Internet-based VPNs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


By using an Internet-based VPN connection, you can avoid long-distance and 1-800 telephone charges while taking advantage of the global availability of the Internet.

Remote access over the Internet

Rather than making a long distance or 1-800 call to a corporate or outsourced network access server (NAS), a remote access client can call a local ISP. By using the established physical connection to the local ISP, the remote access client initiates a VPN connection across the Internet to the organization's VPN server. Once the VPN connection is created, the remote access client can access the resources of the private intranet.

The following illustration shows remote access over the Internet.

[Illustration: Remote access over the Internet using a VPN connection]

For more information on deploying remote access VPN connections across the Internet, see Deploying VPNs for Remote Access. For an example implementation of a remote access VPN connection across the Internet, see Virtual Private Network Implementation Examples.

Connecting networks over the Internet

When networks are connected over the Internet, a router forwards packets to another router across a VPN connection. This is known as a router-to-router VPN connection. To the routers, the VPN operates as a data-link layer link.

The following illustration shows connecting networks over the Internet.

[Illustration: Connecting networks using a VPN connection]

Rather than using an expensive long-distance dedicated WAN link between branch offices, the branch office routers are connected to the Internet by using local dedicated WAN links to a local ISP. A router-to-router VPN connection is then initiated by either router across the Internet. Once connected, routers can forward directed or routing protocol traffic to each other by using the VPN connection.

Rather than making a long distance or 1-800 call to a corporate or outsourced NAS, a branch office router can call a local ISP. By using the established connection to the local ISP, a router-to-router VPN connection is initiated by the branch office router to the corporate office router across the Internet. The corporate office router acts as a VPN server and must be connected to a local ISP by using a dedicated WAN link.

It is possible to have both the corporate office and the branch office connected to the Internet by using a dial-up WAN link. However, this is only feasible if the ISP supports demand-dial routing to customers, in which the ISP calls the customer router when an IP datagram is to be delivered to the customer. Demand-dial routing to customers is not widely supported by ISPs.

For more information on deploying router-to-router VPN connections across the Internet, see Deploying Router-to-Router VPNs. For an example implementation of router-to-router VPN connections across the Internet, see Virtual Private Network Implementation Examples.

Note

  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.