Checklist: Implementing a Site-to-Site Connection Design

Published: April 30, 2010

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

To connect remote networks by using a VPN site-to-site connection, you must identify which design options you need to deploy. If you are connecting existing networks, some elements that make up the infrastructure may already be in place. For example, each network may have a domain controller or the servers that you plan to connect may already be joined to the domain. Such tasks are identified in the checklist as optional.

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist Checklist:

Implementing a VPN Site-to-Site Connection Design


  Task Reference

Review key concepts and design considerations for a VPN site-to-site connection.

Conceptual topic Virtual Private Networking

Conceptual topic Connecting Remote Sites Design in the Routing and Remote Access Services Design Guide


(Optional) Deploy a domain controller for the branch office site.

Conceptual topic Deploy Active Directory


(Optional) Use certificates to enable and manage user- and computer-level authentication.

Conceptual topic Deploy a Certificate Infrastructure


(Optional) Deploy an NPS server if you plan to use the same server to authenticate users and the routers that initiate and answer connection requests.

Conceptual topic Deploy an NPS Server for RADIUS Authentication


Configure the WAN interface through which the connection is made to each remote site.

Conceptual topic Configure the WAN Adapter


Configure the intranet interface that connects each demand-dial router to its respective private network.

Conceptual topic Configure the Intranet Connection


(Optional) Join the calling and answering routers to the Active Directory domain.

Conceptual topic Join the Router to the Domain


(Optional) Place the calling and answering routers in a perimeter network at their respective sites.

Conceptual topic Place the Router in Your Perimeter Network


(Optional) If you plan to use L2TP/IPsec authentication, install a computer certificate on the router at each end of the VPN tunnel.

Conceptual topic Install Computer Certificates for L2TP/IPsec


(Optional) If you plan to use EAP-TLS for user authentication, install computer and user certificates on the routers at each end of the VPN tunnel.

Conceptual topic Install Computer and User Certificates for EAP-TLS


Enable the routing and remote access service and configure the demand-dial interface for each remote site connection.

Conceptual topic Configure the Routing and Remote Access Service and Demand-Dial Interfaces


On each router, create a user account whose name exactly matches the demand-dial interface of the remote router.

Conceptual topic Create User Accounts for the Site-to-Site Connection


Specify a set of conditions that the calling router must meet before its connection request is authorized by the answering router.

Conceptual topic Configure a Network Policy


Configure the connection to be always available (persistent), or specify a period of time that the connection can remain idle before it is disconnected.

Conceptual topic Configure a Persistent Connection or a Disconnect Interval


Create static routes on the router at each end of the VPN tunnel to provide access to locations on its respective private network.

Conceptual topic Configure Static Routes


(Optional) Configure RIP on the router interfaces.

Conceptual topic Configure RIP


(Optional) Enable users to access the Internet through the calling router at their location.

Conceptual topic Configure Internet Access Through the Calling Router


(Optional) Configure the router at each end of the VPN tunnel to support IP multicast applications.

Conceptual topic Configure IP Multicasting


Choose different providers for authentication and accounting.

Conceptual topic Configure the Authentication Provider


Change the authentication method on the answering router.

Conceptual topic Configure Authentication Methods


Customize the default port settings.

Conceptual topic Configure Ports in Routing and Remote Access


Specify when the calling router can initiate a connection and when the answering router can accept a connection.

Conceptual topic Configure Dial-out or Dial-in Hours


(Optional) Configure filters that allow only specific types of traffic to cross the VPN tunnel, and specify which types of traffic can initiate a site-to-site connection.

Conceptual topic Configure IP Packet Filters and Demand-Dial Filters


Confirm that each router has permission to initiate an on-demand connection, and then initiate a connection from the calling router.

Conceptual topic Initiate the Connection


(Optional) Configure and verify Active Directory replication between the branch office network and the corporate network.

Conceptual topic Configure Replication for Active Directory


Verify that the connection works in each direction as expected.

Conceptual topic Test Site-to-Site Connectivity

Community Additions