I'm setting up a VPN test server, on Windows 2008 R2. I seem to remember that PPTP isn't ideal, as on a Cisco firewall you need to allow quite a large range of ports open (with the GRE protocol too?)
Anyway, my vague memories of this aren't brilliant, so I would like to know, what's the more secure protocol for setting up remote VPN access (from users dialling in from home, so not a VPN tunnel or anything).
You should probably use IKEv2 as a primary if you have Windows Vista/7 clients and 2008 R2 servers, with a fallback to SSTP if for whatever reason UDP port 500 is blocked at the client's site.
SSTP has a severe performance problem in that you get TCP-in-TCP for most data traffic. This causes the "inner" TCP layer to be mis-informed about the actual packet loss on the network, resulting in huge delays or disconnections. See this link for detailed information on that issue.
Our own tests showed SSTP performing terribly on lossy networks, particularly wireless networks at hotels, coffee shops, mobile broadband, etc. So we initially chose IKEv2 as our primary mechanism with SSTP as a fallback. Neither SSTP nor IKEv2 requires client certificate deployment, but they do require all clients to trust the certificate of the VPN server. The VPN server certificate is easily deployed via Group Policy.
Another problem common to PPTP, SSTP, and IKEv2 in the Windows implementations is that they do not verify that the client computer is trusted, only that the user who is connecting knows a password and has VPN permissions. This issue ultimately led us to go back to L2TP with client-side certificate deployment using Microsoft Certificate Authority to issue certificates to trusted machines. You can configure NAT traversal for L2TP with a registry setting (again deployed via Group Policy).
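A read-only client readiness check for the L2TP setup described in the answer above, as an added example that is not part of the original answer. It assumes the unnamed registry setting is Microsoft's documented `AssumeUDPEncapsulationContextOnSendRule` value under the `PolicyAgent` service key; the issuer pattern is a placeholder for your own CA, and the function names and 30-day expiry window are illustrative choices.

```powershell
# Read-only check: does this client hold a usable machine certificate from the
# internal CA, and is L2TP/IPsec NAT traversal enabled? Nothing is modified.
param(
    # Placeholder (assumption): replace with the issuer name of your own CA.
    [string]$IssuerPattern = '*CN=EXAMPLE-ISSUING-CA*',
    [int]$ExpiryWarningDays = 30
)

# Assumption: the registry setting meant in the answer is this documented value.
$natKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$natName = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-MachineVpnCertificate {
    param([string]$Pattern)
    $now = Get-Date
    # Computer store only: a certificate in a user store does not prove the
    # machine itself is trusted.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -like $Pattern -and $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }
}

function Get-NatTraversalSetting {
    $prop = Get-ItemProperty -Path $natKey -Name $natName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }   # value absent: Windows default is 0
    return [int]$prop.$natName
}

$certs = @(Get-MachineVpnCertificate -Pattern $IssuerPattern)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid machine certificate with a private key from the expected CA.'
}
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    Write-Output ("Machine certificate {0}: {1} days until expiry" -f $c.Thumbprint, $daysLeft)
    if ($daysLeft -lt $ExpiryWarningDays) {
        Write-Warning "Certificate $($c.Thumbprint) expires soon; check auto-enrollment."
    }
}

switch (Get-NatTraversalSetting) {
    0 { Write-Warning 'NAT traversal off (default): no connection to a VPN server behind NAT.' }
    1 { Write-Output 'NAT traversal: VPN server may be behind NAT.' }
    2 { Write-Output 'NAT traversal: both server and client may be behind NAT.' }
    default { Write-Warning 'Unexpected NAT traversal value; check the Group Policy setting.' }
}
```

A changed registry value takes effect only after the client restarts.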
Don't use PPTP--it's completely insecure if you're using the MS-CHAPv2 protocol. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
If you're using a different encryption method such as certificates--it's significantly more work to set up, obviating any benefits of PPTP in the first place.
I'm planning to replace PPTP in my own organization with OpenVPN. IPSec / L2TP is another good option.
If you have a newer Cisco firewall you can use the SSL VPN features if you license it. You can also use the normal Cisco VPN client/server setup.
For using W2k8 R2, I'd recommend going the SSTP route over PPTP. PPTP might be easier to deploy but, security aside, there are quite a few places nowadays (other biz, hotels, etc.) that don't allow you to connect to one from them (outbound) which frustrates employees, guests.