Overview of Remote Site Connectivity


Many organizations have offices located in different geographical locations, requiring remote site connectivity. You can use the Windows Server 2003 Routing and Remote Access service to deploy a cost-effective and secure site-to-site solution.

Traditionally, organizations have used wide area network (WAN) site-to-site connection technologies, such as T-Carrier or Frame Relay, to connect remote sites across a private data network. However, these private lines are expensive. For example, the prices for T-Carrier services are based on both bandwidth and distance, which makes the connections relatively costly. In addition, T-Carrier typically requires a dedicated infrastructure, including a Channel Service Unit/Data Service Unit (CSU/DSU) and line-specific routers at each end of the connection.

In contrast, you can integrate the Windows Server 2003 Routing and Remote Access service solution into your organization's current network by using existing servers. With the site-to-site connections provided by the Routing and Remote Access service, you have two alternatives to conventional WAN links: a site-to-site dial-up connection or a site-to-site VPN connection. If you deploy a Routing and Remote Access solution to replace an existing WAN connection, or to implement a new connection, you can optimize cost savings by tailoring your connection type to your traffic volume. You can also customize security to fit your organization's requirements.

Note

The Routing and Remote Access service can support both site-to-site connections between remote offices and remote access connections for individual computers. This chapter focuses on site-to-site connections.

Before you begin the design process to introduce a new site-to-site connection into your network, or modify an existing connection, inventory your existing hardware and software, and create or update a map of your current network. Updating your inventory and network configuration information facilitates both the design and the deployment phases. For a guide to conducting inventories and creating a network map, see "Planning for Deployment" in Planning, Testing, and Piloting Deployment Projects of this kit.

Note

For a list of job aids that are available to assist you in deploying site-to-site connection technology, see "Additional Resources" later in this chapter.

Remote Site Connectivity Process

To begin the design process for deploying a site-to-site connection, choose the remote site connection type and its configuration options that are most appropriate, and decide which security features to use to protect that connection. Next, decide how you want to integrate the remote site connection into your existing network infrastructure. Finally, prepare the servers that you plan to configure as routers. After you complete these design decisions, you are ready to deploy your remote site connection. The flowchart in Figure 10.1 outlines this process.

Figure 10.1: Connecting Remote Sites

Remote Site Connectivity Background

You can design and deploy a remote site connection that is optimal for your organizational and network environment by using the connectivity, security, and network configuration options provided by the Routing and Remote Access service.

The following sections describe three typical remote site connection solutions — a Point-to-Point Tunneling Protocol (PPTP) VPN connection, a Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPSec) VPN connection, and a dial-up connection. For detailed information about each connection type and the range of available configuration and security options, see "Choosing the Remote Site Connection Type" and "Choosing Security Features" later in this chapter.

PPTP VPN Solution

Organizations with moderate to heavy traffic between a branch office and a main office and existing connections to the Internet might choose a PPTP-based site-to-site connection. In the example shown in Figure 10.2, a firewall creates a perimeter network at each end of the Internet tunnel. Windows Server 2003 also supports VPN functionality without the use of a firewall.

Figure 10.2: One-Way Initiated On-Demand Dial-up PPTP VPN Solution

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), which provides a high-security protocol for password authentication, is a highly recommended method for authentication and encryption key generation for a site-to-site connection. Alternatively, you can use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which provides even stronger, certificate-based user-level authentication than the password-based MS-CHAP v2.

The main office site must have a permanent WAN link to its local Internet service provider (ISP), but the branch office site can use a dial-up WAN link to its local ISP. An on-demand connection that drops after a specified idle period ensures that the link is active only while traffic needs it. Reciprocal replication ensures that replication between domain controllers in separate sites takes place over the one-way initiated on-demand connection. Figure 10.2 depicts this solution.

L2TP/IPSec VPN Solution

Organizations that need maximum security to support substantial two-way traffic between a large branch office and a headquarters office might choose an L2TP/IPSec VPN solution. A firewall creates a perimeter network at each end of the Internet tunnel. A persistent connection, enabled by a dedicated link to the ISP at both sites, allows around-the-clock traffic.

The recommended method for the computer-level authentication provided by L2TP/IPSec is the exchange of computer certificates by the calling and answering endpoints, which requires a certificate infrastructure provided by the certification authority (CA) server. EAP-TLS provides stronger user-level authentication than does the password-based MS-CHAP v2, because it requires a user certificate on the calling endpoint and a computer certificate on the answering endpoint. L2TP/IPSec uses IPSec as its encryption method. For a persistent connection, replication takes place across the site link at specified intervals — you do not need to configure reciprocal replication as you do for a one-way initiated on-demand connection. The example in Figure 10.3 depicts this solution.

Figure 10.3: Persistent Two-Way Initiated L2TP/IPSec VPN Solution

Dial-up Solution

Organizations with moderate traffic between a branch and a main office might choose to replace an existing leased WAN link with a dial-up WAN link or use a dial-up WAN link to create a new connection. Figure 10.4 shows an example of a site-to-site connection that uses an ISDN dial-up link. One common situation in which you might deploy a dial-up link is as a backup solution when a VPN link provides your primary connection. For more information about when to use a dial-up connection, see "Choosing a Dial-up or VPN Connection" later in this chapter.

Figure 10.4: One-Way Initiated On-Demand Dial-up Solution

A one-way initiated on-demand dial-up connection disconnects when the connection is idle for a specified period of time and thus provides efficient access for branch office users who need only intermittent access to the main office. A dial-up connection typically uses MS-CHAP v2 as the user authentication method to authenticate the calling router, together with Microsoft Point-to-Point Encryption (MPPE) for data encryption. Configuring reciprocal replication enables replication between domain controllers in separate sites over a one-way initiated on-demand connection. Figure 10.4 depicts this solution.
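All three solutions above rely on MS-CHAP v2 or EAP-TLS for authenticating the calling router. The following batch script is an added example, not from the Deployment Kit, showing how an administrator can restrict the answering router to those methods with the netsh ras context on Windows Server 2003 so that weaker password methods cannot be negotiated. It assumes the Routing and Remote Access service is already installed and the commands are run in an elevated command prompt on the answering router.

```batch
@echo off
rem Added example (not from the Deployment Kit): limit the answering router to the
rem authentication methods recommended in this overview for site-to-site connections.
rem Run on the Windows Server 2003 RRAS server that answers the calling router.

rem Remove the password methods that are weaker than MS-CHAP v2 so a calling router
rem cannot fall back to them during PPP negotiation.
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP

rem Keep MS-CHAP v2 (password-based authentication and encryption key generation) and
rem EAP, which is what EAP-TLS certificate authentication is negotiated through.
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP

rem Verify that only MSCHAPv2 and EAP are listed as negotiable.
netsh ras show authtype
```

Run the final `show authtype` after any change to the server so the list of negotiable methods can be checked against the design; the same settings apply to remote access clients that dial the same server.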




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
