Application Layer Gateway for PPTP Protocol
The Citrix ADC appliance supports Application Layer Gateways (ALGs) for the Point-to-Point Tunneling Protocol (PPTP).
PPTP is a network protocol that enables secure transfer of data from a remote client to an enterprise server by creating a tunnel across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP packets for transmission over the Internet. PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access Concentrator (PAC) pair. After the tunnel is set up, enhanced generic routing encapsulation (GRE) is used to exchange PPP packets. A call ID in the GRE header indicates the session to which a particular PPP packet belongs.
The Citrix ADC appliance recognizes PPTP packets that arrive on the default TCP port, 1723. The appliance parses PPTP control packets, translates the call ID, and assigns a NAT IP address. For two-way data communication between the client and server, the Citrix ADC appliance creates an LSN session entry based on the server call ID, and an LSN session based on the client call ID. The appliance then parses the GRE data packets and translates call IDs on the basis of the two LSN session entries.
For PPTP protocol, the Citrix ADC appliance also includes timeout setting for any idle PPTP LSN sessions. If a PPTP LSN session is idle for a time that exceeds the timeout setting, the Citrix ADC appliance removes the session.
The following are the limitations of PPTP ALG on a Citrix ADC appliance:
- PPTP ALG is not supported for hairpin LSN flow.
- PPTP ALG is not supported to work with any RNAT configuration.
- PPTP ALG is not supported in Citrix ADC clusters.
Configuring PPTP ALG
Configuring PPTP ALG on the Citrix ADC appliance consist of the following tasks:
- Create an LSN configuration and enable PPTP ALG on it. In an LSN configuration, the LSN group includes the PPTP ALG setting. For instructions on creating an LSN configuration, see Configuration Steps for LSN.
- (Optional) Set the global timeout for idle PPTP LSN sessions.
At the command prompt, type:
add lsn group <groupname> -clientname <string> [-pptp ( ENABLED | DISABLED )] show lsn group <!--NeedCopy-->
At the command prompt, type:
set appAlgParam -pptpGreIdleTimeout <positive_integer> show appAlgParam <!--NeedCopy-->
In the following sample LSN configuration, PPTP ALG is enabled for subscribers in the 192.0.2.0/24 network.
Also idle PPTP LSN session timeout is set to 200 secs.
add lsn client LSN-CLIENT-1 Done bind lsn client LSN-CLIENT-1 -network 192.0.2.0 -netmask 255.255.255.0 Done add lsn pool LSN-POOL-1 Done bind lsn pool LSN-POOL-1 203.0.113.3 Done add lsn group LSN-GROUP-1 -clientname LSN-CLIENT-1 -pptp ENABLED Done bind lsn group LSN-GROUP-1 -poolname pool1 LSN-POOL-1 Done set appAlgParam -pptpGreIdleTimeout 200 Done <!--NeedCopy-->