Connect Remote Clients to a Network by Using VPN
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
Users working at home or at another remote location need access to the files and resources on a company's network. By using the virtual private network (VPN) connection method, a remote user can establish a secure connection over the Internet to a VPN server running RRAS on Windows Server. From the user's perspective, the VPN is a point-to-point connection between the local computer (the VPN client) and the remote network through a gateway (the VPN server). The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
Organizations can also use VPN connections to establish routed connections between geographically separated offices or with other organizations over a public network such as the Internet while maintaining secure communications. A routed VPN connection across the Internet logically operates as though it were a dedicated WAN link. For more information, see Connect Multiple Remote Sites.
The following illustration shows the logical equivalent of a VPN connection.
A VPN connection emulates a point-to-point connection. Data is encapsulated, or wrapped, with an additional IP header that provides routing information to reach the VPN server. When encapsulated network traffic crosses the public network between the client and VPN server, or between two VPN servers, we say that it is traversing a tunnel through the public network.
To help secure a VPN connection, data is encrypted before it is encapsulated. Intercepted packets are unintelligible without the encryption keys.
VPN connections are created, managed, and terminated by using special protocols called tunneling protocols. Both the VPN client and the VPN server must support the same tunneling protocol to successfully create a VPN connection. A VPN server running RRAS on Windows Server 2003 or later can use Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP). RRAS servers running Windows Server 2008 or later can also use Secure Socket Tunneling Protocol (SSTP). RRAS servers running Windows Server 2008 R2 can also use Internet Key Exchange version 2 (IKEv2). For more information, such as the encapsulation and encryption methods used and the client versions supported by each tunneling protocol, see Appendix C: VPN Tunneling Protocols.