Choose an On-Demand or Persistent Connection

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

You can configure the calling router for any of the connection types — dial-up, PPTP VPN, or L2TP/IPsec VPN — with either an on-demand or a persistent connection. The following table describes and compares these connection type options.


Connection Type Description Use

On-demand connection

Establishes a connection when traffic is forwarded, and it terminates the connection when the link is not used for a specified period of time.

Use an on-demand connection if using the communications link incurs per-minute charges.

For an on-demand VPN connection, the calling router can use either a permanent or a dial-up link to the Internet. The answering router must have a permanent link to the Internet to ensure that it is available when a calling router attempts to establish a connection.

Persistent connection

Sustains a connection for 24 hours a day.

Use a persistent connection in the following circumstances:

  • When the cost of the connection is based on a flat fee, such as for a link to a local ISP for each site when sites are located in separate cities or for a connection between different sites within the same city.

  • When data traffic is time-sensitive. For example, if you support mainframe terminal connectivity between sites, if the terminals must wait for an on-demand VPN connection to be activated and the connection attempt times out before the session can be launched.

For a persistent VPN connection, both the calling and the answering router must use a permanent link to the Internet.

For on-demand connections, to prevent the calling router from establishing unnecessary connections, you can use demand-dial filtering and dial-out hours:

  • Demand-dial filters. To prevent a VPN calling router from initiating unnecessary connections, you can configure demand-dial filters to specify the types of IP traffic for which the router will or will not create a demand-dial connection. You can identify traffic to accept or reject based on source and destination addresses of incoming traffic and the protocol in use.

    We recommend that you match the demand-dial filters to the IP packet filters configured on the demand-dial interface. If there is specific traffic that is not allowed across the demand-dial interface when it is connected, that same traffic should not be allowed to initiate an outbound demand-dial connection using that interface. For example, if you have a packet filter that prevents ICMP traffic from being sent across the demand-dial interface, then you should also configure a demand-dial filter to prevent ICMP traffic from initiating the demand-dial connection. For more information about matching demand-dial filters to IP packet filters, see Integrate the Remote Site Connection into Your Network in this guide, and Configure IP Packet Filters and Demand-Dial Filters in the RRAS Deployment Guide.

  • Dial-out hours. To prevent a dial-up or VPN calling router from initiating unnecessary connections, you can configure dial-out hours to specify the hours during which a calling router is either permitted to make a site-to-site connection or denied the connection. You can also configure network policies on the answering router to restrict the time periods when incoming demand-dial connections are allowed.

Community Additions