Remote Access Design Guidelines – Part 1: Overview
Hello Customers,
In last few releases, we have added plenty of “cool” features in RAS – like NAP based health check, SSTP based SSL tunnel, IPv6 support in Vista SP1/WS08 and IKEv2 based IPSec tunnel in Windows 7/WS08 R2.
As a result, we have seen a lot of interesting questions from you- about various design and deployment choices that exists, which one to choose what, when etc.
In the next few posts, I will walk you through some of the questions that comes in when you designing your remote access solution. The answer to these questions will help you to make informed decisions and make correct choices when deploying RAS based remote access solution.
Once I finish on these posts on the design side, I will go through configuration and day-to-day management of RAS.
As always, I will love to hear back from you – your comments/thoughts/need for more articles, etc.
So lets start the journey. Here is my first post on this topic
1.1 Overview
VPN based remote access solution is used to provide access to users connecting network resources over public network. For example, all sizes of companies deploy VPN server at their edge. The employees who work@home or on road connect to the VPN server from their PCs/laptops over Internet. This process establishes a VPN tunnel that virtually places their client PCs/laptops inside intranet and they can now access the intranet resources.
A remote access solution includes multiple devices– the remote access client devices (PCs, laptops, smart mobile), the remote access server or VPN gateway, network policy server (Radius server), authentication directory or database (Active directory), DHCP server and DNS server.
My coming posts will be broken in different sections that will assist you in choosing between the various options that may exist in your deployment scenarios and answer some of the important design questions that you may have while choosing those options:
- Which VPN client software to use on the remote access devices?
- Which VPN tunnel and authentication protocol to use?
- How to enforce different authorization policies?
- How to enforce health check of the remote access user devices before providing access to the network? How to restrict the unhealthy clients to a quarantine zone?
- What should be the IP subnet that should be allocated to VPN clients? How will the IP routing happen between VPN clients and rest of the network? How will the VPN clients access Internet?
- Where to place the firewall on the VPN server side. Which TCP/UDP ports must be opened to allow VPN tunnels to come in?
- How to provide a high availability solution to the remote access server?
1.2 Definition
Few definitions which I will be referring in my coming posts:
Term |
Description |
DHCP Relay Agent |
A VPN server acts as an IP router – forwarding IP packets between VPN clients and rest of intranet machines. To forward DHCP inform requests (for parameters like DNS server address) originated by VPN clients towards the DHCP server on intranet side, DHCP relay agent need to be enabled on VPN server. DHCP relay agent and VPN client supports both the IPv4 and IPv6 transport. |
Intranet |
Machines sitting on private network side – behind VPN server – that are accessed by VPN client over the VPN tunnel – like file servers, web servers, business application servers etc. |
Internet |
Machines facing public internet – like the VPN servers. |
Remote Access |
Technology that enables remote access users to access their remote network – using different technologies like dial-up, VPN etc |
Remote access user |
User that accesses the remote network using VPN client |
RRAS |
Routing and Remote Access Service – a server role that is part of Network Policy and Access server role inside Windows based server. |
VPN |
Virtual Private Network – technology that enables remote access users to access their remote network (like office network) over a public network (like Internet) |
VPN client |
Client software that enables remote access user to connect to their remote network – initiator or originating endpoint of VPN tunnel |
VPN server |
Server software (e.g. RRAS server) that enables remote access user to connect to their remote network – terminating endpoint of the VPN tunnel. |
1.3 Further Readings
Here are the references to other relevant posts
Remote Access Design Guidelines – Part 2: VPN client software selection
Remote Access Design Guidelines – Part 4: IP Routing and DNS
Remote Access Design Guidelines – Part 5: Where to place RRAS server
With Regards,
Samir Jain
Senior Program Manager
Windows Networking
[This posting is provided “AS IS” with no warranties, and confers no rights.]