Checklist: Implementing a Site-to-Site Connection Design
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
To connect remote networks by using a VPN site-to-site connection, you must identify which design options you need to deploy. If you are connecting existing networks, some elements that make up the infrastructure may already be in place. For example, each network may have a domain controller or the servers that you plan to connect may already be joined to the domain. Such tasks are identified in the checklist as optional.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
.gif)
Checklist:
Implementing a VPN Site-to-Site Connection Design
| Task | Reference | |
|---|---|---|
.gif) |
Review key concepts and design considerations for a VPN site-to-site connection. |
|
|
(Optional) Deploy a domain controller for the branch office site. |
|
|
(Optional) Use certificates to enable and manage user- and computer-level authentication. |
|
|
(Optional) Deploy an NPS server if you plan to use the same server to authenticate users and the routers that initiate and answer connection requests. |
|
|
Configure the WAN interface through which the connection is made to each remote site. |
|
|
Configure the intranet interface that connects each demand-dial router to its respective private network. |
|
|
(Optional) Join the calling and answering routers to the Active Directory domain. |
|
|
(Optional) Place the calling and answering routers in a perimeter network at their respective sites. |
|
|
(Optional) If you plan to use L2TP/IPsec authentication, install a computer certificate on the router at each end of the VPN tunnel. |
|
|
(Optional) If you plan to use EAP-TLS for user authentication, install computer and user certificates on the routers at each end of the VPN tunnel. |
|
|
Enable the routing and remote access service and configure the demand-dial interface for each remote site connection. |
|
|
On each router, create a user account whose name exactly matches the demand-dial interface of the remote router. |
|
|
Specify a set of conditions that the calling router must meet before its connection request is authorized by the answering router. |
|
|
Configure the connection to be always available (persistent), or specify a period of time that the connection can remain idle before it is disconnected. |
|
|
Create static routes on the router at each end of the VPN tunnel to provide access to locations on its respective private network. |
|
|
(Optional) Configure RIP on the router interfaces. |
|
|
(Optional) Enable users to access the Internet through the calling router at their location. |
|
|
(Optional) Configure the router at each end of the VPN tunnel to support IP multicast applications. |
|
|
Choose different providers for authentication and accounting. |
|
|
Change the authentication method on the answering router. |
|
|
Customize the default port settings. |
|
|
Specify when the calling router can initiate a connection and when the answering router can accept a connection. |
|
|
(Optional) Configure filters that allow only specific types of traffic to cross the VPN tunnel, and specify which types of traffic can initiate a site-to-site connection. |
|
|
Confirm that each router has permission to initiate an on-demand connection, and then initiate a connection from the calling router. |
|
|
(Optional) Configure and verify Active Directory replication between the branch office network and the corporate network. |
|
|
Verify that the connection works in each direction as expected. |
.gif)