In the last few releases, we have added plenty of “cool” features to RAS – such as NAP-based health checks, the SSTP-based SSL tunnel, IPv6 support in Vista SP1/WS08, and the IKEv2-based IPsec tunnel in Windows 7/WS08 R2.
As a result, we have seen a lot of interesting questions from you about the various design and deployment choices that exist: which one to choose, when, and so on.
In the next few posts, I will walk you through some of the questions that come up when you are designing your remote access solution. The answers to these questions will help you make informed decisions and correct choices when deploying a RAS-based remote access solution.
Once I finish these posts on the design side, I will go through the configuration and day-to-day management of RAS.
As always, I would love to hear back from you – your comments, thoughts, requests for more articles, etc.
So let's start the journey. Here is my first post on this topic.
A VPN-based remote access solution is used to provide users with access to network resources over a public network. For example, companies of all sizes deploy a VPN server at their network edge. Employees who work from home or on the road connect to the VPN server from their PCs/laptops over the Internet. This establishes a VPN tunnel that virtually places their client PCs/laptops inside the intranet, so they can access intranet resources.
A remote access solution includes multiple devices – the remote access client devices (PCs, laptops, smart mobile devices), the remote access server or VPN gateway, the network policy server (RADIUS server), the authentication directory or database (Active Directory), the DHCP server and the DNS server.
My coming posts will be broken into different sections that will assist you in choosing between the various options that may exist in your deployment scenarios and answer some of the important design questions you may have while choosing among those options.
A few definitions that I will be referring to in my coming posts:
DHCP Relay Agent
A VPN server acts as an IP router, forwarding IP packets between VPN clients and the rest of the intranet machines. To forward DHCP INFORM requests (for parameters like the DNS server address) originated by VPN clients towards the DHCP server on the intranet side, the DHCP relay agent needs to be enabled on the VPN server. The DHCP relay agent and the VPN client support both IPv4 and IPv6 transports.
Machines sitting on the private network side – behind the VPN server – that are accessed by VPN clients over the VPN tunnel – such as file servers, web servers, business application servers, etc.
Machines facing the public Internet – such as the VPN servers.
Technology that enables remote access users to access their remote network – using different technologies like dial-up, VPN, etc.
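To make the relay agent's role concrete, here is an added Python model of the exchange described above (this is illustrative code written for this post, not RRAS or Windows DHCP code). It builds a DHCPINFORM as a VPN client would send it, applies the relay rules from RFC 2131/RFC 1542 that a relay on the VPN server performs (increment the hops field, stamp its own intranet-side address into giaddr, drop packets that have been relayed too many times), lets a toy DHCP server pick the DNS option from the scope that giaddr falls in, and then shows the relay forwarding only replies that carry its own giaddr back to the client. All addresses, the scope table and the hardware address are constructed for the walk-through.

```python
"""Model of a DHCP relay agent on a VPN server handling a client's DHCPINFORM.
Added example, not RRAS or Windows DHCP code; rules follow RFC 2131 / RFC 1542."""
import struct
from ipaddress import IPv4Address, IPv4Network

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPINFORM, DHCPACK = 8, 5
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
MAX_HOPS = 16  # RFC 1542: a relay discards a packet whose hops field has reached this

# Constructed values for the walk-through (not from any real deployment).
RELAY_IP = "10.0.0.1"     # VPN server's intranet-facing (internal) address
SERVER_IP = "10.0.0.10"   # DHCP server on the intranet
CLIENT_IP = "10.0.5.23"   # address already assigned to the VPN client's virtual interface
SCOPES = {IPv4Network("10.0.0.0/16"): "10.0.0.53"}   # scope -> DNS server it hands out

def build_dhcp(op, xid, ciaddr, chaddr, options):
    """Pack the fixed 236-byte BOOTP header, the magic cookie and TLV options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        IPv4Address(ciaddr).packed, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])

def parse_options(pkt):
    """Return {option code: raw value} from the options area."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:          # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def relay_to_server(pkt, relay_ip):
    """Client -> server: drop on hop overflow, bump hops, stamp giaddr if still zero."""
    if pkt[3] >= MAX_HOPS:
        return None
    out = bytearray(pkt)
    out[3] += 1
    if out[24:28] == b"\0" * 4:   # only the first relay on the path fills in giaddr
        out[24:28] = IPv4Address(relay_ip).packed
    return bytes(out)

def relay_to_client(reply, relay_ip):
    """Server -> client: forward only replies addressed to our giaddr, to the client's ciaddr."""
    if reply[24:28] != IPv4Address(relay_ip).packed:
        return None
    return str(IPv4Address(reply[12:16])), reply

def dhcp_server_inform(request, server_ip, scopes):
    """Toy server: answer a DHCPINFORM, choosing the scope from giaddr (why the relay must set it)."""
    opts = parse_options(request)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPINFORM]):
        return None
    giaddr = IPv4Address(request[24:28])
    dns = next((d for net, d in scopes.items() if giaddr in net), None)
    if dns is None:               # no scope matches the relay's subnet: no answer
        return None
    xid = struct.unpack("!I", request[4:8])[0]
    reply = bytearray(build_dhcp(2, xid, str(IPv4Address(request[12:16])), request[28:44],
                                 [(OPT_MSG_TYPE, bytes([DHCPACK])),
                                  (OPT_SERVER_ID, IPv4Address(server_ip).packed),
                                  (OPT_DNS, IPv4Address(dns).packed)]))
    reply[24:28] = request[24:28]  # echo giaddr so the reply is unicast back to the relay
    return bytes(reply)

def walk_through():
    """Run the full exchange; return (address the ACK is delivered to, DNS server the client learns)."""
    inform = build_dhcp(1, 0x1234ABCD, CLIENT_IP, bytes.fromhex("0011223344aa"),
                        [(OPT_MSG_TYPE, bytes([DHCPINFORM]))])
    relayed = relay_to_server(inform, RELAY_IP)
    ack = dhcp_server_inform(relayed, SERVER_IP, SCOPES)
    dest, delivered = relay_to_client(ack, RELAY_IP)
    return dest, str(IPv4Address(parse_options(delivered)[OPT_DNS]))

if __name__ == "__main__":
    print(walk_through())
```

Two details matter for a deployment: the DHCP server selects the scope (and therefore the DNS and other options it returns) purely from giaddr, so the relay's intranet-side address has to fall inside a scope the server knows about; and the relay forwards replies only when giaddr is its own address, which keeps a VPN server from passing on DHCP traffic that was never meant for its clients.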
Remote access user
A user that accesses the remote network using a VPN client.
RRAS
Routing and Remote Access Service – a server role that is part of the Network Policy and Access Services role on Windows-based servers.
VPN
Virtual Private Network – technology that enables remote access users to access their remote network (like an office network) over a public network (like the Internet).
VPN client
Client software that enables a remote access user to connect to their remote network – the initiator or originating endpoint of the VPN tunnel.
VPN server
Server software (e.g. an RRAS server) that enables a remote access user to connect to their remote network – the terminating endpoint of the VPN tunnel.
Here are references to the other relevant posts:
Remote Access Design Guidelines – Part 2: VPN client software selection
Remote Access Design Guidelines – Part 3: Tunnel selection, Authentication, Authorization and Accounting
Remote Access Design Guidelines – Part 4: IP Routing and DNS
Remote Access Design Guidelines – Part 5: Where to place RRAS server
Senior Program Manager
[This posting is provided “AS IS” with no warranties, and confers no rights.]