Remote Site Connectivity Background

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can design and deploy a remote site connection that is optimal for your organizational and network environment by using the connectivity, security, and network configuration options provided by the Routing and Remote Access service.

The following sections describe three typical remote site connection solutions — a Point-to-Point Tunneling Protocol (PPTP) VPN connection, a Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPSec) VPN connection, and a dial-up connection. For detailed information about each connection type and the range of available configuration and security options, see "Choosing the Remote Site Connection Type" and "Choosing Security Features" later in this chapter.

PPTP VPN Solution

Organizations with moderate to heavy traffic between a branch office and a main office and existing connections to the Internet might choose a PPTP-based site-to-site connection. In the example shown in Figure 10.2, a firewall creates a perimeter network at each end of the Internet tunnel. Windows Server 2003 also supports VPN functionality without the use of a firewall.

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), which provides a high-security protocol for password authentication, is a highly recommended method for authentication and encryption key generation for a site-to-site connection. Alternatively, you can use Extensible Authentication Protocol-Transport Layer Security Protocol (EAP-TLS), which provides an even stronger user-level authentication than the password-based MS-CHAP v2.

The main office site must have a permanent WAN link to its local Internet service provider (ISP), but the branch office site can use a dial-up WAN link to its local ISP. An on-demand connection that disconnects when the connection is idle ensures that the connection is not active when not in use. Reciprocal replication ensures that replication between domain controllers in separate sites takes place over the one-way initiated on-demand connection. Figure 10.2 depicts this solution.

Figure 10.2   One-Way Initiated On-Demand Dial-up PPTP VPN Solution


L2TP/IPSec VPN Solution

Organizations that need maximum security to support substantial two-way traffic between a large branch office and a headquarters office might choose an L2TP/IPSec VPN solution. A firewall creates a perimeter network at each end of the Internet tunnel. A persistent connection, enabled by a dedicated link to the ISP at both sites, allows around-the-clock traffic.

The recommended method for the computer-level authentication provided by L2TP/IPSec is the exchange of computer certificates by the calling and answering endpoints, which requires a certificate infrastructure provided by the certification authority (CA) server. EAP-TLS provides stronger user-level authentication than does the password-based MS-CHAP v2, because it requires a user certificate on the calling endpoint and a computer certificate on the answering endpoint. L2TP/IPSec uses IPSec as its encryption method. For a persistent connection, replication takes place across the site link at specified intervals — you do not need to configure reciprocal replication as you do for a one-way initiated on-demand connection. The example in Figure 10.3 depicts this solution.

Figure 10.3   Persistent Two-Way Initiated L2TP/IPSec VPN Solution


Dial-up Solution

Organizations with moderate traffic between a branch and a main office might choose to replace an existing leased WAN link with a dial-up WAN link or use a dial-up WAN link to create a new connection. Figure 10.4 shows an example of a site-to-site connection that uses an ISDN dial-up link. One common situation in which you might deploy a dial-up link is as a backup solution when a VPN link provides your primary connection. For more information about when to use a dial-up connection, see "Choosing a Dial-up or VPN Connection" later in this chapter.

A one-way initiated on-demand dial-up connection disconnects when the connection is idle for a specified period of time and thus provides efficient access for branch office users who need only intermittent access to the main office. A dial-up connection typically uses MS-CHAP v2 as the user authentication method to authenticate the calling router, together with Microsoft Point-to-Point Encryption (MPPE) for data encryption. Configuring reciprocal replication enables replication between domain controllers in separate sites over a one-way initiated on-demand connection. Figure 10.4 depicts this solution.

Figure 10.4   One-Way Initiated On-Demand Dial-up Solution
