A Virtual Private Network (VPN) enables you to extend the functionality of your private network to a remote network by using the Internet as the backbone. VPNs can be used in several different scenarios. ISA Server uses Windows 2000's Routing and Remote Access service to manage VPNs and offers wizards to configure VPNs in two of the most popular scenarios:
A branch office connecting to another branch office
Employees connecting to the corporate network remotely
A VPN enables users to exchange information between two computers as if they were connected via a point-to-point link. Even though these computers can be located at remote sites, the information exchanged between them is encrypted and therefore protected in transit. For example, let's assume that your Human Resources (HR) director, Shannon, wants to be able to work from home. With a VPN, you could allow her to access your corporate network via her Internet connection at home by creating a virtual "tunnel," as shown in Figure 3.12. First Shannon will use her modem to connect to her ISP. Then she will make a second connection to create a VPN tunnel to the corporate network. Once connected to the network, Shannon will be able to perform most of the tasks that she normally does while she is on the corporate network at work. She will be able to access the HR database, print to the network printers, access files in her home folder, and surf the Internet. Because Shannon handles confidential employee information, it is imperative that the data traveling between her home computer and the corporate network be secure. Creating a virtual tunnel encrypts the data traveling inside the tunnel and offers the level of security that she needs.
Figure 3.12 A VPN tunnel from home to corporate network through an ISP.
In addition to individual users, entire networks, such as branch offices, can access your corporate network via a VPN. Again, data is encrypted between the two ends of the VPN tunnel, so all communication between the sites is protected. For example, if you have offices in Seattle and San Francisco and you want to use the Internet as a secure tunnel between the two offices, you can set up an ISA Server in each city and create a virtual tunnel between them, as shown in Figure 3.13.
Figure 3.13 VPN tunnel between two offices across the Internet.
For additional reading, check out my article "VPN Deployment Using Windows 2000" on the Microsoft TechNet CD, or online at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/profwin/pw0201.asp. The article covers configuring a VPN server, levels of encryption supported by VPNs, and the PPTP and L2TP packet structure.
PPTP, L2TP, and IPSec
In order to create VPNs that are secure, ISA Server supports several protocols that you can use to build your VPN infrastructure. ISA Server uses Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) to create VPNs across TCP/IP-based networks. The use of the IP Security protocol (IPSec) is also supported to help ensure secure data transfer across the Internet, or between computers within a local area network. Let's look at these protocols in more depth.
PPTP is an extension to the Point-to-Point Protocol (PPP) and can carry multiple network protocols over the Internet. A PPTP tunnel encapsulates IP, IPX/SPX, and NetBEUI packets inside PPP datagrams. This means that you can use a NetBEUI application on a server across the Internet, even though NetBEUI is not a routable protocol and therefore cannot be used to communicate directly on the Internet. PPTP doesn't require a dial-up connection. For example, if you already have a T1 or DSL connection to the Internet, you simply create a PPTP tunnel over it. In a typical scenario, a home user dials into the ISP's server with a modem, which connects the user to the Internet, and then creates a second connection using PPTP to establish the VPN.
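To make the encapsulation concrete, the following added example (not code from the book or from ISA Server) builds and parses a PPTP data packet: a PPP frame carrying a non-routable NetBEUI payload wrapped in the enhanced GRE header that PPTP uses over IP (RFC 2637). The PPP frame here is assumed to consist of just the 16-bit protocol field and payload, with no HDLC framing; the payload bytes are constructed.

```python
import struct

# PPP protocol numbers (standard assignments) for the three payloads
# the text says a PPTP tunnel can carry.
PPP_IP = 0x0021
PPP_IPX = 0x002B
PPP_NETBEUI = 0x003F  # NetBIOS Frames (NBF), i.e. NetBEUI over PPP

GRE_PROTO_PPP = 0x880B  # GRE protocol type value meaning "PPP payload"


def build_pptp_data(call_id, seq, ppp_protocol, payload):
    """Wrap a PPP frame in the enhanced GRE header of RFC 2637.
    First byte 0x30 sets K (call ID present) and S (sequence present);
    second byte 0x01 is GRE version 1 with the A (ack) bit clear."""
    ppp_frame = struct.pack("!H", ppp_protocol) + payload
    header = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP,
                         len(ppp_frame), call_id, seq)
    return header + ppp_frame


def parse_pptp_data(packet):
    """Decode a PPTP data packet into (call_id, seq, ppp_protocol, payload).
    Raises ValueError if it is not an enhanced-GRE v1 packet carrying PPP."""
    flags, ver_byte, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (ver_byte & 0x07) != 1 or not (flags & 0x20):
        raise ValueError("not a PPTP (enhanced GRE v1) data packet")
    offset = 8
    seq = None
    if flags & 0x10:          # S bit: a 32-bit sequence number follows
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if ver_byte & 0x80:       # A bit: a 32-bit acknowledgement number follows
        offset += 4
    ppp_frame = packet[offset:offset + length]
    if len(ppp_frame) != length:
        raise ValueError("truncated PPP payload")
    ppp_protocol = struct.unpack("!H", ppp_frame[:2])[0]
    return call_id, seq, ppp_protocol, ppp_frame[2:]
```

A perimeter firewall between the tunnel endpoints sees only the outer IP packet with protocol 47 (GRE); the NetBEUI frame inside is opaque to it, which is exactly why the tunnel works across a network that cannot route NetBEUI.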
As mentioned earlier, PPTP can encrypt data passing through the VPN tunnel. It uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data either with the default 40-bit encryption, or the stronger 128-bit encryption. Installing Windows 2000 Service Pack 2 on Windows 2000 computers will automatically upgrade the encryption level to 128-bit.
If you want MPPE to encrypt data, use MS-CHAP, MS-CHAP v2, or EAP/TLS authentication. MS-CHAP v2 and EAP/TLS support mutual authentication; therefore, if these are the only protocols configured, make sure that both the server and the clients support them. The connection will be dropped if, for example, the server doesn't identify itself to the client.
L2TP is a combination of Layer 2 Forwarding (L2F) and PPTP. It provides functionality similar to PPTP's for establishing VPN connections. Although configuring PPTP on the server is much simpler, L2TP offers a higher level of security. With PPTP, you use MPPE to encrypt data. With L2TP, you use IPSec to encrypt data. When using L2TP, you need to ensure that both the VPN client and the VPN server support L2TP and IPSec. In addition, keep in mind that only Windows 2000 and Windows XP support L2TP and IPSec; Windows NT and Windows 9x don't.
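Because PPTP and L2TP/IPSec put different traffic on the wire, an administrator checking that the path between two ISA Servers (or between a remote client and the server) passes the right protocols needs to recognise each component. The added example below (not from the book or ISA Server) classifies constructed IPv4 packets by the standard protocol numbers and ports of the three protocols discussed here; the addresses and ports in the sample packets are made up.

```python
import struct

# IP protocol numbers and well-known ports (standard assignments) for the
# VPN components discussed in the text.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723   # PPTP control connection (TCP)
L2TP_PORT = 1701           # L2TP tunnel traffic (UDP)
IKE_PORT = 500             # ISAKMP/IKE key exchange for IPSec (UDP)


def classify_vpn_packet(packet):
    """Label which VPN component an IPv4 packet belongs to, or 'other'.
    Only the IPv4 header and the first four bytes (the two ports) of a
    TCP or UDP header are inspected."""
    ihl = (packet[0] & 0x0F) * 4   # IPv4 header length in bytes
    proto = packet[9]
    if proto == IPPROTO_GRE:
        return "pptp-data (GRE)"
    if proto == IPPROTO_ESP:
        return "ipsec-esp"
    if proto == IPPROTO_AH:
        return "ipsec-ah"
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        ports = struct.unpack("!HH", packet[ihl:ihl + 4])
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in ports:
            return "pptp-control (TCP 1723)"
        if proto == IPPROTO_UDP and L2TP_PORT in ports:
            return "l2tp (UDP 1701)"
        if proto == IPPROTO_UDP and IKE_PORT in ports:
            return "ipsec-ike (UDP 500)"
    return "other"


def make_ipv4(proto, sport=None, dport=None):
    """Build a constructed 20-byte IPv4 header (no options, checksum left
    zero) followed by an optional TCP/UDP port pair, for exercising the
    classifier offline."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    if sport is not None:
        header += struct.pack("!HH", sport, dport)
    return header
```

A PPTP tunnel therefore needs both TCP 1723 and IP protocol 47 allowed end to end, while L2TP over IPSec needs UDP 500 for IKE plus ESP (protocol 50) carrying the UDP 1701 traffic inside it.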