Placing Remote Access Servers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In deciding where to place remote access servers on your network, consider firewall placement and the placement of other network resources. Place remote access servers close to the network resources that remote access clients need. These resources might include a CA, a RADIUS server, a domain controller, or file and application servers.

In a dial-up remote access design, the server is usually placed behind the firewall: dial-up clients reach it over the telephone network rather than the Internet, so the firewall is not in the path between client and server. Because a VPN design involves Internet connectivity, server placement relative to the firewall is a greater issue, and the choice determines which device sees the encrypted tunnel traffic and which sees the decrypted intranet traffic.

If you are designing a VPN remote access solution, choose between two options for server placement, each with different design requirements:

  • VPN server behind the firewall. The firewall is attached to the Internet, with the VPN server between the firewall and the intranet. This is the placement used in a perimeter network configuration, which uses two firewalls: one between the Internet and the VPN server, and another between the VPN server and the intranet.

  • VPN server in front of the firewall. The VPN server is connected to the Internet, with the firewall between the VPN server and the intranet.

VPN Server Behind the Firewall

The most common configuration for a VPN remote access design is to locate the VPN server behind a firewall. In this configuration, the firewall is connected to the Internet, and the VPN server is an intranet resource that is connected to the perimeter network. The VPN server has an interface on both the perimeter network and the intranet. The Internet firewall (the firewall between the Internet and the VPN server) filters all traffic from Internet clients, so that only tunnel traffic reaches the VPN server. The intranet firewall (the firewall between the VPN server and the intranet) filters the decrypted traffic that VPN clients send into the intranet, so that an authenticated VPN client is still subject to the same access policy as any other perimeter host.

Placing a VPN server behind the firewall requires the following configuration:

  • Configure the Internet interface on the firewall with inbound and outbound filters that allow only VPN tunnel traffic to and from the VPN server's perimeter network address. For PPTP this is TCP port 1723 (the control connection) and GRE, IP protocol 47 (the tunneled data); for L2TP/IPSec it is UDP port 500 (IKE), UDP port 4500 (IKE and ESP when NAT traversal is in use), and ESP, IP protocol 50. You can specify additional filters to allow traffic to the Web servers, File Transfer Protocol (FTP) servers, and other types of servers on the perimeter network.

  • For an added layer of security, configure the perimeter network interface on the VPN server with PPTP or L2TP/IPSec packet filters. The server then drops anything that is not tunnel traffic on its own, even if a filter on the Internet firewall is later loosened or misconfigured.

VPN Server in Front of the Firewall

Another option is to place the VPN server in front of the firewall, directly connected to the Internet. For inbound traffic, the VPN server decrypts the tunneled data and forwards it to the firewall. The firewall acts as a filter for intranet traffic, and it can prevent access to specific resources, scan data for viruses, perform intrusion detection, and carry out other functions. In this placement the VPN server, not the firewall, is the host exposed to the Internet, so it must be hardened and patched as carefully as the firewall itself.

To place a VPN server in front of the firewall, you must configure inbound and outbound filters on the VPN server to allow only VPN traffic (the PPTP or L2TP/IPSec filters) to and from the IP address of the VPN server’s Internet interface. Every other packet arriving on that interface, including traffic addressed to the server itself on non-VPN ports, is dropped.
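The following Python model is an added example; it is not part of this documentation and is not Routing and Remote Access code. It models the filter set that both placements call for (the Internet-facing filters on the firewall for a VPN server behind the firewall, and the Internet interface filters on the server itself for a VPN server in front of the firewall): admit only PPTP or L2TP/IPSec traffic addressed to, or sent from, the VPN server's own Internet address, and drop everything else. The names `Packet`, `Rule`, `vpn_filter` and `evaluate`, the two IP addresses, and the sample packets are all constructed for illustration.

```python
"""Illustrative packet-filter model for a VPN server's Internet-facing interface.

Added example, not part of the original documentation and not RRAS code.
Protocol numbers and ports are the standard ones:
  PPTP        TCP 1723 (control) and GRE, IP protocol 47 (tunnel data)
  L2TP/IPSec  UDP 500 (IKE), UDP 4500 (IKE/ESP with NAT traversal), ESP, IP protocol 50
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports (GRE, ESP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    proto: int
    port: Optional[int]           # the VPN server's well-known port, or None (GRE/ESP)


# The rule sets the text refers to as "PPTP filters" and "L2TP/IPSec filters".
PPTP_RULES = (Rule(TCP, 1723), Rule(GRE, None))
L2TP_IPSEC_RULES = (Rule(UDP, 500), Rule(UDP, 4500), Rule(ESP, None))


def vpn_filter(vpn_ip: str, rules: Sequence[Rule], pkt: Packet) -> bool:
    """Return True if pkt may pass the VPN server's Internet interface.

    Inbound packets must be addressed to vpn_ip on one of the VPN ports or
    protocols; outbound packets must originate from vpn_ip on the same ports.
    Anything else (Web, SMB, RDP, or traffic for some other host) is dropped,
    which is what "allow only VPN traffic to and from the Internet interface"
    means in practice.
    """
    for rule in rules:
        if pkt.proto != rule.proto:
            continue
        inbound = pkt.dst == vpn_ip and (rule.port is None or pkt.dport == rule.port)
        outbound = pkt.src == vpn_ip and (rule.port is None or pkt.sport == rule.port)
        if inbound or outbound:
            return True
    return False


# Assumed addresses from the documentation ranges (TEST-NET-3 and TEST-NET-2).
VPN_IP = "203.0.113.10"    # assumed public address of the VPN server's Internet interface
CLIENT = "198.51.100.25"   # assumed remote access client

# Constructed packets, not captured traffic.
SAMPLE: Tuple[Tuple[str, Packet], ...] = (
    ("pptp control in",     Packet(CLIENT, VPN_IP, TCP, 40000, 1723)),
    ("gre tunnel in",       Packet(CLIENT, VPN_IP, GRE)),
    ("pptp control out",    Packet(VPN_IP, CLIENT, TCP, 1723, 40000)),
    ("ike in",              Packet(CLIENT, VPN_IP, UDP, 500, 500)),
    ("nat-t in",            Packet(CLIENT, VPN_IP, UDP, 4500, 4500)),
    ("esp in",              Packet(CLIENT, VPN_IP, ESP)),
    ("http to vpn",         Packet(CLIENT, VPN_IP, TCP, 40001, 80)),
    ("smb to vpn",          Packet(CLIENT, VPN_IP, TCP, 40002, 445)),
    ("pptp to other host",  Packet(CLIENT, "203.0.113.11", TCP, 40003, 1723)),
)


def evaluate(vpn_ip: str, rules: Sequence[Rule], packets=SAMPLE) -> dict:
    """Run every sample packet through the filter; map name -> allowed."""
    return {name: vpn_filter(vpn_ip, rules, pkt) for name, pkt in packets}


if __name__ == "__main__":
    for name, allowed in evaluate(VPN_IP, PPTP_RULES + L2TP_IPSEC_RULES).items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DROP'}")
```

Two points the model makes visible: a PPTP filter that admits TCP 1723 but not GRE lets clients authenticate and then fail to pass any tunneled data, and a filter set built for PPTP alone drops IKE on UDP 500, so a server that also serves L2TP/IPSec clients needs both rule sets.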

Note

  • To enable access to services running on the VPN server, make sure that the network basic input/output system (NetBIOS) and DNS names of the VPN server’s Internet interface are not registered in the intranet namespaces. Otherwise intranet clients may resolve the server's name to its Internet address and try to reach it through the Internet interface, where the packet filters drop everything except VPN traffic. Not registering the Internet interface is the default behavior for Windows Server 2003 VPN servers.