Choosing Dial-up or VPN
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
With a secure network architecture based on Windows Server 2003 in place, the first step in designing a remote access server solution is deciding whether to provide network access to remote clients by using dial-up networking, a VPN solution, or a combination of both. Figure 8.2 shows the placement of this design decision in the process for designing and deploying dial-up and VPN remote access servers.
Figure 8.2 Choosing Dial-up or VPN
Each method for providing remote access has advantages and disadvantages that you must weigh based on the needs of your organization. A dial-up networking solution carries data over a circuit-switched telephone connection. That path is private relative to the Internet, but it is not encrypted, so its security rests on the remote access server authenticating every caller; it also provides the convenience of direct dial-up connectivity to your network for mobile users. In contrast, a VPN solution uses the Internet as the connection medium, which eliminates long-distance phone charges and reduces hardware costs. To mitigate the public nature of the Internet, VPNs use a combination of security technologies: tunneling, encryption, and authentication.
Using Dial-up Networking for Remote Access
In a dial-up networking solution, remote users call in to a remote access server on your network. Dial-up lines are inherently more private than a solution that uses a public network such as the Internet, because an attacker must gain access to the telephone network rather than to any point on the Internet. Privacy is not authentication, however: anyone who knows the phone number can reach the server, so require strong PPP authentication (for example, MS-CHAP v2 or EAP) on dial-up connections just as you would on a VPN. With dial-up networking, your organization also faces a large initial investment and continuing expenses throughout the life cycle of the solution. These expenses include:
Hardware purchase and installation. Dial-up networking requires an initial investment in modems or other communication hardware, server hardware, and phone line installation.
Monthly phone costs. Each phone line that is used for remote access increases the cost of dial-up networking. If you use toll-free numbers or the callback feature to defray long-distance charges for your users, these costs can be substantial. Most businesses can arrange a bulk rate for long distance, which is preferable to reimbursing users individually at their more expensive residential rates. Callback also has a security benefit when you configure a user account to always call back a fixed number: a stolen set of credentials can then be used only from that location.
Ongoing support. The number of remote access users and the complexity of your remote access design significantly affect the ongoing support costs for dial-up networking. Support costs include network support engineers, testing equipment, training, and help desk personnel to support and manage the deployment. These costs represent the largest portion of your organization’s investment.
Figure 8.3 shows an example of a simple dial-up remote access networking design.
Figure 8.3 Dial-up Remote Access Design
Providing Remote Access over a VPN
In a VPN solution for remote access, users connect to your corporate network over the Internet. VPNs combine three technologies to create secure connections: tunneling, which carries private network traffic across the Internet; authentication, which verifies the remote user and, with L2TP/IPSec, the remote computer; and encryption, which keeps the tunneled data confidential. To ensure the highest level of security for a VPN deployment, use Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec). L2TP/IPSec authenticates the client computer (normally with a certificate; a preshared key is supported but weaker) before any user credentials are sent, and IPSec then provides per-packet integrity protection and encryption of the tunneled traffic. By contrast, PPTP derives its encryption keys from the user's password, so its strength depends on the strength of that password.
Many organizations with extensive remote access requirements implement a VPN solution. VPNs reduce remote access expenses by using the existing Internet infrastructure. You can use a VPN to partially or entirely replace your centralized, in-house, dial-up remote access infrastructure and legacy services.
VPNs offer two primary benefits:
Reduced costs. Using the Internet as a connection medium saves long-distance phone expenses and requires less hardware than a dial-up networking solution does.
Adequate security. Authentication ensures that only authorized users (and, with L2TP/IPSec, authorized computers) can connect. Strong encryption makes it computationally infeasible for an eavesdropper on the Internet to read the data sent across a VPN connection. Keep in mind that the VPN protects traffic only between the client and the VPN server; a compromised remote computer that holds valid credentials is a route into your network regardless of the tunnel.
Figure 8.4 shows an example of a simple VPN remote access networking design.
Figure 8.4 VPN Remote Access Design
Regardless of the approach that you choose, you can increase manageability of your remote access server solution by using IAS to centralize VPN or dial-up networking authentication, authorization, and accounting. For the Microsoft® Windows® 2000 Server family, IAS is a RADIUS server; for the Windows Server 2003 family, IAS is a RADIUS server and proxy. For information about designing and deploying IAS, see "Deploying Internet Authentication Service (IAS)" in this book.
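As an added illustration of the centralized approach described above (this is example configuration, not a script from the deployment guide), the following commands point a Windows Server 2003 remote access server at IAS for RADIUS authentication and accounting. The IAS host names and the shared secret are placeholders that you would replace with your own; the commands assume the Routing and Remote Access service is already installed and enabled on the server.

```bat
@echo off
rem Added example: make a Windows Server 2003 RRAS server use IAS (RADIUS)
rem for authentication and accounting instead of local Windows authentication.
rem ias1/ias2 host names and the shared secret are assumed placeholders.
rem Run at a command prompt on the RRAS server.

rem Switch both authentication and accounting to RADIUS.
netsh ras aaaa set authentication provider=radius
netsh ras aaaa set accounting provider=radius

rem Primary and secondary IAS servers for authentication.
rem init-score sets preference (higher is tried first); signature=enabled
rem requires the RADIUS Message-Authenticator attribute, which protects
rem Access-Request packets against spoofing by a third party.
netsh ras aaaa add authserver name=ias1.corp.example.com secret=ReplaceWithLongRandomSecret init-score=30 port=1812 timeout=5 signature=enabled
netsh ras aaaa add authserver name=ias2.corp.example.com secret=ReplaceWithLongRandomSecret init-score=20 port=1812 timeout=5 signature=enabled

rem The same servers for accounting (RADIUS accounting uses UDP 1813).
netsh ras aaaa add acctserver name=ias1.corp.example.com secret=ReplaceWithLongRandomSecret init-score=30 port=1813 timeout=5
netsh ras aaaa add acctserver name=ias2.corp.example.com secret=ReplaceWithLongRandomSecret init-score=20 port=1813 timeout=5

rem Confirm the providers and server lists the RRAS server will use.
netsh ras aaaa show authentication
netsh ras aaaa show accounting
netsh ras aaaa show authserver
netsh ras aaaa show acctserver
```

The same shared secret must be entered in the RADIUS client entry for this RRAS server on each IAS server; use a long, random value and a different one per client. RADIUS obscures only the User-Password attribute (with an MD5-based method keyed by the shared secret) and sends other attributes in the clear, so place the IAS servers and the RRAS server on a protected internal segment rather than exposing RADIUS traffic to the Internet.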