Virtual private network (VPN) deployments depend on many services and functions working together smoothly: remote access users must be identified and authorized; tunnels must be built, maintained, and managed for hundreds of users; routing must control all traffic to and from the gateway; and while all this is happening, performance and security must be maintained. This is no small feat, and numerous components must be set up correctly for the VPN system to operate properly. To make the right decisions when deploying Windows remote access VPN connections, you must understand all the components involved. In Chapter 2, “VPN Overview,” we discussed the two types of VPN scenarios that are commonly deployed: remote access, where many clients connect to a single gateway to reach internal resources, and site-to-site, where two networks need a private channel over which to communicate across the Internet. In this chapter, we describe the components of remote access VPN connections and their associated design points.
Typically, when an administrator is developing a VPN solution, they are either working on a remote access solution or a site-to-site solution—rarely, if ever, will they be doing both at the same time. To make this book easier to use, throughout the book you will find that we separated the processes of remote access implementation and site-to-site implementation. Therefore, just as we give you an overview of remote access components in this chapter, we will provide an overview of site-to-site VPN components in Chapter 8, “Site-to-Site VPN Components and Design Points.”
Figure 5-1 shows the components of Windows remote access VPNs.
Figure 5-1: Components of Windows remote access VPNs.
The main components are:
Internet network infrastructure
VPN server, otherwise known as the gateway
Intranet network infrastructure
Authentication, authorization, and accounting (AAA) infrastructure, handled by Internet Authentication Service (IAS), the Windows implementation of a RADIUS server