Choosing the Remote Site Connection Type


The first set of decisions that you need to make when designing remote site connectivity is about the connection type. The flowchart in Figure 10.5 shows the tasks required when choosing connection type options.

Figure 10.5: Choosing a Remote Site Connection Type

Choosing a Dial-up or VPN Connection

When considering your connection type options, your first decision is whether to use a dial-up (non-VPN) connection or a VPN connection.

Dial-up Connections

Routing and Remote Access connections that run over a physical device (such as an ISDN adapter or analog modem) that is installed on both the calling and answering routers are known as dial-up connections. These connections differ from traditional WAN links in that they use existing telephone lines instead of leased lines. A dial-up connection differs from a VPN connection in that it does not cross the Internet.

Using existing phone lines can substantially reduce connection costs, especially where traffic volume between sites is low. Instead of paying for a permanent WAN connection 24 hours a day, you can configure the link to disconnect when no traffic crosses the connection for a specified period of time. For example, customers who use ISDN typically pay by the minute or by the byte, so configuring the call to hang up when the connection is idle reduces cost.

To keep data transmission secure, a dial-up connection uses private, dedicated lines or circuits across a carrier's network. In addition, the connection uses Point-to-Point Protocol (PPP) user authentication and MPPE for data encryption.

An organization might choose to deploy a dial-up connection if it has a small branch office that needs an occasional dial-up connection to a main office. For a dial-up link used as the main site-to-site connection, using ISDN is a viable option.

A larger organization that uses a VPN connection might also deploy an ISDN dial-up connection as a backup solution in case the Internet connection in either site is ever unavailable. You can use a Public Switched Telephone Network (PSTN) dial-up link as the backup if the primary link is Frame Relay with a committed information rate (CIR) of 56 Kbps. If the link for which you need a backup is faster than 56 Kbps CIR, using a PSTN dial-up connection as the backup is not feasible, because users accustomed to a faster connection will perceive the dial-up connection as too slow or inoperable. If the primary link is faster than 56 Kbps, instead use a synchronous circuit solution, such as ISDN or a leased-line circuit, for the backup.

In either of these situations, a dial-up connection provides a solution that is easy to deploy and cost-effective.

VPN Connections

Routing and Remote Access connections that cross the Internet (or other shared network) are known as virtual private network (VPN) connections. A VPN connection typically uses a physical link to a local ISP. A VPN-based answering router always uses a permanent WAN link to an ISP, such as a T-Carrier, Frame Relay, DSL, or cable modem link. The answering router's permanent link to the Internet ensures that the router is available whenever a calling router attempts to establish a connection. This link requires a static IP address, which is assigned by your local ISP (or by InterNIC), on the answering router's Internet-connected interface. However, a VPN-based calling router might use a permanent WAN link to an ISP, or it might use a temporary link (such as a modem or adapter) to the ISP.

When traffic volume is high or permanent connectivity across long distances is required, using a VPN connection to transport data across the Internet is more cost-effective than using a dedicated WAN line or a dial-up connection.

To keep data transmission secure, a VPN connection uses PPP user authentication, routes packets encapsulated in a secure tunnel across the Internet, and uses MPPE or IPSec encryption to protect the data portion of the packet. This virtual point-to-point connection emulates a dedicated, private, physical point-to-point connection but lets you replace long-distance WAN links with local WAN links to your nearby ISP. The ISP does not install any VPN software on its equipment, nor is any VPN software installed on the intermediate routers that a VPN data packet crosses.

If you choose a VPN connection in which the calling router uses a temporary link to connect to its local ISP, the temporary link can be either a dial-up link or a PPP over Ethernet (PPPoE) link. The calling router first establishes the dial-up or PPPoE link to the ISP and then establishes the VPN tunnel across the Internet to the answering router. Many broadband ISPs use PPPoE. PPPoE links to the ISP are faster than dial-up links.

An example of an organization that might choose to deploy a VPN connection is a large enterprise with several large satellite offices that each need secure connection for high-volume traffic across the Internet to a headquarters office.

Choosing PPTP or L2TP/IPSec

If you choose a VPN site-to-site connection, you must next decide whether to use PPTP or L2TP/IPSec as the VPN technology. Table 10.1 lists some of the factors you need to consider in order to determine whether to deploy a PPTP or an L2TP/IPSec solution. For more information about the security options (user authentication, certificates, and encryption) described briefly in the table, see "Choosing Security Features" later in this chapter.

Table 10.1: Comparing a PPTP Solution with an L2TP/IPSec Solution

Factor: Windows version
Using PPTP: PPTP is supported by Windows Server 2003, as well as the Microsoft Windows 2000 Server operating system and the Microsoft Windows NT version 4.0 operating system with the Routing and Remote Access Service (RRAS). Most third-party VPN routers also support PPTP.
Using L2TP/IPSec: L2TP/IPSec is supported by Windows Server 2003 and Windows 2000 Server (with the Routing and Remote Access service). Most third-party VPN routers also support L2TP/IPSec.

Factor: User authentication
Using PPTP: EAP-TLS or MS-CHAP v2 is recommended.
Using L2TP/IPSec: EAP-TLS or MS-CHAP v2 is recommended.

Factor: Certificates
Using PPTP: PPTP requires certificates only when using EAP-TLS for user authentication, in which case a user certificate for the calling router and a computer certificate for the authenticating server of the answering router are required.
Using L2TP/IPSec:
  • Using EAP-TLS user authentication with L2TP/IPSec requires a user certificate for the calling router and a computer certificate for the authenticating server of the answering router.
  • For computer-level authentication, L2TP/IPSec supports computer certificates or preshared keys as the authentication method for IPSec. Computer certificate authentication is recommended and requires a computer certificate on both the calling and answering routers.

Factor: Encryption
Using PPTP: For a PPTP-based VPN connection, choosing either EAP-TLS or MS-CHAP v2 for user authentication provides MPPE for data encryption. MPPE provides data confidentiality (encryption); that is, captured packets cannot be interpreted without the encryption key. MPPE does not provide data integrity, replay protection, or data origin authentication, so the tunnel itself does not detect a packet that was modified or replayed in transit.
Using L2TP/IPSec: L2TP/IPSec generates its encryption keys by using IPSec. IPSec provides data confidentiality (encryption), replay protection, data integrity, and data origin authentication.

Factor: NATs
Using PPTP: In most cases, you can locate PPTP-based calling routers behind a network address translator (NAT), so you can configure a small or home office (SOHO) network to share a single connection to the Internet. Most NATs include a NAT editor that can accurately translate PPTP-tunneled data.
Using L2TP/IPSec: With Windows Server 2003-based calling or answering routers, you can use IPSec NAT traversal (NAT-T) to create L2TP/IPSec connections across NATs. Using NAT-T requires running Windows Server 2003 on both the calling and answering routers. With NAT-T, hosts that are hidden behind a NAT can use IPSec to connect to a remote site. NAT-T carries the IPSec traffic inside UDP, so any firewall between the two routers must pass UDP ports 500 (IKE) and 4500 (NAT-T).

Factor: Ease of deployment
Using PPTP: When using MS-CHAP v2 (or MS-CHAP) for user authentication, PPTP is cost-effective and easier to deploy than L2TP/IPSec with computer certificates.
Using L2TP/IPSec:
  • When you use computer certificates as the authentication method, L2TP/IPSec requires a certificate infrastructure and, therefore, requires more administrative overhead to deploy and maintain than does PPTP used with password-based MS-CHAP v2. For optimal security, using certificates is the recommended method.
  • Using preshared keys as the authentication method, L2TP/IPSec requires less administrative overhead (for initial setup but not for long-term administration) than using L2TP/IPSec with certificates but more administrative overhead than using PPTP. To ensure security, do not use preshared keys. [1]

[1]For more information about the advantages of computer certificates over preshared keys, see "Choosing Computer Certificates or Preshared Keys for Computer-Level Authentication" later in this chapter.
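The Encryption row of Table 10.1 lists four properties, and only one of them (confidentiality) is common to both columns. The following Python model is an added example, not code from the Deployment Kit and not an implementation of MPPE or IPSec: the keystream generator (HMAC-SHA256 in counter mode), the 32-byte window, the sample payload and the keys are all constructed for the demonstration. It shows what the missing three properties mean in practice: with confidentiality only, an on-path edit of a single ciphertext byte changes the decrypted amount and nothing notices; with per-packet authentication and a sequence window, the same edit and a replayed packet are both rejected before decryption.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream for packet `seq`: HMAC-SHA256 in counter mode (not RC4/MPPE)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Property set of the PPTP column: confidentiality only.
def encrypt_only(key: bytes, seq: int, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, seq, len(plaintext)))


def decrypt_only(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    # Nothing here can fail: any ciphertext "decrypts", whether or not it was altered in transit.
    return xor_bytes(ciphertext, keystream(key, seq, len(ciphertext)))


# Property set of the L2TP/IPSec column: confidentiality, data integrity, data origin
# authentication (only a peer holding mac_key can produce a valid tag) and replay protection.
class AuthenticatedChannel:
    WINDOW = 32  # sequence numbers this far behind the highest seen are rejected

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.highest = -1
        self.seen = set()

    def seal(self, seq: int, plaintext: bytes) -> bytes:
        header = seq.to_bytes(8, "big")
        ct = encrypt_only(self.enc_key, seq, plaintext)
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def open(self, packet: bytes) -> bytes:
        header, ct, tag = packet[:8], packet[8:-32], packet[-32:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # integrity + origin authentication
            raise ValueError("authentication failed: packet modified or forged")
        seq = int.from_bytes(header, "big")
        if seq in self.seen or seq <= self.highest - self.WINDOW:  # replay protection
            raise ValueError("replay detected")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.WINDOW}
        return decrypt_only(self.enc_key, seq, ct)


def flip_digit(ciphertext: bytes, offset: int) -> bytes:
    """Attacker edit on the wire: XOR one byte so a '1' at `offset` decrypts as '9'."""
    edited = bytearray(ciphertext)
    edited[offset] ^= ord("1") ^ ord("9")
    return bytes(edited)


def demonstrate(key: bytes = b"") -> dict:
    """Run both schemes against the same edit and a replay; keys are constructed for the demo."""
    key = key or os.urandom(32)
    msg = b"transfer $100 to account 42"          # constructed sample payload
    offset = msg.index(b"1")
    results = {}

    ct = encrypt_only(key, 1, msg)
    results["conf_only_after_flip"] = decrypt_only(key, 1, flip_digit(ct, offset))

    channel = AuthenticatedChannel(key, hashlib.sha256(b"mac" + key).digest())
    pkt = channel.seal(1, msg)
    results["auth_original"] = channel.open(pkt)
    for label, attempt in (("auth_after_flip", pkt[:8] + flip_digit(pkt[8:-32], offset) + pkt[-32:]),
                           ("auth_replay", pkt)):
        try:
            channel.open(attempt)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The design point is the order of checks in `open`: the tag is verified over the sequence header and ciphertext before anything is decrypted, so a forged or edited packet never reaches the decryption path, and the sequence window is consulted only for packets that have already proven their origin. That is the combination the table credits to IPSec and not to MPPE, and it is why the rest of the chapter treats L2TP/IPSec as the higher-security option.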

Using Both a PPTP Connection and an L2TP/IPSec Connection

You can deploy both a PPTP solution and an L2TP/IPSec solution at the same time. By default, a VPN router running Windows Server 2003 simultaneously supports both connection types. A VPN router running Windows 2000 Server supports both connection types if the router is not behind a NAT; however, Windows 2000 Server supports only PPTP — but not L2TP/IPSec — across a NAT.

You might want to use PPTP for some site-to-site connections and L2TP/IPSec for others. Table 10.2 lists some situations in which you might use PPTP or L2TP/IPSec for different connections on the same network.

Table 10.2: Using PPTP and L2TP/IPSec for Different VPN Connections on the Same Network

PPTP, typical uses:

  • To connect from calling routers that are running Windows NT 4.0 with RRAS.

  • To connect from routers that are running Windows Server 2003 or Windows 2000 Server that do not have an installed computer certificate.

  • To establish a VPN connection when you want to place Windows 2000 Server-based routers behind a Routing and Remote Access NAT or a third-party NAT.

L2TP/IPSec, typical uses:

  • To connect from calling routers running Windows Server 2003 or Windows 2000 Server that have an installed computer certificate.

  • To enable hosts that are hidden behind a NAT (because they use private addresses) to use IPSec to connect to a remote site. This is possible because NAT-T, which is enabled by default on Windows Server 2003-based computers, can create L2TP/IPSec connections across a NAT.

  • To provide the highest security solution available.

  • To connect from calling routers running Windows Server 2003 that use preshared keys (not recommended for security reasons).

If you use both a PPTP and an L2TP/IPSec solution, you can create separate remote access policies that define different connection parameters for each connection type. For example, if you have PPTP VPN connections to two branch offices whose calling routers run Windows NT 4.0 with RRAS, you might want to create a more restrictive remote access policy for those connections than the remote access policy that you create for an L2TP/IPSec VPN connection to a branch office whose calling routers run Windows Server 2003 and use computer-level authentication. For more information about creating remote access policies for a site-to-site connection, see "Configure a Remote Access Policy" later in this chapter.

Choosing an On-Demand or Persistent Connection

You can configure the calling router for any of the connection types — dial-up, PPTP VPN, or L2TP/IPSec VPN — with either an on-demand or a persistent connection. Table 10.3 describes and compares these connection type options.

Table 10.3: Comparing On-Demand and Persistent Connections

On-demand connection
Description: Establishes a connection when traffic is forwarded, and terminates the connection when the link is not used for a specified period of time.
Use: Use an on-demand connection if using the communications link incurs per-minute charges. For an on-demand VPN connection, the initiating router can use either a permanent or a dial-up link to the Internet. The answering router must have a permanent link to the Internet to ensure that it is available when a calling router attempts to establish a connection.

Persistent connection
Description: Sustains a connection for 24 hours a day.
Use: Use a persistent connection in the following circumstances:

  • When the cost of the connection is based on a flat fee, such as for a link to a local ISP for each site when sites are located in separate cities or for a connection between different sites within the same city.

  • When data traffic is time-sensitive. For example, if you support mainframe terminal connectivity between sites and the terminals must wait for an on-demand VPN connection to be activated, the connection attempt will time out before the session can be launched.

For a persistent VPN connection, both the calling and the answering router must use a permanent link to the Internet.

For on-demand connections, to prevent the calling router from establishing unnecessary connections, you can use demand-dial filtering and dial-out hours:

  • Demand-dial filters. To prevent a VPN calling router from initiating unnecessary connections, you can configure demand-dial filters to specify the types of IP traffic for which the router will or will not create a demand-dial connection. You can identify traffic to accept or reject based on source and destination addresses of incoming traffic and the protocol in use. It is recommended that you match the demand-dial filters to the IP packet filters configured on the demand-dial interface. If there is specific traffic that is not allowed across the demand-dial interface when it is connected, that same traffic should not be allowed to initiate a demand-dial connection using that interface. For example, if you have a packet filter that prevents ICMP traffic from being sent across the demand-dial interface, then you should configure a demand-dial filter to prevent ICMP traffic from initiating the demand-dial connection. For more information about matching demand-dial filters to IP packet filters, see "Integrate the VPN Server into a Perimeter Network" and "Configure IP Packet Filters and Demand-Dial Filters" later in this chapter.

  • Dial-out hours. To prevent a dial-up or VPN calling router from initiating unnecessary connections, you can configure dial-out hours to specify the hours during which a calling router is either permitted to make a site-to-site connection or denied the connection. You can also configure remote access policies on the answering router to restrict the time periods when incoming demand-dial connections are allowed.
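The two controls above, and the recommendation to keep the demand-dial filters in step with the interface's packet filters, can be checked before a router is deployed. The following Python model is an added example, not RRAS code and not from the Deployment Kit. It assumes the RRAS filter style of a filter list plus a default action (allow all except the listed traffic, or allow only the listed traffic) for both packet filters and demand-dial filters; the sample traffic, address ranges, business-hours table and dates are constructed for the demonstration. `wasted_dials` reports traffic that would bring the link up only to be dropped by the outbound packet filter, which is the ICMP mismatch described in the text.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str        # "tcp", "udp" or "icmp"
    dst_port: int = 0    # 0 for protocols without ports


@dataclass(frozen=True)
class Filter:
    """One filter entry; a field left at its default matches anything."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: str = "any"
    dst_port: int = 0

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False)
                and self.protocol in ("any", p.protocol)
                and self.dst_port in (0, p.dst_port))


@dataclass(frozen=True)
class FilterList:
    """A filter list plus its default action, in the RRAS style (assumed model).

    only_listed=False: allow everything except matching packets
        (packet filter "transmit all except", demand-dial "all traffic except").
    only_listed=True: allow only matching packets
        (packet filter "drop all except", demand-dial "only for the following").
    """
    filters: tuple
    only_listed: bool = False

    def allows(self, p: Packet) -> bool:
        hit = any(f.matches(p) for f in self.filters)
        return hit if self.only_listed else not hit


def dialing_permitted(hours: dict, when: datetime) -> bool:
    """Dial-out hours: `hours` maps weekday (0 = Monday) to the set of permitted hours."""
    return when.hour in hours.get(when.weekday(), set())


def should_dial(p: Packet, when: datetime, demand_dial: FilterList, hours: dict) -> bool:
    """True if this packet may bring the demand-dial link up at time `when`."""
    return dialing_permitted(hours, when) and demand_dial.allows(p)


def wasted_dials(demand_dial: FilterList, outbound: FilterList, samples) -> list:
    """Packets that would initiate a connection but be dropped by the outbound
    packet filter once the link is up: the mismatch the text warns about.
    An empty list means the demand-dial filters are at least as strict as the
    packet filter for the sampled traffic."""
    return [p for p in samples if demand_dial.allows(p) and not outbound.allows(p)]


# Constructed sample traffic from a branch LAN (10.1.0.0/16) to headquarters (10.0.0.0/16).
SAMPLES = (
    Packet("10.1.0.25", "10.0.0.10", "tcp", 445),   # file sharing
    Packet("10.1.0.25", "10.0.0.10", "icmp"),       # ping
    Packet("10.1.0.40", "10.0.0.53", "udp", 53),    # DNS
)

# The text's example packet filter on the demand-dial interface: transmit all except ICMP.
OUTBOUND = FilterList((Filter(protocol="icmp"),), only_listed=False)

# Loose demand-dial filters (dial for all traffic): a stray ping brings the link up for nothing.
DEMAND_DIAL_LOOSE = FilterList((), only_listed=False)
# Matched to the packet filter, as recommended: dial for all traffic except ICMP.
DEMAND_DIAL_MATCHED = FilterList((Filter(protocol="icmp"),), only_listed=False)

# Dial-out hours: Monday to Friday, 08:00 to 17:59 (constructed).
BUSINESS_HOURS = {day: set(range(8, 18)) for day in range(5)}
TUESDAY_10AM = datetime(2004, 3, 2, 10)
SATURDAY_10AM = datetime(2004, 3, 6, 10)


if __name__ == "__main__":
    print("loose demand-dial filters waste dials on:", wasted_dials(DEMAND_DIAL_LOOSE, OUTBOUND, SAMPLES))
    print("matched demand-dial filters waste dials on:", wasted_dials(DEMAND_DIAL_MATCHED, OUTBOUND, SAMPLES))
    print("SMB on Tuesday 10:00 dials:", should_dial(SAMPLES[0], TUESDAY_10AM, DEMAND_DIAL_MATCHED, BUSINESS_HOURS))
    print("SMB on Saturday 10:00 dials:", should_dial(SAMPLES[0], SATURDAY_10AM, DEMAND_DIAL_MATCHED, BUSINESS_HOURS))
```

Run the check against a representative sample of the branch's real traffic mix, not just the three packets here: an empty `wasted_dials` result is only as good as the samples it was given. The same `FilterList` model also expresses the tighter form of the recommendation, a "drop all except" packet filter paired with an "only for the following traffic" demand-dial list that names exactly the same flows.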

Choosing a One-Way or Two-Way Initiated Connection

You can set up a site-to-site connection so that it can be initiated from only one location, or you can configure a connection that can be initiated from either side of the dial-up or VPN connection. Table 10.4 describes and compares these options.

Table 10.4: Comparing One-Way and Two-Way Initiated Connections

One-way initiated connection
Description: A one-way initiated connection is one in which one site contains only an answering router and the other site contains only a calling router.
Use: Use an on-demand or persistent one-way initiated connection when users at a branch office need to connect to a headquarters office but not vice versa. Use a persistent one-way initiated connection when you have 10 or more branch offices and users at each site need to access the other sites; with a two-way initiated connection for 10 or more connections, performance is too slow.

Two-way initiated connection
Description: A two-way initiated connection is one in which a router at each site can function as both the answering router and as the calling router.
Use: Use a two-way initiated connection when users at both locations need to access resources or people in the other location and you have fewer than 10 connections (if you have 10 or more connections, use a one-way initiated persistent connection).

For both a one-way and a two-way initiated connection, use the properties of the router in the Routing and Remote Access snap-in to configure both the calling and the answering router as a local area network (LAN) router and as a demand-dial router.




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146