In this post, I will walk through the different ways in which you can enable VPN functionality on the remote access devices (desktops, laptops used by your remote access users).
Lets look at the various choices:
The remote access users in your organization will normally be running different operating systems on their remote access devices (like PCs and laptops). The choice of operating system governs few important decisions regarding remote access deployment - mainly the VPN tunnel selection and the authentication protocol selection – as defined further in next few posts.
There are three types of VPN client software that runs on Windows OS using Windows VPN stack (i.e. PPTP, L2TP, SSTP or IKEv2 VPN tunnel):
** Please note: There are a lot of 3rd party VPN clients which works on top of Windows OS but uses its own VPN client stack (like IPSEC X Auth based, SSL network connector driven) instead of Windows VPN stack. Hence all these clients are kept outside the scope of this post.
The following table summarizes the feature set between in-built VPN client and connection manager VPN client:
In-Built VPN client
CM VPN client
On the client device – using ``Network and Sharing Center” – usually done by end users
On network side – using CMAK tool – usually done by administrators
Entire configuration can be changed by end user – using VPN client ``Properties”
Minimal configuration change possible by end user – using CM.
However administrator can change the profile – using CMAK and then send back to end users
IPV4, IPV6 Support
Authentication & Tunnel Selection
All – though tunnel selection order is fine-grained in CMAK – with additional options of PPTP first, L2TP first and SSTP first.
Multiple VPN servers
Partially allowed – only one host name*** or IP address of VPN server can be configured.
Allows a list of VPN servers to be provisioned and end user can select one from the drop-down
Ability to select default route addition on client machine after VPN interface comes up
Allows a list of IP routes (including default route) to be provisioned on client machine after VPN interface comes up
Web Proxy Address
Not allowed – user need to explicitly configure intranet web proxy address inside IE for the VPN interface
Allows web proxy address to be provisioned inside CM package. This will be configured inside IE after VPN interface comes up
Allows icons, help message text, pre connect and post connect code to be added to the VPN package
*** A DNS name can represent a set of VPN servers if deployed using DNS round-robin as discussed in a subsequent section. Hence the in-built VPN client does support multiple VPN servers using single hostname. And CM based client goes one step further allowing a list of VPN server names/IP address to be provisioned by admin of which end user can select one of them using CM client properties. However please note: in case of failure of connectivity to one server, the CM client doesn’t fallback or tries the next one.
Here are the references to other relevant posts
Remote Access Design Guidelines – Part 1: Overview
Remote Access Design Guidelines – Part 3: Tunnel selection, Authentication, Authorization and Accounting
Remote Access Design Guidelines – Part 4: IP Routing and DNS
Remote Access Design Guidelines – Part 5: Where to place RRAS server
Senior Program Manager
[This posting is provided “AS IS” with no warranties, and confers no rights.]
Hello Customers, In last few releases, we have added plenty of “cool” features in RAS – like NAP based