Remote access VPN design considerations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To prevent problems, you should consider the following design issues before you implement remote access VPN connections:

  • Choosing between PPTP-based connections or L2TP/IPSec connections

  • Installing certificates

  • Configuring firewall packet filters

  • Creating a remote access policy for remote access VPN connections

  • Using an IAS server

  • Using Connection Manager

For more information, see Remote access VPN connection.

Note

  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.

Choosing between PPTP-based connections or L2TP/IPSec connections

A VPN server running Windows Server 2003 provides support for both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). When choosing between PPTP-based and L2TP/IPSec remote access VPN solutions, consider the following:

  • PPTP can be used with a variety of Microsoft clients including Windows 95 (with the Dial-up Networking Upgrade 1.3 and later), Windows 98, Windows Millennium Edition, Windows NT 4.0, Windows 2000, and Windows XP. PPTP does not require a public key infrastructure (PKI) to issue computer certificates. By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).

  • L2TP can only be used with client computers running Windows 2000 or Windows XP. L2TP supports either computer certificates or a preshared key as the authentication method for Internet Protocol security (IPSec). Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPSec, L2TP/IPSec VPN connections provide data confidentiality, data integrity, and data authentication.

Installing certificates

In order to create L2TP/IPSec remote access VPN connections using computer certificate authentication for IPSec, you must install computer certificates, also known as machine certificates, on the VPN client and the VPN server. For more information, see Network access authentication and certificates and Computer certificates for L2TP/IPSec VPN connections.

Configuring firewall packet filters

If you have a firewall, you must configure packet filters on the firewall to allow traffic between VPN clients on the Internet and the VPN server. For more information, see VPN servers and firewall configuration.

Creating a remote access policy for remote access VPN connections

By using remote access policies, you can create a policy that requires remote access VPN connections to use a specific authentication method and encryption strength.

For example, you can create an Active Directory group called VPN Users whose members are the user accounts of the users creating remote access VPN connections across the Internet. Then, you create a policy with two conditions on the policy: NAS-Port-Type is set to Virtual (VPN) and Windows-Group is set to VPN Users. Finally, you configure the profile for the policy to select a specific authentication method and encryption strength.
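The following is an added illustration (not Microsoft code) of how a remote access policy like the one just described is applied to a connection attempt: policies are checked in order, the first policy whose conditions all match is used, and that policy's profile then either admits the connection or rejects it outright. The policy names, groups and encryption level names are constructed for the example.

```python
"""Model of remote access policy evaluation for a VPN connection attempt.
Added example, not Microsoft's implementation: it mirrors the documented
behaviour that the first policy whose conditions all match is applied, and
that a matching policy's profile can reject the connection (no fall-through).
"""
from dataclasses import dataclass

# Profile encryption levels as shown on the policy's Encryption tab, ordered by strength.
ENCRYPTION_RANK = {"None": 0, "Basic": 1, "Strong": 2, "Strongest": 3}

@dataclass
class Attempt:
    nas_port_type: str       # e.g. "Virtual (VPN)" or "Async (Modem)"
    groups: frozenset        # Windows groups the authenticating user belongs to
    auth_method: str         # e.g. "MS-CHAP v2", "EAP-TLS", "PAP"
    encryption: str          # encryption level the client can negotiate

@dataclass
class Policy:
    name: str
    conditions: dict         # condition attribute -> required value; all must match
    grant: bool              # remote access permission: grant (True) or deny (False)
    allowed_auth: frozenset  # profile: permitted authentication methods
    min_encryption: str      # profile: weakest encryption level accepted

def conditions_match(policy, attempt):
    for attr, required in policy.conditions.items():
        if attr == "NAS-Port-Type":
            if attempt.nas_port_type != required:
                return False
        elif attr == "Windows-Group":
            if required not in attempt.groups:
                return False
        else:
            raise ValueError(f"unsupported condition attribute {attr}")  # hypothetical limit
    return True

def evaluate(policies, attempt):
    """Return (accepted, reason). No matching policy means the attempt is rejected."""
    for p in policies:
        if not conditions_match(p, attempt):
            continue
        if not p.grant:
            return False, f"{p.name}: permission denied"
        if attempt.auth_method not in p.allowed_auth:
            return False, f"{p.name}: authentication method {attempt.auth_method} not permitted"
        if ENCRYPTION_RANK[attempt.encryption] < ENCRYPTION_RANK[p.min_encryption]:
            return False, f"{p.name}: encryption {attempt.encryption} below {p.min_encryption}"
        return True, f"{p.name}: accepted"
    return False, "no matching policy"

# Constructed policy following the text: VPN port type, VPN Users group,
# strong authentication only, and the strongest encryption level required.
VPN_POLICY = Policy("VPN Users policy",
                    {"NAS-Port-Type": "Virtual (VPN)", "Windows-Group": "VPN Users"},
                    True, frozenset({"MS-CHAP v2", "EAP-TLS"}), "Strongest")
```

A modem connection from a VPN Users member does not match this policy's conditions, so it is not admitted by it; a VPN connection that matches but offers PAP or weak encryption is rejected by the profile rather than passed on to a later policy.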

For more information, see Introduction to remote access policies.

Using an IAS server

If you have multiple VPN servers running Windows Server 2003, you need to configure remote access policies and logging for each VPN server. If you want to take advantage of centralized remote access policies and logging, you can configure the VPN servers as Remote Authentication Dial-In User Service (RADIUS) clients to a single computer (a RADIUS server) running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; and Internet Authentication Service (IAS).

You should also use an IAS server if you have VPN servers running Windows NT 4.0 with the Routing and Remote Access Service (RRAS), and you want to take advantage of remote access policies available in products in the Windows Server 2003 family. You cannot configure a VPN server running Windows NT 4.0 without RRAS as a RADIUS client; you must first upgrade it to a VPN server running Windows NT 4.0 and RRAS.

For more information, see Using RADIUS for multiple remote access servers.

Using Connection Manager

For a large remote access VPN deployment, you can use Connection Manager and the Connection Manager Administration Kit to provide a custom dialer with preconfigured VPN connections to all remote access clients across your organization.

For more information about Connection Manager, see Connection Manager Administration Kit. For information about implementing VPN support with the Connection Manager Administration Kit, see Implementing VPN support.