Microsoft stops supporting PPTP and L2TP VPN protocols in Windows Server
Microsoft has officially discontinued support for Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server. Administrators were advised to switch to other protocols that provide increased security.
For more than 20 years, enterprises have used PPTP and L2TP VPN protocols to provide remote access to corporate networks and Windows servers. However, as attacks and cybersecurity resources have become more sophisticated and powerful, protocols have become less secure. For example, PPTP is vulnerable to offline authentication hash attacks, and L2TP does not provide encryption unless combined with another protocol such as IPsec. However, if L2TP/IPsec is configured incorrectly, it can become vulnerable to attacks.
In this regard, Microsoft recommends that users switch to the new Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) protocols, which provide better performance and security.
Microsoft shared the benefits of each protocol.
SSTP:
-
reliable encryption: SSTP uses SSL/TLS encryption, providing a secure communication channel;
-
firewall bypass: SSTP can easily pass through most firewalls and proxies, ensuring a seamless connection;
-
ease of use: with built-in support in Windows, SSTP is easy to configure and deploy.
Advantages of IKEv2:
-
high security: IKEv2 supports reliable encryption algorithms and authentication methods;
-
mobility and multicast: IKEv2 is particularly effective for mobile users, supporting VPN connections during network changes;
-
improved performance: With faster tunneling and lower latency, IKEv2 offers superior performance compared to legacy protocols.
Microsoft emphasizes that when a feature is deprecated, it is no longer in active development and may be removed from future versions of Windows. This aging period can last months or years, giving administrators time to migrate to the proposed VPN protocols.
In this aging, future versions of Windows RRAS Server (VPN Server) will no longer accept incoming connections using the PPTP and L2TP protocols. However, users can still establish outgoing PPTP and L2TP connections.
To help administrators migrate to SSTP and IKEv2, Microsoft released a support bulletin in June with instructions for configuring these protocols.
Previously, Microsoft officially announced that Windows Server Update Services (WSUS) is obsolete. The company plans to maintain their current functionality and continue to publish updates through the channel.