Another possibility for remote connections to the company network involves the use of a Virtual Private Network (VPN) . A VPN is a secure, dedicated, point-to-point connection over a public IP internetwork, such as the Internet. Using a VPN means that you don't have to configure the RAS server with a modem pool or other WAN connection type. The RAS server just needs to be connected to the Internet, and the remote client will connect to the company network by tunneling through the Internet.
A VPN connection has both a client and server side (as do remote access dial-up connections). The tunnel server provides the server side of the connection. Most network operating systems provide support for VPNs in their remote access software. The VPN client is referred to as the tunnel client and will need remote access software configured to connect to a VPN tunnel server. The actual connection between the server and the client is referred to as the tunnel .
VPN connections or tunnels are managed by the Point-to-Point Tunneling Protocol (PPTP) . PPTP is an extension of the PPP protocol and provides for the encapsulation of the data that moves between the remote client and the RAS server over the Internet. Basically, your data frames (such as Ethernet frames) are encapsulated by PPP and then encapsulated again by PPTP. This means that any frame types can be transmitted over the Internet between the remote client and the RAS server. When encapsulated data frames reach their destination, they are "unencapsulated," meaning the PPP and PPTP "baggies" are stripped from the data frames .
Configuring a Tunnel Server
A number of network operating systems provide support for VPN remote access. In some cases, the Remote Access Service that is configured for remote dial-up connections can also be configured for VPN. For example, the Windows Server 2003 Routing and Remote Access snap-in provides a wizard (just like it does for dial-up connections) that can be used to quickly configure the VPN.
Figure 17.7 shows the Windows Server 2003 wizard for configuring VPNs. The NIC that provides the connection to the Internet for the server must be specified as the connection for incoming VPN connections.
Figure 17.7. Network operating systems such as Windows Server 2003 also provide remote access to the network via VPN.
The remote access server can also be configured to supply IP addresses to VPN clients that connect to the RAS server (or the RAS server will allow the network DHCP server to assign appropriate addresses). Such an IP address is actually assigned to the PPP virtual adapter that is created on the tunnel client (once it has been configured for VPN). This assigned IP address does not mess up the IP address that has been assigned to the client's dial-up adapter by the ISP used by the client to connect to the Internet. The client will actually be simultaneously connecting to two different IP networks because of the VPN tunnel (one network being the ISP's network; the other being the Windows network that the client is connecting to via the VPN).
Configuring a Tunnel Client
Once the tunnel server is configured on the network (and connected to the Internet), the tunnel client needs to be set up. The client needs to be outfitted with a modem or some other connectivity medium and have an account with an ISP for a connection to the Internet.
The tunnel client is configured using the dial-up client software provided by the client's operating system. For example, on a Windows 2000 VPN tunnel client, the VPN connection (and the addition of PPTP to the computer's protocol list) is handled by the Network Connection Wizard (in the same manner as a dial-up connection is created). During the configuration process of the client, the IP address of the tunnel server (the RAS server on the network) must be specified, as shown in Figure 17.8.
Figure 17.8. The IP address of the tunnel server must be specified when the tunnel client is being configured.
Once the tunnel client is configured, it's just a matter of double-clicking the VPN connection icon that is created during the client setup (on the client computer, it is found in the Network Connections window of the Control Panel). The username and password of the tunnel client are verified by the tunnel server when the connection is requested by the remote client.
Monitoring VPN Connections
Once the tunnel client has connected to the tunnel server, the VPN connection can be used to move data between the two computers. In essence, the tunnel client is now connected to the network just like any other LAN clients are connected. The user will have access to any network resources that she has the appropriate privileges for.
Remote access servers that provide VPN support also supply you with the ability to monitor remote connections (as do remote access servers that supply dial-in access). Not only can you view the number of total connections but you can view statistics related to each individual connection such as the time connected and the activity (such as the amount of data moved) that has taken place on the connection.
Both dial-up and VPN connections allow you to expand your network beyond the confines of your LAN infrastructure. This allows you to accommodate employees on the road, employee telecommuters, and employees working at remote corporate sites.