VPN Remote Access Design

Applies To: Windows Server 2008, Windows Server 2008 R2

This design uses RRAS on a server running Windows Server at the perimeter of the organization’s network to accept VPN connections from remote clients and to grant those clients authenticated access to resources on the network.

When designing a VPN remote access connection, consider the following issues:

  • Choosing a tunneling protocol

  • Installing certificates

  • Configuring firewall packet filters

  • Determining routing for VPN remote access clients

  • Creating a network policy for remote access VPN connections

  • Using a RADIUS server

  • Using Connection Manager

Choosing a tunneling protocol

An RRAS VPN server running Windows Server 2008 R2 or Windows Server 2008 provides support for Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and Secure Socket Tunneling Protocol (SSTP). Windows Server 2008 R2 adds support for Internet Key Exchange version 2 (IKEv2). When choosing between remote access VPN solutions, consider the following:

  • PPTP can be used with computers that are running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. PPTP does not require a public key infrastructure (PKI) to issue computer certificates. By using encryption, PPTP-based VPN connections provide data confidentiality. PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the claimed user). PPTP can be used to deploy client-to-server remote access or site-to-site VPN connections.

  • L2TP can be used with computers that are running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. L2TP uses the facilities of Internet Protocol security (IPsec), and supports either computer certificates or a pre-shared key as the authentication method. Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server and all VPN clients. By using IPsec, L2TP/IPsec VPN connections provide data confidentiality, data integrity, and data authentication. L2TP can be used to deploy client-to-server remote access or site-to-site VPN connections.

    Unlike PPTP and SSTP, L2TP/IPsec enables computer authentication at the IPsec layer and user-level authentication at the PPP layer.

  • SSTP can be used with computers that are running Windows Vista with SP1 or later, Windows Server 2008, Windows 7, and Windows Server 2008 R2. By using Secure Sockets Layer (SSL), SSTP-based VPN connections provide data confidentiality, data integrity, and data authentication. SSTP can be used to deploy client-to-server remote access VPN connections; it cannot be used to deploy site-to-site VPN connections.

  • IKEv2 can be used with computers that are running Windows 7 and Windows Server 2008 R2. IKEv2 uses the facilities of IPsec and supports computer certificates as the authentication method. Computer certificate authentication requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPsec, IKEv2 VPN connections provide data confidentiality, data integrity, and data authentication. IKEv2 can be used to deploy client-to-server remote access VPN connections; it cannot be used to deploy site-to-site VPN connections.

For more information, see Appendix C: VPN Tunneling Protocols.
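The following is an added example, not part of the original guidance: it transcribes the four protocol bullets above into a matrix and evaluates it against a client inventory, so a mixed fleet shows which protocols remain and why the others drop out. The inventory labels, the separate "Windows Vista SP1" label, and the function and parameter names are assumptions made for illustration.

```python
# Added example: the matrix below transcribes the four protocol bullets above.
ALL_OS = {"Windows XP", "Windows Server 2003", "Windows Vista", "Windows Vista SP1",
          "Windows Server 2008", "Windows 7", "Windows Server 2008 R2"}
SSTP_OS = ALL_OS - {"Windows XP", "Windows Server 2003", "Windows Vista"}
IKEV2_OS = {"Windows 7", "Windows Server 2008 R2"}

# name: (client OS support, integrity + origin authentication, site-to-site, credential)
PROTOCOLS = {
    "PPTP":       (ALL_OS,   False, True,  "none"),
    "L2TP/IPsec": (ALL_OS,   True,  True,  "cert-or-psk"),
    "SSTP":       (SSTP_OS,  True,  False, "cert"),
    "IKEv2":      (IKEV2_OS, True,  False, "cert"),
}

def evaluate(fleet, can_issue_certs, allow_psk=False,
             need_integrity=True, site_to_site=False):
    """Return {protocol: [reasons it is ruled out]}; an empty list means usable."""
    verdict = {}
    for name, (os_ok, integrity, s2s, cred) in PROTOCOLS.items():
        reasons = []
        unsupported = sorted(set(fleet) - os_ok)
        if unsupported:
            reasons.append("no client support on " + ", ".join(unsupported))
        if need_integrity and not integrity:
            reasons.append("no data integrity or data origin authentication")
        if site_to_site and not s2s:
            reasons.append("client-to-server only")
        if cred == "cert" and not can_issue_certs:
            reasons.append("certificates required")
        if cred == "cert-or-psk" and not can_issue_certs and not allow_psk:
            reasons.append("only a pre-shared key is possible (not the recommended method)")
        verdict[name] = reasons
    return verdict

def usable(fleet, can_issue_certs, **requirements):
    """Protocols with no blocking reason, in the order the page lists them."""
    result = evaluate(fleet, can_issue_certs, **requirements)
    return [name for name, reasons in result.items() if not reasons]

if __name__ == "__main__":
    mixed = ["Windows XP", "Windows Vista", "Windows 7"]  # constructed inventory
    for proto, why in evaluate(mixed, can_issue_certs=True).items():
        print(f"{proto:11} {'OK' if not why else 'ruled out: ' + '; '.join(why)}")
```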

Installing certificates

To create L2TP/IPsec, SSTP, or IKEv2 remote access VPN connections, you must install computer or server certificates on the VPN client and the VPN server. For more information, see Appendix A: Computer Certificates for VPN Connections.

Configuring firewall packet filters

If you have a firewall, you must configure packet filters on the firewall to allow traffic to flow between VPN clients on the Internet and the VPN server. For more information, see Appendix B: VPN Servers and Firewall Configuration.
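The following added example (not from the original page, which defers the filter details to Appendix B) audits a perimeter rule set against the tunneling protocols the design intends to offer. The port and IP protocol numbers are the standard assignments for each protocol rather than values taken from this page; the rule format, sample rules and function names are constructed for illustration.

```python
# Added example. A flow is (kind, number): a TCP/UDP destination port on the
# VPN server, or an IP protocol number. Values are the standard assignments.
GRE, ESP = ("ip", 47), ("ip", 50)
REQUIRED = {
    "PPTP":       {("tcp", 1723), GRE},               # control channel + GRE data
    "L2TP/IPsec": {("udp", 500), ("udp", 4500), ESP},  # IKE, NAT-T, ESP
    "SSTP":       {("tcp", 443)},                      # SSL/TLS
    "IKEv2":      {("udp", 500), ("udp", 4500), ESP},  # IKE, NAT-T, ESP
}

def audit(allowed, intended):
    """Compare inbound flows permitted to the VPN server with the designed protocols.

    Returns (missing, surplus): missing maps each intended protocol to the flows
    the firewall still blocks; surplus lists permitted VPN flows that no intended
    protocol uses (for example a leftover PPTP rule).
    """
    allowed = set(allowed)
    needed = set().union(*(REQUIRED[p] for p in intended))
    missing = {p: sorted(REQUIRED[p] - allowed)
               for p in intended if REQUIRED[p] - allowed}
    vpn_flows = set().union(*REQUIRED.values())
    surplus = sorted((allowed & vpn_flows) - needed)
    return missing, surplus

if __name__ == "__main__":
    # Constructed rule set: an old PPTP rule remains and NAT traversal was forgotten.
    allowed = [("tcp", 1723), ("tcp", 443), ("udp", 500), ESP]
    missing, surplus = audit(allowed, ["SSTP", "L2TP/IPsec"])
    for proto, flows in missing.items():
        print(f"{proto}: connections will fail, still blocked: {flows}")
    for flow in surplus:
        print(f"{flow}: permitted but not used by any intended protocol")
```

L2TP/IPsec and IKEv2 need the same filters, so the firewall cannot separate them; which of the two the server accepts has to be restricted in RRAS itself.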

Determining routing for VPN remote access clients

Your remote access design must provide a method for routing packets from the remote access clients to the corporate intranet and the Internet — in some cases simultaneously, depending on the needs of the remote user. For more information, see Determining Routing for VPN Remote Access Clients.

Creating a network policy for remote access VPN connections

Network policies (formerly named remote access policies) are administered in Network Policy Server (NPS). For more information, see Create Policies for Dial-Up or VPN with a Wizard in the NPS Help.

Using a RADIUS server

If you have multiple VPN servers running Windows Server 2008 R2, you need to configure network policies and logging for each VPN server. If you want to take advantage of centralized network policies and logging, you can configure the VPN servers as Remote Authentication Dial-In User Service (RADIUS) clients, managed by a RADIUS server that is running NPS.

For more information, see Network Policy Server.

Using Connection Manager

For a large remote access VPN deployment, you can use Connection Manager and the Connection Manager Administration Kit to provide a custom dialer with preconfigured VPN connections to all remote access clients across your organization.

For more information about Connection Manager, see Connection Manager Administration Kit.