A proxy server is typically an applicaiton-layer function. I believe that when you say "act like a proxy" you're really saying "route their traffic across the VPN to that server which will, in turn, route the traffic to its default gateway and ultimately to the Internet".
I'd start with a "tracert" (or OS equivalent command) from a client while connected to the VPN to an Internet address and see where the traffic is going.
It's fairly commonplace in the Microsoft VPN client for users to untick the "Use default gateway on remote network" (set in the "Advanced" settings of TCP/IP on the VPN connection) which will cause only traffic bound for the remote VPN subnet to cross the VPN. Have you checked to see that no one has unticked that box on the clients?
Typically the Microsoft VPN client will "push down" the DNS and WINS settings from the VPN server to the client computers. If the clients are having an inability to access web sites with a browser, for example, it may be that they are routing traffic down the VPN tunnel but that the DNS server being "pushed down" can't resolve Internet names.
Viewing the routing table on a client while connected with the "route print" command will also help figure out what's going on. There should be two default-gateway (0.0.0.0 with a subnet mask of 0.0.0.0) entries on a client that's configured to route all traffic down the VPN-- one for the client's on-subnet default gateway, and one "pointing" to the VPN tunnel.
Edit:
If you want all the traffic from the VPN clients to cross the VPN and egress to the Internet from the VPN "hub" then leave the "Use default gateway on remote network" checkbox ticked on the client computers.
I would suspect that you're having a name resolution problem. I'd connect a client to the VPN and do the following:
tracert -d (your favorite Internet IP address here)
You can use any IP address you want in that command, so long as it's something that's really reachable. Heck, use the IP address of "star.slashdot.org"-- I've already used it in some examples on here... >smile< 216.34.181.48
That will show you the route that packets are taking. It's important to use an IP address in that command so that you aren't relying on DNS.
If that looks okay (i.e. you see the packets cross the VPN and leave through the VPN "hub" Internet connection) then give DNS a shot:
nslookup star.slashdot.org
You should get back something like:
C:\>nslookup star.slashdot.org
Server: the-name-of-the-VPN-server's-DNS-server
Address: the-ip-address-of-the-VPN-server's-DNS-server
Non-authoritative answer:
Name: star.slashdot.org
Address: 216.34.181.48
If you get back something nasty like this then the remote DNS server isn't configured to resolve Internet names.
*** the-name-of-the-VPN-server's-DNS-server can't find star.slashdot.org: Non-existent domain
If you get back something like this then the VPN server doesn't have a valid DNS server specified:
C:\>nslookup star.slashdot.org
Server: [the-ip-address-of-the-VPN-server's-DNS-server]
Address: the-ip-address-of-the-VPN-server's-DNS-server
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [the-ip-address-of-the-VPN-server's-DNS-server] timed-out
I guess I shouldn't just leave this unanswered forever when I have in fact solved the problem.
When I was hired, I was told that the LAN was "running out of scope". The network had a 24-bit subnet mask and uses DHCP for client addressing. The DHCP server wasn't set to check DNS before handing out addresses. DNS wasn't set to scavenge old records. RRAS was set to get addresses for VPN clients from DHCP, and by default it grabs blocks of 10. So it would grab blocks of 10 and start handing them out to clients, but as our address space ran out, some of them were "good" and some were already registered to other clients in DNS. I shortened the subnet mask to 22-bit and the problem was solved.
Best Answer
The PPTP protocol uses GRE (Generic Routing Encapsulation) for transporting the payload data. The GRE protocol unlike tcp/udp/etc has no ports that can be used to uniquely identify packets from each other that cross a NAT.
The PPTP protocol does use the optional Key header to store a length, call id, and sequence number. But some NAT implementations simply don't have the required code to dig into the GRE headers and extract the call id from the key header. This means that they simply use the destination IP addresses to distinguish one packet from another.
I just scanned through the PPTP RFCs, and I didn't see any place where multiple sessions per IP was specifically mentions as not being possible, so my though is that the docs for that PPTP implementation just put the comment in their because of the common difficulty with PPTP and NAT.