To start with you need to decided on VPN client and VPN server :). Lets say you are using inbuilt VPN client in Windows 98/2000/2003/XP and Windows 2000/2003 Server running RRAS.
Now lets break-up remote access requirement into following factors:
1) VPN Client: Your remote access users can use the in-built "new connection wizard" to create a VPN client connection OR can use the connection manager (CM) connection profile (using CMAK) on Windows based PCs.
2) VPN server: The main factors are:
2.1) IP addressing: RRAS server normally will be having a public interface (towards Internet) and a private interface (towards corporate network) and associated IP addresses with it. Apart from this, it needs an IP address pool that will be used to assign the IP addresses to VPN client after the tunnel is up. This IP address pool can be configured statically on the RRAS server or obtained via DHCP server. This IP address pool should be approachable by LAN clients (behind RRAS server) by adding appropriate routes.
2.2) Type of tunnel and authentication/encryption: PPTP vs L2TP/IPsec (see http://blogs.technet.com/rrasblog/archive/2005/12/30/416666.aspx for further details on which one to use). User authentication can be done against local d/b on RRAS server (very small deployment) as well as Active directory (AD) based domains.
2.3) Remote access policy: The remote access policy can be used to enforce the fine-grained policies (like time of the day, encryption/authentication strength, etc) to the remote access connections. This can be configured locally on RRAS server or can be done on a radius server (like IAS or 3rd party radius server).
2.4) Filtering: There can be a firewall before, on or after VPN server. RRAS server supports 5-tuple static filters to add simple filters (e.g. allow only VPN traffic to pass through and drop rest) on public interface as well as per PPP interface. Note: There are two things to protect here - one is the VPN server box itself and second is the traffic passing inside the VPN tunnel (i.e. forwarding traffic to/from remote access clients).
2.5) Enable Optional features: (refer to http://blogs.technet.com/rrasblog/archive/2006/02/15/419589.aspx for further details)
So as you can see above, there are a lot of factors to consider before deploying a VPN based remote access, but I won't call it complex, but rather challenging 🙂 - as each deployment has its own network topology and security requirements. But the best part is RRAS pretty much covers small organization requirements to very large orgs requirements - so you have reached the right place for your remote access requirements :)).
For further queries, refer to plethora of documents at
Also you can reach us by sending your queries at following newsgroup:
Have a happy remote access journey
Lead Program Manager
RRAS, Windows Enterprise Networking
"This posting is provided "AS IS" with no warranties, and confers no rights."