craigreilly
newbie
Topic Author
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

replace Windows PPTP VPN

Thu Aug 11, 2016 2:04 am

When I started this job - the company was already using Windows PPTP along with a small Sonic Wall Router. I replaced the router with a CCR1009 when we went to VoIP. So it is fairly new. I am hoping it can support our latest need.
Our dear friends at Apple are getting rid of PPTP support in their new macOS/iOS in a few months, stranding my Mac users from connecting to our VPN.

Can the Mikrotik do a reliable Client to Site VPN?
Can I use my Windows AD Authentication so they do not need another password?
What are the drawbacks?

If this is not the direction to go - what would you recommend without breaking the bank? (90 users)

Thanks for any guidance/setup instructions you can provide.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: replace Windows PPTP VPN

Thu Aug 11, 2016 10:47 am

Yes it should work. We also have a CCR as PPTP server (and for other things).
For setup just follow the manual.
For AD authentication, set up RADIUS on your domain controller and use RADIUS authentication on the CCR.
 
craigreilly
newbie
Topic Author
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: replace Windows PPTP VPN

Tue Aug 16, 2016 6:09 pm

As I mentioned in my initial post - I have to replace PPTP since Apple is removing support in upcoming iOS10 and macOS Sierra.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: replace Windows PPTP VPN

Tue Aug 16, 2016 7:55 pm

What is the alternative that Apple supports?
L2TP/IPsec? I use that and it works OK on MikroTik. May require some manual config when the user is behind double NAT.
But I have no experience with Apple.
 
_saik0
Member Candidate
Posts: 129
Joined: Sun Aug 26, 2007 11:18 pm

Re: replace Windows PPTP VPN

Tue Aug 16, 2016 9:52 pm

From my experience, L2TP/IPsec works OK between a Windows client and an MT server, although, like pe1chl said, it can be tricky when behind NAT.
Can Mac do OpenVPN? Personally I'd go with that, with a dedicated server/VM for this purpose.
At least until ROS7 ;)
 
craigreilly
newbie
Topic Author
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: replace Windows PPTP VPN

Fri Sep 30, 2016 9:25 pm

Anyone have any insight on using a Windows L2TP Server? I have it set up and clients can connect when at the office.
But remotely, I cannot get the traffic to pass.
I have 2 DST-NAT Rules destination 70.x.x.x. (Public IP) for UDP 500,4500 to Windows Server 192.168.3.252.

What am I missing?

(Just adding the 2 rules GRE and UDP 1723 worked fine for PPTP which is still working on another server)
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: replace Windows PPTP VPN

Fri Sep 30, 2016 10:19 pm

L2TP/IPsec server behind NAT? I would not dare to try it...
 
craigreilly
newbie
Topic Author
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: replace Windows PPTP VPN

Mon Oct 03, 2016 5:26 pm

So - my choices are
PPTP - no as Apple devices no longer support it
L2TP - the protocol does not work for remote users behind a firewall
OpenVPN - requires more hardware

Oh - so no choices.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: replace Windows PPTP VPN

Mon Oct 03, 2016 9:27 pm

Migrate everything to IPv6 I would say....
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: replace Windows PPTP VPN

Mon Oct 03, 2016 11:09 pm

Maybe I am missing something...

Why not just set up your VPN server on the CCR and then allow that specific traffic to "talk" to the server?
 
craigreilly
newbie
Topic Author
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: replace Windows PPTP VPN

Tue Oct 04, 2016 2:51 am

Apparently same issue. I ended up doing the L2TP on the Mikrotik. Only 1 client per location can log on at the same time. The second person bumps the first.
Does IPv6 solve this?
My provider, Cox, didn't give me any IPv6 addresses when they installed this year. Does that mean I do not have any assigned?
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: replace Windows PPTP VPN

Tue Oct 04, 2016 11:16 am

Do you have routers at the location that you manage? In that case, let the router set up the VPN, not the end systems.
Any provider that is keeping up with technology is giving you IPv6
(but most of them are not; they apparently do not exist for clients or for internet, but only for shareholders).
 
craigreilly
newbie
Topic Author
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: replace Windows PPTP VPN

Tue Oct 04, 2016 6:54 pm

> Do you have routers at the location that you manage? In that case, let the router set up the VPN, not the end systems.
> Any provider that is keeping up with technology is giving you IPv6
> (but most of them are not; they apparently do not exist for clients or for internet, but only for shareholders).

The networks are not mine to manage - usually hotels... sometimes in meeting rooms - but often working from their guestrooms.
