Global
To configure global PPTP (Point-to-Point Tunneling Protocol) options, proceed as follows:

- On the Global tab, enable PPTP remote access.
  Click the toggle switch.
  The toggle switch turns amber and the Main Settings area becomes editable.

- Specify the following settings:

  Authentication via: Select the authentication mechanism. PPTP remote access supports only local and RADIUS (Remote Authentication Dial In User Service) authentication.

  - Local: If you select Local, specify the users and user groups who should be able to use PPTP remote access. Backend user groups cannot be dragged into the field. PPTP remote access cannot be activated until at least one user account has been specified.

    Note – Usernames and passwords of the selected users may only contain ASCII printable characters.

    Note – As with SSL VPN, the Remote Access menu of the User Portal is only available to users who are selected in the Users and groups box and for whom a user definition exists on Sophos UTM. Authorized users who have successfully logged in to the User Portal will find a link to installation instructions, which are available in the Sophos Knowledge Base.

  - RADIUS: RADIUS can only be selected if a RADIUS server has already been configured on the Definitions & Users > Authentication Services > Servers tab; users are then authenticated against that external server. The Users and Groups box is grayed out; its contents can still be changed, but they have no effect, because local users can no longer authenticate via PPTP once RADIUS is selected. The RADIUS server must support MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol Version 2) challenge-response authentication, and so must the clients. The server can pass back parameters such as the client's IP address and DNS/WINS (Windows Internet Naming Service) server addresses. The PPTP module sends the string pptp as NAS-ID (the RADIUS NAS-Identifier attribute) to the RADIUS server, which lets you match PPTP requests in server-side policies.

    Note – With either mechanism the client authenticates via MSCHAPv2, whose exchange an attacker who captures the traffic can brute-force offline to recover the user's NT password hash; that hash suffices both to impersonate the user and to derive the MPPE keys protecting the session. Treat PPTP as a legacy option and prefer SSL VPN or IPsec where clients allow it.

  Assign IP addresses by: IP addresses can be assigned either from a predefined IP address pool or by an external DHCP server:

  - IP Address pool: Select this option to assign clients addresses from a specific IP range. By default, addresses from the private network 10.242.1.0/24 are assigned. This network definition is called VPN Pool (PPTP) and can be used in all network-specific configuration options. To use a different network, change the definition of VPN Pool (PPTP) on the Definitions & Users > Network Definitions page, or create another pool by clicking the Plus icon next to the Pool network box. Note that the pool netmask may not be shorter than /16, that is, a pool cannot be larger than a /16 network.

  - DHCP server: If you select DHCP server, also select the network interface through which the DHCP (Dynamic Host Configuration Protocol) server is reached. The server does not have to be directly connected to that interface; it can also be reached through a router. The UTM's own DHCP server is not supported; the server selected here must run on a physically separate system.

- Click Apply.
  Your settings will be saved.
  The switch turns green.
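As an added example (not part of the Sophos documentation or of the UTM itself), the following Python script checks a planned PPTP Global configuration against the constraints described above before you click Apply: local authentication needs at least one selected user and ASCII-only credentials, RADIUS needs a configured server and ignores the user selection, a pool may not be larger than a /16, and a DHCP server must be external and reachable through a selected interface. The configuration dictionary layout and its key names are assumptions made for illustration, not an export format of the UTM; the sample configurations are constructed.

```python
"""Check a planned PPTP Global configuration against the constraints the
page above states (local vs. RADIUS auth, ASCII-only credentials, pool
size limit, external DHCP only).  Added example; not Sophos UTM code.
The config dictionary layout and its key names are assumptions made for
illustration, not an export format of the UTM."""
import ipaddress

MIN_POOL_PREFIX = 16  # a pool netmask may not be shorter than /16


def is_ascii_printable(text: str) -> bool:
    """True if every character lies in the printable ASCII range 0x20-0x7E."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in text)


def validate_pptp_global(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the config is acceptable."""
    findings = []

    auth = cfg.get("auth")
    if auth == "local":
        users = cfg.get("users", [])
        if not users:
            findings.append("local: PPTP cannot be activated until at least one user is selected")
        for user in users:
            name = user.get("name", "")
            if user.get("backend_group"):
                findings.append(f"local: backend group {name!r} cannot be used for PPTP")
                continue
            for field in ("name", "password"):
                if not is_ascii_printable(user.get(field, "")):
                    findings.append(f"local: {field} of user {name!r} contains non-ASCII-printable characters")
    elif auth == "radius":
        if not cfg.get("radius_server"):
            findings.append("radius: no RADIUS server configured under Authentication Services > Servers")
        if cfg.get("users"):
            findings.append("radius: Users and groups selection has no effect; local users cannot authenticate")
    else:
        findings.append(f"auth: unsupported mechanism {auth!r}; only 'local' and 'radius' are available")

    assign = cfg.get("assign_by")
    if assign == "pool":
        try:
            # strict=True rejects a host address such as 10.242.1.5/24
            net = ipaddress.ip_network(cfg.get("pool", ""), strict=True)
        except ValueError:
            findings.append(f"pool: {cfg.get('pool')!r} is not a valid network")
        else:
            if net.prefixlen < MIN_POOL_PREFIX:
                findings.append(f"pool: {net} exceeds the /{MIN_POOL_PREFIX} size limit")
    elif assign == "dhcp":
        if not cfg.get("dhcp_interface"):
            findings.append("dhcp: select the interface through which the DHCP server is reached")
        if cfg.get("dhcp_server_is_local"):
            findings.append("dhcp: the UTM's own DHCP server is not supported; use an external server")
    else:
        findings.append(f"assign: unsupported method {assign!r}; use 'pool' or 'dhcp'")

    return findings


# Constructed sample configurations (not exported from a real UTM).
GOOD_CONFIG = {
    "auth": "local",
    "users": [{"name": "alice", "password": "Tr0ub4dor&3"}],
    "assign_by": "pool",
    "pool": "10.242.1.0/24",   # the default VPN Pool (PPTP)
}

BAD_CONFIG = {
    "auth": "local",
    "users": [{"name": "bob", "password": "p\u00e4ssword"}],  # non-ASCII letter
    "assign_by": "pool",
    "pool": "10.0.0.0/8",      # larger than the /16 limit
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_pptp_global(cfg) or "OK")
```

Run the script as-is to see the two constructed configurations evaluated, or call validate_pptp_global() on your own dictionary. It encodes only the constraints stated on this page; it cannot tell you whether the RADIUS server actually supports MSCHAPv2, which you must verify on the server side.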
Live Log
The PPTP daemon live log logs all PPTP remote access activities. Click the button to open the live log in a new window.