A VPN is a private, encrypted network connection that crosses
the public Internet. Typically, a VPN is used either to connect two
office sites or to enable remote computers to access a single office
network. In the case of a site-to-site VPN (shown in Figure 1), no special configuration is required
for the clients. The negotiation of the private connection for these
VPNs is performed by the VPN servers at each office, and clients in
opposite branches communicate with each other as they would
communicate with clients in their own branch.
In a remote access VPN, however, the client running Windows 7
must be configured to negotiate a connection to the VPN server. For
this reason, it is only the remote access VPN. A remote access VPN is shown in Figure 2.
1. Understanding VPN Encapsulation and Tunneling
A VPN works by taking the communication exchanges that
computers would use if they were located on the same network,
encrypting these exchanges, and then encapsulating the information
with the additional networking data needed to cross the Internet. As
a result of this encapsulation, the physical network through which
private data is sent becomes transparent to the two endpoints of
communication, as shown in Figure 3. In the
illustration, two computers, Computer1 and Computer2, are connected
physically only through the Internet, but the transparency of the
physical link is revealed in the results of the Tracert command run
at each computer. Although many hops separate the two computers,
each appears to the other as only one hop away through the VPN
connection. Communication occurs between the two private IP
addresses, each within the 192.168.10.0/24 subnet, as if the
computers were both located on the same network segment.
The term used to describe this process of encapsulating
private data within public data is tunneling. A
VPN tunneling protocol creates a secure channel between two VPN
servers or between a VPN server and a VPN client. Within a VPN
tunnel, encryption is used to protect data as it crosses the public
network. Private data is encrypted before the data is sent out onto
the tunnel and then decrypted when it reaches the end of the
tunnel.
Data authentication is also performed by
most VPN tunneling protocols to validate the data in two
ways. First, tunneling protocols can perform data integrity
checking, which ensures that the data remains untouched from its
original version. Second, they can perform data origin
authentication, which ensures that the data is truly sent from the
party that claims to be sending it.
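The encapsulation, encryption, and data-authentication steps described in the two preceding paragraphs can be seen together in a small model of a tunnel. The following is an added example written for this page, not code from Windows 7, RRAS, or any real tunneling protocol: the packet layout, the key values, and the function names (build_inner_packet, encapsulate, decapsulate, is_authentic) are all constructed here, and the cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES that real protocols such as IPsec ESP use. The inner packet carries the two private 192.168.10.0/24 addresses exactly as the hosts would exchange them on one segment; the outer packet carries the public addresses the tunnel needs to cross the Internet. The receiver checks the authentication tag first, so a packet that was altered in transit (integrity) or that was not produced by a holder of the tunnel key (origin) is rejected before anything is decrypted.

```python
"""Toy remote-access VPN tunnel: encapsulation, encryption, and data authentication.

Hypothetical example written to illustrate this page; not Windows 7 / RRAS code.
Packet layout (constructed here, loosely modelled on IPsec ESP in tunnel mode):

  outer_src(4) | outer_dst(4) | nonce(12) | encrypted inner packet | HMAC tag(32)

Only nonce + ciphertext are authenticated, as in ESP, so NAT devices may rewrite
the outer addresses without breaking the tag.
"""
import hashlib
import hmac
import secrets
import socket
import struct

# Constructed demo keys. A real VPN derives separate encryption and integrity keys
# during tunnel negotiation (IKE for L2TP/IPsec and IKEv2); it never hard-codes them.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()

OUTER_HDR = 8    # two IPv4 addresses (public side)
NONCE_LEN = 12
TAG_LEN = 32     # HMAC-SHA256


def build_inner_packet(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """The packet the hosts would exchange on a shared 192.168.10.0/24 segment
    (simplified header: src, dst, 16-bit payload length)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack(">H", len(payload)) + payload)


def parse_inner_packet(data: bytes):
    src, dst = socket.inet_ntoa(data[0:4]), socket.inet_ntoa(data[4:8])
    (length,) = struct.unpack(">H", data[8:10])
    payload = data[10:10 + length]
    if len(payload) != length:
        raise ValueError("truncated inner packet")
    return src, dst, payload


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES so the example runs on the
    standard library alone. Never reuse a nonce under the same key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(outer_src: str, outer_dst: str, inner: bytes,
                enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY) -> bytes:
    """Encrypt the private packet, wrap it in public addressing, then tag it
    (encrypt-then-MAC, so the receiver can reject bad data before decrypting)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    protected = nonce + body
    tag = hmac.new(mac_key, protected, hashlib.sha256).digest()
    return socket.inet_aton(outer_src) + socket.inet_aton(outer_dst) + protected + tag


def is_authentic(packet: bytes, mac_key: bytes = MAC_KEY) -> bool:
    """Data integrity + data origin authentication: the tag only verifies if the
    bytes are unchanged and were produced by a holder of mac_key."""
    if len(packet) < OUTER_HDR + NONCE_LEN + TAG_LEN:
        return False
    protected, tag = packet[OUTER_HDR:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, protected, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decapsulate(packet: bytes, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY):
    """Verify, strip the public wrapper, decrypt, and hand back the private packet."""
    if not is_authentic(packet, mac_key):
        raise ValueError("packet failed data authentication; dropped")
    outer = (socket.inet_ntoa(packet[0:4]), socket.inet_ntoa(packet[4:8]))
    nonce = packet[OUTER_HDR:OUTER_HDR + NONCE_LEN]
    body = packet[OUTER_HDR + NONCE_LEN:-TAG_LEN]
    inner = _xor(body, _keystream(enc_key, nonce, len(body)))
    return outer, parse_inner_packet(inner)


def flip_bit(packet: bytes, index: int) -> bytes:
    """Simulate corruption or tampering of one byte in transit."""
    mutated = bytearray(packet)
    mutated[index] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    # Constructed sample: Computer1 -> Computer2 over public addresses from the
    # documentation ranges (TEST-NET-3 and TEST-NET-2).
    inner = build_inner_packet("192.168.10.5", "192.168.10.20", b"hello from branch")
    pkt = encapsulate("203.0.113.10", "198.51.100.7", inner)
    print("payload visible on the wire:", b"hello from branch" in pkt)
    print("decapsulated:", decapsulate(pkt))
    print("tampered packet accepted:", is_authentic(flip_bit(pkt, OUTER_HDR + NONCE_LEN + 3)))
```

Running the script shows the private addresses and payload surviving the trip unchanged while never appearing in clear in the outer packet, and a single flipped ciphertext byte (or a tag computed under a different key) being refused before decryption, which is the property the two-part data-authentication description above is pointing at.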
2. Understanding Remote Access VPN Infrastructure
To provide remote access to VPN clients, a Windows-based network must include a
number of features, as shown in Figure 4. At a minimum, these features
include the VPN client and client software (or network connection in Windows), a
VPN server running Routing and Remote Access Services (RRAS), and an
internal DNS server. Typically, however, a VPN infrastructure will
also include a domain controller, a certificate server, and a DHCP
server. Finally, a Network Policy Server (NPS) might also be used. The
role of these VPN infrastructure components is described in the
following section.