"Make sure that VPNs are terminated in hardware, with hardware-based crypto," suggests Alan Zeichick, editor-in-chief of SD Times (SD stands for Software Development) and editorial director of Software Test & Performance. Encryption and decryption are a major drag on a general-purpose Windows server microprocessor, such as an Intel Pentium 4 or a Xeon. Pushing that workload onto a hardware VPN appliance reduces the drag it would put on a software-based gateway server.
"And be sure to spec out your VPN gateway hardware based on the number of VPNs that it can handle," notes Zeichick. "That's a limiting factor, based on the amount of CPU time it takes to handle the crypto. A lot of VPNs, even if they're low-bandwidth, can swamp your gateway processor and muck up all your traffic." Of course, as with any other hardware whose capacity is set by the bandwidth it has to carry, the word for the day is, "Don't scrimp."
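Zeichick's sizing rule (count tunnels, not just bandwidth, because crypto CPU time is the limit) can be turned into a quick capacity check. The script below is an added example and is not from the article or from any vendor's tooling: it measures how many bytes per second one core of the gateway can authenticate with HMAC-SHA256 (a standard-library stand-in for the per-packet integrity work an IPsec or TLS tunnel does; real tunnels also encrypt, so treat the result as an upper bound), then works out how many tunnels of a given bandwidth fit on that core before crypto alone pushes it past a chosen utilization ceiling. The packet sizes, tunnel bandwidths and headroom figure are constructed inputs, not numbers from the article.

```python
"""Capacity estimate for a software VPN gateway.

Added example (not from the article). Measures per-core MAC throughput with
HMAC-SHA256 as a stand-in for tunnel crypto, then sizes tunnel counts from it.
"""
import hashlib
import hmac
import os
import time


def measure_mac_throughput(packet_size: int = 1400, seconds: float = 0.5) -> float:
    """Return bytes/second one core sustains authenticating packet_size payloads.

    Small packets (VoIP, interactive SSH) cost more CPU per byte than full-size
    ones because the per-packet setup is fixed, so measure with the packet size
    your tunnels actually carry.
    """
    key = os.urandom(32)          # constructed key; real tunnels derive theirs per-SA
    payload = os.urandom(packet_size)
    count = 0
    start = time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:
        hmac.new(key, payload, hashlib.sha256).digest()
        count += 1
    elapsed = time.perf_counter() - start
    return count * packet_size / elapsed


def crypto_utilization(tunnel_bps: list, crypto_bytes_per_s: float) -> float:
    """Fraction of one core's crypto capacity consumed by the given tunnels.

    Each tunnel contributes its bandwidth (bits/s) once: the gateway decrypts
    inbound packets or encrypts outbound ones, not both for the same byte.
    """
    total_bytes_per_s = sum(tunnel_bps) / 8
    return total_bytes_per_s / crypto_bytes_per_s


def max_tunnels_per_core(crypto_bytes_per_s: float, per_tunnel_bps: float,
                         headroom: float = 0.7) -> int:
    """How many tunnels of per_tunnel_bps one core carries while staying
    at or below `headroom` utilization (leaving the rest for routing,
    logging and the OS itself)."""
    per_tunnel_bytes_per_s = per_tunnel_bps / 8
    return int(crypto_bytes_per_s * headroom // per_tunnel_bytes_per_s)


if __name__ == "__main__":
    # Constructed scenario: many low-bandwidth remote-access tunnels.
    for size in (64, 1400):
        bps_per_core = measure_mac_throughput(packet_size=size)
        print(f"{size:5d}-byte packets: {bps_per_core * 8 / 1e6:8.1f} Mbit/s per core")
        for tunnel_mbps in (0.5, 2.0):
            n = max_tunnels_per_core(bps_per_core, tunnel_mbps * 1e6)
            print(f"    {tunnel_mbps:4.1f} Mbit/s tunnels: ~{n} per core at 70% ceiling")
```

Run it on the candidate gateway host itself; the first column is what Zeichick calls the limiting factor, and the small-packet row shows why a crowd of low-bandwidth tunnels can swamp a processor that looks fine on raw megabits. A hardware appliance with crypto offload changes the throughput input, not the arithmetic.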
Finally, Zeichick says, "Never use a Windows server to host more than one or two VPNs. Such VPNs might be used, for example, for emergency remote access by a sysadmin to 'back door' into the network to resolve problems without having to go to the local facilities at 2 a.m." But Zeichick advises caution, due to the security risks.