Remote Access Design Guidelines – Part 2: VPN client software selection

Hello Customers,

In this post, I will walk through the different ways in which you can enable VPN functionality on the remote access devices (the desktops and laptops used by your remote access users).

Let's look at the various choices:

2.1 Operating Systems

The remote access users in your organization will normally be running different operating systems on their remote access devices (such as PCs and laptops). The choice of operating system governs a few important decisions regarding the remote access deployment, mainly the VPN tunnel selection and the authentication protocol selection, as described further in the next few posts.

2.2 VPN Client Selection

There are three types of VPN client software that run on the Windows OS using the Windows VPN stack (i.e. a PPTP, L2TP, SSTP or IKEv2 VPN tunnel):

  • In-built (or in-the-box) VPN client - created by the end user using the “Set up a connection or network” wizard inside “Network and Sharing Center” in Vista/Windows 7.
  • Connection Manager (CM) client - created using the Connection Manager Administration Kit (CMAK) software on the RRAS server. A CM client is created by the remote access server administrator and then shared with the end users via email or a file/web server.
  • 3rd party VPN client software that has its own provisioning mechanism and user interface but runs** on top of the VPN stack of the Windows OS. These clients can connect to Windows based RRAS servers or to their own 3rd party VPN servers. The functionality exposed by this type of VPN client varies from vendor to vendor and hence is kept outside the scope of this post.

** Please note: There are a lot of 3rd party VPN clients which work on top of the Windows OS but use their own VPN client stack (e.g. IPsec XAuth based, or driven by an SSL network connector driver) instead of the Windows VPN stack. Hence all these clients are kept outside the scope of this post.

The following table compares the feature sets of the in-built VPN client and the Connection Manager VPN client:

Feature | In-Built VPN client | CM VPN client
--- | --- | ---
Creation | On the client device, using “Network and Sharing Center”; usually done by end users | On the network side, using the CMAK tool; usually done by administrators
Change | Entire configuration can be changed by the end user, using the VPN client “Properties” | Minimal configuration change possible by the end user, using CM. However, the administrator can change the profile using CMAK and then send it back to the end users
IPv4, IPv6 support | Both | Both
Authentication & tunnel selection | All | All, though the tunnel selection order is more fine-grained in CMAK, with the additional options of PPTP first, L2TP first and SSTP first
NAP support | Supported | Supported
Multiple VPN servers | Partially allowed: only one host name*** or IP address of the VPN server can be configured | Allows a list of VPN servers to be provisioned; the end user can select one from the drop-down
IP routes | Ability to select whether the default route is added on the client machine after the VPN interface comes up | Allows a list of IP routes (including the default route) to be provisioned on the client machine after the VPN interface comes up
Web proxy address | Not allowed: the user needs to explicitly configure the intranet web proxy address for the VPN interface inside IE | Allows a web proxy address to be provisioned inside the CM package; it is configured inside IE after the VPN interface comes up
Customization | Not allowed | Allows icons, help message text, and pre-connect and post-connect code to be added to the VPN package

*** A DNS name can represent a set of VPN servers if deployed using DNS round-robin, as discussed in a subsequent section. Hence the in-built VPN client does support multiple VPN servers using a single hostname. The CM based client goes one step further, allowing a list of VPN server names/IP addresses to be provisioned by the admin, of which the end user can select one using the CM client properties. However, please note: in case connectivity to one server fails, the CM client doesn't fall back or try the next one.
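As an added illustration that is not part of the original post, the script below provisions the in-built client with the settings the table calls out (tunnel type, authentication method and IP routes) using the VpnClient PowerShell cmdlets, which exist on Windows 8.1 and later rather than the Vista/Windows 7 wizard described above. The server name and intranet prefixes are placeholders.

```powershell
# Added example (not from the original post): script the in-built Windows VPN
# client instead of letting each end user click through the wizard, so the
# tunnel, authentication and route choices are fixed by the administrator.
# Requires the VpnClient module (Windows 8.1 / Windows 10 or later).
$vpnName   = 'Corp VPN'
$vpnServer = 'vpn.example.com'   # placeholder; a DNS round-robin name works here too

# Tunnel and authentication selection: pin IKEv2 with machine certificates
# rather than leaving the client to negotiate whatever the server offers first.
# -AllUserConnection writes the entry to the all-users phonebook (needs admin).
Add-VpnConnection -Name $vpnName -ServerAddress $vpnServer `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -SplitTunneling -AllUserConnection -PassThru

# IP routes: with -SplitTunneling no default route is added through the tunnel,
# so only the intranet prefixes provisioned here are reached via the VPN.
# Prefixes are placeholders for the real intranet ranges.
Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix '10.0.0.0/8' `
    -AllUserConnection -PassThru
Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix '192.168.100.0/24' `
    -AllUserConnection -PassThru

# Verify what was actually provisioned before rolling the profile out.
Get-VpnConnection -Name $vpnName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

Unlike the CM package, this still leaves the connection's “Properties” editable by the end user, so it does not replace CMAK where the table's "Change" row matters.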

2.3 Further Readings

Here are the references to the other relevant posts:

Remote Access Design Guidelines – Part 1: Overview

Remote Access Design Guidelines – Part 3: Tunnel selection, Authentication, Authorization and Accounting

Remote Access Design Guidelines – Part 4: IP Routing and DNS

Remote Access Design Guidelines – Part 5: Where to place RRAS server

With Regards,

Samir Jain

Senior Program Manager

Windows Networking

[This posting is provided “AS IS” with no warranties, and confers no rights.]