Choosing an On-Demand or Persistent Connection

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can configure the calling router for any of the connection types — dial-up, PPTP VPN, or L2TP/IPSec VPN — with either an on-demand or a persistent connection. Table 10.3 describes and compares these connection type options.

Table 10.3   Comparing On-Demand and Persistent Connections

Connection type: On-demand connection

Description: Establishes a connection when traffic is forwarded, and terminates the connection when the link is not used for a specified period of time.

Use: Use an on-demand connection if using the communications link incurs per-minute charges.

For an on-demand VPN connection, the initiating router can use either a permanent or a dial-up link to the Internet. The answering router must have a permanent link to the Internet to ensure that it is available when a calling router attempts to establish a connection.

Connection type: Persistent connection

Description: Sustains a connection 24 hours a day.

Use: Use a persistent connection in the following circumstances:

  • When the cost of the connection is based on a flat fee, such as for a link to a local ISP for each site when sites are located in separate cities, or for a connection between different sites within the same city.

  • When data traffic is time-sensitive. For example, if you support mainframe terminal connectivity between sites and the terminals must wait for an on-demand VPN connection to be activated, the connection attempt will time out before the session can be launched.

For a persistent VPN connection, both the calling and the answering router must use a permanent link to the Internet.

For on-demand connections, to prevent the calling router from establishing unnecessary connections, you can use demand-dial filtering and dial-out hours:

  • Demand-dial filters. To prevent a VPN calling router from initiating unnecessary connections, you can configure demand-dial filters to specify the types of IP traffic for which the router will or will not create a demand-dial connection. You can identify traffic to accept or reject based on source and destination addresses of incoming traffic and the protocol in use. It is recommended that you match the demand-dial filters to the IP packet filters configured on the demand-dial interface. If there is specific traffic that is not allowed across the demand-dial interface when it is connected, that same traffic should not be allowed to initiate a demand-dial connection using that interface. For example, if you have a packet filter that prevents ICMP traffic from being sent across the demand-dial interface, then you should configure a demand-dial filter to prevent ICMP traffic from initiating the demand-dial connection. For more information about matching demand-dial filters to IP packet filters, see "Integrate the VPN Server into a Perimeter Network" and "Configure IP Packet Filters and Demand-Dial Filters" later in this chapter.

  • Dial-out hours. To prevent a dial-up or VPN calling router from initiating unnecessary connections, you can configure dial-out hours to specify the hours during which a calling router is either permitted to make a site-to-site connection or denied the connection. You can also configure remote access policies on the answering router to restrict the time periods when incoming demand-dial connections are allowed.
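The two controls above can be checked against each other before they are deployed. The following Python model is an added example, not code from this documentation or from Routing and Remote Access: it models demand-dial filters, interface packet filters and dial-out hours as the text describes them, and its `audit_filter_mismatch` function reports traffic that would bring up the link yet be dropped by the packet filters once the link is connected (the mismatch the text recommends avoiding). The class and function names, the rule semantics (an "all except" list versus an "only the following" list), and the sample addresses and hours are all assumptions made for the example.

```python
"""Added model of demand-dial filtering and dial-out hours for an on-demand calling
router. Illustrative only; not part of Routing and Remote Access. The names Packet,
Rule, FilterSet, would_dial and audit_filter_mismatch, and every sample value below,
are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    """One source/destination/protocol criterion. Packet filters and demand-dial
    filters select traffic the same way, so both reuse this type."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto))


@dataclass(frozen=True)
class FilterSet:
    """Rules plus the action taken on matching traffic (assumed semantics).
    action="drop": permit everything except matches (an 'all except' list);
    action="forward": permit only matches (an 'only the following' list)."""
    rules: tuple = ()
    action: str = "drop"

    def permits(self, pkt: Packet) -> bool:
        hit = any(r.matches(pkt) for r in self.rules)
        return hit if self.action == "forward" else not hit


def within_dial_out_hours(hours: dict, when: datetime) -> bool:
    """hours maps weekday (0 = Monday) to (start_hour, end_hour) windows, end
    exclusive. A weekday missing from the map has no permitted hours."""
    return any(start <= when.hour < end for start, end in hours.get(when.weekday(), ()))


def would_dial(pkt: Packet, dial_filters: FilterSet, hours: dict, when: datetime) -> bool:
    """True if this packet would make the calling router bring up the link:
    it passes the demand-dial filters and arrives inside the dial-out hours."""
    return dial_filters.permits(pkt) and within_dial_out_hours(hours, when)


def audit_filter_mismatch(packet_filters: FilterSet, dial_filters: FilterSet, samples):
    """Return sample packets that would trigger a dial but be dropped once the link
    is up, i.e. traffic that pays for a connection it can never use. An empty list
    means the demand-dial filters are at least as strict as the packet filters."""
    return [p for p in samples if dial_filters.permits(p) and not packet_filters.permits(p)]


# Constructed sample configuration (not taken from any real router).
PACKET_FILTERS = FilterSet(rules=(Rule(proto="icmp"),), action="drop")        # drop ICMP on the link
LOOSE_DIAL_FILTERS = FilterSet()                                                # any traffic dials
MATCHED_DIAL_FILTERS = FilterSet(rules=(Rule(proto="icmp"),), action="drop")   # ICMP never dials
BUSINESS_HOURS = {day: [(8, 18)] for day in range(5)}                          # Mon-Fri 08:00-18:00
WEDNESDAY_MORNING = datetime(2024, 1, 3, 10, 0)   # inside dial-out hours
SATURDAY_MORNING = datetime(2024, 1, 6, 10, 0)    # outside dial-out hours

SAMPLE_PACKETS = [
    Packet("10.1.0.7", "10.2.0.20", "icmp"),   # ping across the site-to-site link
    Packet("10.1.0.7", "10.2.0.20", "tcp"),    # file transfer across the link
]

if __name__ == "__main__":
    for p in audit_filter_mismatch(PACKET_FILTERS, LOOSE_DIAL_FILTERS, SAMPLE_PACKETS):
        print("would dial but be dropped once connected:", p)
    print("mismatches after aligning the filters:",
          audit_filter_mismatch(PACKET_FILTERS, MATCHED_DIAL_FILTERS, SAMPLE_PACKETS))
    print("tcp dials on Saturday morning:",
          would_dial(SAMPLE_PACKETS[1], MATCHED_DIAL_FILTERS, BUSINESS_HOURS, SATURDAY_MORNING))
```

With the loose demand-dial filter set, the ICMP sample is reported: a ping would bring up a metered link only to be dropped by the interface packet filter. Adding the same ICMP rule to the demand-dial filters makes the audit come back empty, and the dial-out hours then decide whether remaining traffic may connect at a given time.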