure you set a secure admin/root password on the server. With a weak password, an internet-facing server can be compromised very quickly.

Configuring SSH (Secure Shell)

SSH (secure shell) provides a secure, encrypted way to log in to a remote machine across an IPv4 or IPv6 network, or to copy files from a local machine to a server. Programs such as telnet and ftp transmit passwords in plain, unencrypted text across the network or the Internet. SSH and its companion program SCP provide a secure way to log in or copy files. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.

OpenSSH, included with the MSL server, is a version of the SSH tools and protocol. The server provides the SSH client programs as well as an SSH server daemon and supports the SSH2 protocol.

To configure SSH:

  1. Under Security, click Remote access.

  2. Scroll to the Secure Shell Settings section.

  3. Select a Secure shell access option:

  4. Program the configuration options:

  5. Click Save.

Once SSH is enabled, connect to the server by launching the SSH client on the remote system. Ensure that it is pointed to the external domain name or IP address for the server. In the default configuration, you will be prompted for your user name. Enter "admin" and the administrative password. You will be in the server console. From here you can change the server configuration, access the Administrator Portal through a text browser or perform other server console tasks.

Note: By default, only two user names can be used to log in remotely to the server: "admin" (to access the server console) and "root" (to use the Linux shell). Regular users are not permitted to log in to the server.

Obtaining an SSH Client

A number of different free software programs provide SSH clients for use in a Windows or Macintosh environment. Several are extensions of existing telnet programs that include SSH functionality. Two different lists of known clients can be found online at http://www.openssh.com/windows.html and http://www.freessh.org/.

A commercial SSH client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic, and certain non-commercial uses.