A common misconception about VPN clients is that a VPN client is always a workstation connecting to the corporate network over the VPN. Such a workstation is indeed a VPN client, but it is not the only kind. A VPN client can be a computer or a router. Which type of VPN client your network needs depends on your company's specific requirements.
For example, if you have a branch office that is not directly connected to the main office, using a router as the VPN client may be a good choice. That way a single connection links the entire branch office to the main office, and you do not need to establish a separate connection for each PC.
On the other hand, if you have employees who travel frequently and need to reach the company network while on the road, it may make more sense to configure those employees' laptops as VPN clients.
Technically, any operating system can act as a VPN client as long as it supports the PPTP, L2TP, or IPSec protocols. For Microsoft platforms, this means you can use Windows NT 4.0, 9X, ME, 2000, and XP. Although all of these can technically serve as clients, we recommend sticking to Windows 2000 or Windows XP, because those operating systems support L2TP and IPSec.
VPN Server
The VPN server is the connection point that VPN clients connect to. Technically, Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, and other operating systems can all serve as a VPN server. For security, however, I think you should use Windows Server 2003.
One of the biggest misunderstandings about the VPN server is the belief that the VPN server does all the work by itself. Friends have told me countless times that they wanted to buy "a VPN server", not realizing that the VPN server is only one of several necessary components.
The VPN server itself is very simple: it is a Windows Server 2003 machine running the Routing and Remote Access Service. Once a request for access to the VPN is approved, the VPN server simply acts as a router, giving the VPN client access to the private network.
RADIUS Server
An additional requirement of the VPN server is a RADIUS (Remote Authentication Dial-In User Service) server. RADIUS is the mechanism Internet service providers use to authenticate users when they try to establish an Internet connection.
You need a RADIUS server because you need some mechanism to authenticate the users entering your network through the VPN connection. Your domain controller cannot perform this task, and even if it could, exposing the domain controller to the outside world is not a good idea.
The question is, where do you get a RADIUS server? Microsoft has its own RADIUS implementation, the Internet Authentication Service, abbreviated IAS. The good news is that Windows Server 2003 includes IAS. The bad news is that, for security reasons, you cannot run IAS on the same computer as the Routing and Remote Access Service (RRAS). Even if you could, I would not be confident that it was secure.
Firewall
The other component your VPN requires is a good firewall. Yes, your VPN server accepts connections from the outside world, but that does not mean the outside world needs full access to the VPN server. You must use a firewall to block every port that is not in use.
The basic requirement for establishing a VPN connection is that the VPN server's IP address must be reachable from the Internet, and VPN traffic must be able to pass through your firewall to the VPN server. There is also an optional component that you can use to make your VPN server safer.
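The "block every unused port, let only VPN traffic through" rule above, written out as an added example (not code from the article): a default-deny filter for the VPN server's public interface that opens only what the chosen tunnel protocol needs. The server address and sample packets are constructed; the port and protocol numbers are the standard assignments for PPTP and L2TP/IPSec.

```python
# Added example, not from the article: default-deny filter for the VPN server's
# public interface, opened only for what the chosen tunnel protocol needs.
# Port/protocol numbers are standard IANA assignments; the server address and
# sample packets are constructed for this demo.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst ip_proto dport")
VPN_SERVER = "203.0.113.10"  # constructed (documentation range) address
IP_PROTO_NAMES = {6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# GRE (47) and ESP (50) are IP protocols, not TCP/UDP ports. Opening only
# TCP 1723 (PPTP) or only UDP 500/4500 (IKE) leaves the tunnel data itself
# blocked: the tunnel negotiates but no data flows. L2TP's own UDP 1701
# travels inside ESP, so it is not exposed on the outside of the firewall.
TUNNEL_RULES = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "l2tp-ipsec": {("udp", 500), ("udp", 4500), ("esp", None)},
}

def allowed(pkt, tunnel):
    """Default deny: pass only traffic the selected tunnel protocol requires."""
    if pkt.dst != VPN_SERVER:
        return False
    name = IP_PROTO_NAMES.get(pkt.ip_proto)
    if name is None:
        return False
    port = pkt.dport if name in ("tcp", "udp") else None
    return (name, port) in TUNNEL_RULES[tunnel]

def filter_log(packets, tunnel):
    """One verdict line per packet, in arrival order."""
    return ["%s %s -> %s proto=%s dport=%s" % (
        "ALLOW" if allowed(p, tunnel) else "DROP",
        p.src, p.dst, p.ip_proto, p.dport) for p in packets]

# Constructed sample traffic arriving at the VPN server's public address.
SAMPLE = [
    Packet("198.51.100.7", VPN_SERVER, 6, 1723),   # PPTP control channel
    Packet("198.51.100.7", VPN_SERVER, 47, None),  # GRE carrying PPTP data
    Packet("198.51.100.7", VPN_SERVER, 17, 500),   # IKE for L2TP/IPSec
    Packet("198.51.100.7", VPN_SERVER, 17, 4500),  # IKE NAT traversal
    Packet("198.51.100.7", VPN_SERVER, 50, None),  # ESP carrying L2TP
    Packet("198.51.100.7", VPN_SERVER, 6, 3389),   # RDP: not a VPN port
    Packet("198.51.100.7", VPN_SERVER, 6, 445),    # SMB: not a VPN port
]

if __name__ == "__main__":
    print("\n".join(filter_log(SAMPLE, "l2tp-ipsec")))
```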
If you pay close attention to security (and have the budget), you can place an ISA Server between your firewall and your VPN server. The idea is that you configure the firewall to direct all VPN-related traffic to the ISA Server instead of to the VPN server; the ISA Server then acts as a VPN proxy.
The VPN client and the VPN server each communicate only with the ISA Server and never directly with each other. The ISA Server therefore shields the VPN server from direct access, adding a layer of protection in front of it.
Select a tunnel protocol
When a VPN client connects to a VPN server, it does so through a virtual tunnel. A tunnel is a secure channel across an insecure medium (usually the Internet). The tunnel does not appear by magic, however; a tunneling protocol is required.
I mentioned earlier that older Windows clients can connect to a VPN through PPTP (Point-to-Point Tunneling Protocol), but that I recommend newer clients such as Windows 2000 and Windows XP because they support L2TP (Layer 2 Tunneling Protocol). In truth, either protocol will work as long as the client supports it. Each has its advantages and disadvantages, however, and choosing the tunneling protocol that suits your organization is one of the most important decisions you will make when planning a VPN.
Compared with PPTP, the biggest advantage of L2TP is that it relies on IPSec. IPSec encrypts the data and also authenticates it: it proves that the data really came from the claimed sender, and it protects against replay attacks. In a replay attack, an attacker captures an authentication packet and resends it later in order to gain access to the system.
L2TP also provides stronger authentication than PPTP. L2TP can authenticate both users and computers, and the packets exchanged during user-level authentication are always encrypted.
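The replay protection credited to IPSec above comes from a per-packet sequence-number check. The following is an added example (not code from the article) of the sliding-window anti-replay test that IPSec ESP/AH apply on receipt; it assumes packets are already authenticated and shows only the sequence test, with a 64-packet window.

```python
# Added example, not from the article: the sliding-window anti-replay check
# that IPSec (ESP/AH) applies to every received packet. Simplification assumed
# here: packets are already authenticated, so only the sequence test is shown.
WINDOW_SIZE = 64  # assumption: the 64-packet minimum window size IPSec requires


class AntiReplayWindow:
    """Accept each sequence number at most once; reject stale or repeated ones."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False on replay or stale seq."""
        if seq == 0:
            return False  # sequence number 0 is never valid in IPSec
        if seq > self.top:
            # Slide the window forward; bits that fall off the far end are forgotten.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: cannot verify, drop as replay
        if self.bitmap & (1 << offset):
            return False  # already accepted once: this is a replay
        self.bitmap |= 1 << offset  # late but genuine out-of-order packet
        return True


def replay_demo():
    """Constructed stream: 1,2,3,5 arrive, 4 arrives late, then 3 is replayed."""
    window = AntiReplayWindow()
    return [window.check_and_update(seq) for seq in (1, 2, 3, 5, 4, 3)]


def stale_demo():
    """Constructed: after packet 100, a packet 64 behind it is too old to check."""
    window = AntiReplayWindow()
    window.check_and_update(100)
    return (window.check_and_update(36), window.check_and_update(37))
```

The late packet 4 is still accepted because it falls inside the window, while the replayed packet 3 is dropped: reordering is tolerated, repetition is not.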
Although L2TP may be the preferred tunneling protocol, PPTP does have some advantages over L2TP. One I have already mentioned is compatibility: PPTP is supported by more Windows versions than L2TP. If some of your VPN users are still running earlier Windows operating systems, you have no choice but PPTP.
Another advantage of PPTP over L2TP stems from the fact that L2TP is based on IPSec. In discussing L2TP's advantages I said that depending on IPSec is a good thing, but using IPSec has one major drawback: IPSec requires that your network have a certificate authority.
The good news is that Windows Server 2003 includes its own certificate authority, and setting it up is relatively simple. The bad news is that, from a security standpoint, a certificate authority is not something to be treated lightly. The only way to maintain the integrity of the certificate authority is to run it on a dedicated server with the strongest possible protection. That means investing in an additional server, an additional Windows server license, and the additional administrative burden of adding another server to your network.
In my opinion, however, the extra cost and administrative burden are worthwhile. L2TP provides better security than PPTP, and you can also put the certificate authority to other uses, such as using IPSec to encrypt traffic on the local network.
Authentication Protocol
While on the subject of protocols, I should spend a moment on authentication protocols. During VPN setup you are required to select an authentication protocol, and most people choose MS-CHAP v2. MS-CHAP is a relatively secure option that is compatible with VPN clients running any version of Windows released over the past 10 years. Its biggest advantage is ease of setup.
If you plan to use L2TP and want better security, you should choose EAP-TLS as your authentication protocol. Only clients running Windows 2003 or Windows XP support EAP-TLS. In addition, you must set up the VPN server before the certificate authority can authenticate users.
EAP-TLS is more complex to set up, and it works best when each end user has a smart card. However, EAP-TLS does offer the best security. Simply put, MS-CHAP is a password-based protocol, whereas EAP-TLS is a certificate-based protocol.
Conclusion
Creating a VPN requires a great deal of planning. In this article I have discussed the planning involved in designing a VPN and some of the decisions you must make.