
Checklist: Implementing a Site-to-Site Connection Design

Published: April 30, 2010

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

To connect remote networks by using a VPN site-to-site connection, you must identify which design options you need to deploy. If you are connecting existing networks, some elements that make up the infrastructure may already be in place. For example, each network may have a domain controller or the servers that you plan to connect may already be joined to the domain. Such tasks are identified in the checklist as optional.

Note
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Implementing a VPN Site-to-Site Connection Design

| Task | Reference |
| --- | --- |
| Review key concepts and design considerations for a VPN site-to-site connection. | Virtual Private Networking; Connecting Remote Sites Design in the Routing and Remote Access Services Design Guide |
| (Optional) Deploy a domain controller for the branch office site. | Deploy Active Directory |
| (Optional) Use certificates to enable and manage user- and computer-level authentication. | Deploy a Certificate Infrastructure |
| (Optional) Deploy an NPS server if you plan to use the same server to authenticate users and the routers that initiate and answer connection requests. | Deploy an NPS Server for RADIUS Authentication |
| Configure the WAN interface through which the connection is made to each remote site. | Configure the WAN Adapter |
| Configure the intranet interface that connects each demand-dial router to its respective private network. | Configure the Intranet Connection |
| (Optional) Join the calling and answering routers to the Active Directory domain. | Join the Router to the Domain |
| (Optional) Place the calling and answering routers in a perimeter network at their respective sites. | Place the Router in Your Perimeter Network |
| (Optional) If you plan to use L2TP/IPsec authentication, install a computer certificate on the router at each end of the VPN tunnel. | Install Computer Certificates for L2TP/IPsec |
| (Optional) If you plan to use EAP-TLS for user authentication, install computer and user certificates on the routers at each end of the VPN tunnel. | Install Computer and User Certificates for EAP-TLS |
| Enable the routing and remote access service and configure the demand-dial interface for each remote site connection. | Configure the Routing and Remote Access Service and Demand-Dial Interfaces |
| On each router, create a user account whose name exactly matches the demand-dial interface of the remote router. | Create User Accounts for the Site-to-Site Connection |
| Specify a set of conditions that the calling router must meet before its connection request is authorized by the answering router. | Configure a Network Policy |
| Configure the connection to be always available (persistent), or specify a period of time that the connection can remain idle before it is disconnected. | Configure a Persistent Connection or a Disconnect Interval |
| Create static routes on the router at each end of the VPN tunnel to provide access to locations on its respective private network. | Configure Static Routes |
| (Optional) Configure RIP on the router interfaces. | Configure RIP |
| (Optional) Enable users to access the Internet through the calling router at their location. | Configure Internet Access Through the Calling Router |
| (Optional) Configure the router at each end of the VPN tunnel to support IP multicast applications. | Configure IP Multicasting |
| Choose different providers for authentication and accounting. | Configure the Authentication Provider |
| Change the authentication method on the answering router. | Configure Authentication Methods |
| Customize the default port settings. | Configure Ports in Routing and Remote Access |
| Specify when the calling router can initiate a connection and when the answering router can accept a connection. | Configure Dial-out or Dial-in Hours |
| (Optional) Configure filters that allow only specific types of traffic to cross the VPN tunnel, and specify which types of traffic can initiate a site-to-site connection. | Configure IP Packet Filters and Demand-Dial Filters |
| Confirm that each router has permission to initiate an on-demand connection, and then initiate a connection from the calling router. | Initiate the Connection |
| (Optional) Configure and verify Active Directory replication between the branch office network and the corporate network. | Configure Replication for Active Directory |
| Verify that the connection works in each direction as expected. | Test Site-to-Site Connectivity |

© 2014 Microsoft