Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003

With a secure network architecture based on Windows Server 2003 in place, the first step in designing a remote access server solution is deciding whether to provide network access to remote clients by using dial-up networking, a VPN solution, or a combination of both. Figure 8.2 shows the placement of this design decision in the process for designing and deploying dial-up and VPN remote access servers.

Figure 8.2: Choosing Dial-up or VPN

Each method for providing remote access has advantages and disadvantages that you must weigh based on the needs of your organization. A dial-up networking solution provides a secure data path over a circuit-switched connection, and it provides the convenience of direct dial-up connectivity to your network for mobile users. In contrast, a VPN solution, by using the Internet as a connection medium, saves the cost of long-distance phone service and hardware costs. To mitigate the public nature of the Internet, VPNs use a variety of security technologies, including tunneling, encryption, and authentication.

Using Dial-up Networking for Remote Access

In a dial-up networking solution, remote users call in to a remote access server on your network. Dial-up lines are inherently more private than a solution that uses a public network such as the Internet. However, with dial-up networking, your organization faces a large initial investment and continuing expenses throughout the life cycle of the solution. These expenses include:

• Hardware purchase and installation. Dial-up networking requires an initial investment in modems or other communication hardware, server hardware, and phone line installation.

• Monthly phone costs. Each phone line that is used for remote access increases the cost of dial-up networking. If you use toll-free numbers or the callback feature to defray long distance charges for your users, these costs can be substantial. Most businesses can arrange a bulk rate for long distance, which is preferable to reimbursing users individually at their more expensive residential rates.

• Ongoing support. The number of remote access users and the complexity of your remote access design significantly affect the ongoing support costs for dial-up networking. Support costs include network support engineers, testing equipment, training, and help desk personnel to support and manage the deployment. These costs represent the largest portion of your organization's investment.

Figure 8.3 shows an example of a simple dial-up remote access networking design.

Figure 8.3: Dial-up Remote Access Design

Providing Remote Access over a VPN

In a VPN solution for remote access, users connect to your corporate network over the Internet. VPNs use a combination of tunneling, authentication, and encryption technologies to create secure connections. To ensure the highest level of security for a VPN deployment, use Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec).

Many organizations with extensive remote access requirements implement a VPN solution. VPNs reduce remote access expenses by using the existing Internet infrastructure. You can use a VPN to partially or entirely replace your centralized, in-house, dial-up remote access infrastructure and legacy services.

VPNs offer two primary benefits:

• Reduced costs. Using the Internet as a connection medium saves long-distance phone expenses and requires less hardware than a dial-up networking solution does.

• Sufficient security. Authentication prevents unauthorized users from connecting. Strong encryption methods make it extremely difficult for a hacker to interpret the data sent across a VPN connection.

Figure 8.4 shows an example of a simple VPN remote access networking design.

Figure 8.4: VPN Remote Access Design