Remote Access Design Guidelines – Part 1: Overview

Hello Customers,

In the last few releases, we have added plenty of “cool” features to RAS – like NAP-based health checks, the SSTP-based SSL tunnel, IPv6 support in Vista SP1/WS08, and the IKEv2-based IPsec tunnel in Windows 7/WS08 R2.

As a result, we have seen a lot of interesting questions from you about the various design and deployment choices that exist – which one to choose, for what, and when.

In the next few posts, I will walk you through some of the questions that come up when you are designing your remote access solution. The answers to these questions will help you make informed decisions and correct choices when deploying an RAS-based remote access solution.

Once I finish these posts on the design side, I will go through the configuration and day-to-day management of RAS.

As always, I would love to hear back from you – your comments, thoughts, requests for more articles, etc.

So let's start the journey. Here is my first post on this topic.

1.1 Overview

A VPN-based remote access solution provides users with access to network resources over a public network. For example, companies of all sizes deploy a VPN server at their network edge. Employees who work from home or on the road connect to the VPN server from their PCs or laptops over the Internet. This establishes a VPN tunnel that virtually places their client PCs or laptops inside the intranet, so they can access intranet resources.

A remote access solution involves multiple devices: the remote access client devices (PCs, laptops, smart mobile devices), the remote access server or VPN gateway, the Network Policy Server (RADIUS server), the authentication directory or database (Active Directory), the DHCP server and the DNS server.

My coming posts will be broken into different sections that will assist you in choosing between the various options that may exist in your deployment scenarios, and answer some of the important design questions you may have while choosing those options:

  • Which VPN client software to use on the remote access devices?
  • Which VPN tunnel and authentication protocol to use?
  • How to enforce different authorization policies?
  • How to enforce a health check of the remote access user devices before providing access to the network? How to restrict unhealthy clients to a quarantine zone?
  • Which IP subnet should be allocated to VPN clients? How will IP routing happen between VPN clients and the rest of the network? How will the VPN clients access the Internet?
  • Where to place the firewall on the VPN server side? Which TCP/UDP ports must be opened to allow VPN tunnels to come in?
  • How to provide a high availability solution for the remote access server?

1.2 Definitions

A few definitions that I will be referring to in my coming posts:

DHCP Relay Agent
A VPN server acts as an IP router, forwarding IP packets between VPN clients and the rest of the intranet machines. To forward DHCP Inform requests (for parameters like the DNS server address) originated by VPN clients to the DHCP server on the intranet side, the DHCP relay agent needs to be enabled on the VPN server. The DHCP relay agent and the VPN client support both IPv4 and IPv6 transport.

Intranet
Machines sitting on the private network side, behind the VPN server, that are accessed by VPN clients over the VPN tunnel – like file servers, web servers, business application servers, etc.

Internet
Machines facing the public Internet – like the VPN servers.

Remote Access
Technology that enables remote access users to reach their remote network, using different technologies like dial-up, VPN, etc.

Remote access user
A user who accesses the remote network using a VPN client.

RRAS
Routing and Remote Access Service – a server role that is part of the Network Policy and Access Services server role in Windows-based servers.

VPN
Virtual Private Network – technology that enables remote access users to access their remote network (like an office network) over a public network (like the Internet).

VPN client
Client software that enables a remote access user to connect to their remote network – the initiator or originating endpoint of the VPN tunnel.

VPN server
Server software (e.g. an RRAS server) that enables remote access users to connect to their remote network – the terminating endpoint of the VPN tunnel.
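To make the DHCP Relay Agent definition above concrete, here is an added example (not code from the original post, and not RRAS code) that models the relay step in Python: the VPN client's DHCPINFORM is broadcast on the VPN interface, the relay stamps its own interface address into giaddr and unicasts the message to the intranet DHCP server, and the server's DHCPACK is returned to giaddr and delivered to the client. The packet layout follows RFC 2131; all IP addresses, the client MAC address and the small DHCP server stand-in are constructed for the example.

```python
# Added example: a minimal model of the DHCP relay-agent step a VPN server
# performs for a VPN client's DHCPINFORM (RFC 2131 layout). Addresses, the
# client MAC and the DHCP server stand-in are constructed for this example.
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_DNS, OPT_END = 0, 53, 6, 255
DHCPACK, DHCPINFORM = 5, 8
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
GIADDR_OFFSET, HOPS_OFFSET = 24, 3

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_dhcp(op, xid, hops, ciaddr, giaddr, chaddr, options):
    """Encode a DHCP message: fixed header, magic cookie, TLV options, END."""
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, 0,
                         ip_to_bytes(ciaddr), b"\0" * 4, b"\0" * 4, ip_to_bytes(giaddr),
                         chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])

def parse_dhcp(pkt):
    """Decode the fields the relay cares about plus the option map."""
    f = struct.unpack(HEADER_FMT, pkt[:236])
    opts, i = {}, 240                       # options start after the cookie
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:               # pad option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "ciaddr": bytes_to_ip(f[7]),
            "giaddr": bytes_to_ip(f[10]), "chaddr": f[11], "options": opts}

def relay_to_server(pkt, relay_if_ip, dhcp_server_ip, max_hops=16):
    """Client -> server direction. The INFORM is a link-local broadcast on the VPN
    interface and would never cross the VPN server acting as a router, so the relay
    stamps its own interface address into giaddr (if no relay did so already),
    bumps the hop count and unicasts the message to the intranet DHCP server.
    Returns (destination_ip, forwarded_packet) or None when the packet is dropped."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREQUEST or msg["hops"] >= max_hops:
        return None                         # not a client request, or looping
    giaddr = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else relay_if_ip
    fwd = bytearray(pkt)
    fwd[HOPS_OFFSET] += 1
    fwd[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ip_to_bytes(giaddr)
    return dhcp_server_ip, bytes(fwd)

def relay_to_client(pkt, relay_if_ip):
    """Server -> client direction. The server unicasts its reply to giaddr; the relay
    only accepts replies addressed to its own interface and delivers them to the
    client (an INFORM client already has an address in ciaddr, so unicast to it)."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREPLY or msg["giaddr"] != relay_if_ip:
        return None                         # not ours: drop instead of forwarding
    dst = msg["ciaddr"] if msg["ciaddr"] != "0.0.0.0" else "255.255.255.255"
    return dst, pkt

def answer_inform(pkt, dns_ip):
    """Constructed intranet DHCP server: answer a relayed DHCPINFORM with a DHCPACK
    carrying the DNS server option, addressed back via the giaddr it arrived with."""
    msg = parse_dhcp(pkt)
    if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPINFORM]):
        return None
    return build_dhcp(BOOTREPLY, msg["xid"], 0, msg["ciaddr"], msg["giaddr"],
                      msg["chaddr"], [(OPT_MSG_TYPE, bytes([DHCPACK])),
                                      (OPT_DNS, ip_to_bytes(dns_ip))])

def run_inform_exchange(client_ip="10.10.0.5", relay_ip="10.10.0.1",
                        dhcp_server="192.168.1.20", dns="192.168.1.10"):
    """Walk one DHCPINFORM through the relay and back; return the DNS server learned."""
    inform = build_dhcp(BOOTREQUEST, 0x1234, 0, client_ip, "0.0.0.0",
                        b"\x00\x11\x22\x33\x44\x55", [(OPT_MSG_TYPE, bytes([DHCPINFORM]))])
    to_server = relay_to_server(inform, relay_ip, dhcp_server)
    if to_server is None or to_server[0] != dhcp_server:
        raise RuntimeError("relay did not forward the INFORM to the DHCP server")
    ack = answer_inform(to_server[1], dns)
    to_client = relay_to_client(ack, relay_ip)
    if to_client is None or to_client[0] != client_ip:
        raise RuntimeError("relay did not deliver the ACK to the client")
    return bytes_to_ip(parse_dhcp(to_client[1])["options"][OPT_DNS])

if __name__ == "__main__":
    print("VPN client learned DNS server:", run_inform_exchange())
```

The giaddr check in relay_to_client is the detail worth noticing from a hardening perspective: a reply whose giaddr is not the relay's own interface address is dropped rather than pushed toward the VPN client subnet, and the hop-count ceiling in relay_to_server keeps a misconfigured chain of relays from forwarding a request forever.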

1.3 Further Reading

Here are the references to the other relevant posts:

Remote Access Design Guidelines – Part 2: VPN client software selection

Remote Access Design Guidelines – Part 3: Tunnel selection, Authentication, Authorization and Accounting

Remote Access Design Guidelines – Part 4: IP Routing and DNS

Remote Access Design Guidelines – Part 5: Where to place RRAS server

With Regards,

Samir Jain

Senior Program Manager

Windows Networking

[This posting is provided “AS IS” with no warranties, and confers no rights.]

Comments

  • Anonymous
    January 01, 2003
    Hello Customers, In my last few articles, I discussed the design guidelines to consider before

  • Anonymous
    March 17, 2009
    You said: DHCP relay agent can be IPv4 or IPv6 – depending upon IPv4 or IPv6 protocol is enabled on top of VPN client. I think you meant: DHCP relay agent and VPN client supports both the IPv4 and IPv6 transport.

  • Anonymous
    March 18, 2009
    Joe Klein wrote: "DHCP relay agent can be IPv4 or IPv6 – depending upon IPv4 or IPv6 protocol is enabled on top of VPN client. I think you meant: DHCP relay agent and VPN client supports both the IPv4 and IPv6 transport." SAMIRJ wrote: You are right - I will fix the same as it is confusing :). Thanks for pointing that out.