May 28, 2001 12:00 AM

Windows 2000 VPN Basics

Windows IT Pro
InstantDoc ID #21243

Last week, I explained how to ensure that your RAS users can reliably authenticate in a mixed Windows 2000 and Windows NT 4.0 environment. One solution that lets you avoid relaxing Active Directory's (AD’s) default security settings is to upgrade all your NT 4.0 RAS servers to Win2K. Win2K includes several enhancements to NT 4.0's RAS service—enhancements that might prompt you to migrate your RAS servers sooner rather than later. One such enhancement is Win2K’s VPN support.

VPN connections are similar to dial-up connections in that they give remote users access to your network. Unlike dial-up connections, however, VPNs use an existing network (the Internet, for example) as the connection medium. A VPN takes the Point-to-Point Protocol (PPP) frames that a dial-up connection would send over a modem and wraps them in tunneling-protocol headers so that they can be carried across a shared IP network. The tunnel headers only deliver the frames; the confidentiality and integrity of the data depend on the encryption that the tunneling protocol applies to the PPP payload. VPN is especially beneficial when users would otherwise incur long-distance charges dialing in to your network. All the client needs is a connection to the Internet (and with the proliferation of broadband Internet connections, VPN users can realize significantly higher connection speeds than dial-up users). Of course, because you're communicating over a public network, you must adequately secure the data you send. How you secure it depends on the tunneling protocol you use.

Win2K supports two tunneling protocols: PPTP and Layer 2 Tunneling Protocol (L2TP). Win2K and NT 4.0 both support PPTP, so you can use the protocol with both Win2K Professional and NT Workstation clients. Another advantage of PPTP is that its traffic can pass through a Network Address Translation (NAT) server: the control connection is ordinary TCP (port 1723), and although the tunneled data travels in GRE packets, which carry no port numbers, a NAT device that understands PPTP can track those packets by their call ID. The downside to PPTP is that it relies on Microsoft Point-to-Point Encryption (MPPE), which doesn't provide strong security. MPPE derives its RC4 session keys from the MS-CHAP authentication exchange, so the protection is never stronger than the user's password, and although MPPE can use a 128-bit key, you must use the default 40-bit key to remain compatible with NT 4.0 clients.

L2TP, which is new to Windows with Win2K, overcomes PPTP's security limitations by enlisting IP Security (IPSec) to protect the tunnel. L2TP itself wraps each PPP frame in an L2TP header and a UDP header (port 1701); that encapsulation carries the frame across the Internet but does nothing to hide it. IPSec Encapsulating Security Payload (ESP) in transport mode then encrypts and integrity-protects the whole UDP/L2TP/PPP packet, leaving only an unencrypted IP header that supplies the addressing information between the VPN client and the VPN server (the IPSec keys are negotiated beforehand with IKE over UDP port 500). L2TP over IPSec provides better security than PPTP, but the technology requires client support that's available only in Win2K, and L2TP over IPSec traffic can't pass through a NAT server: ESP carries no port numbers for the NAT device to rewrite, and the UDP checksum inside the encrypted payload covers the original source address, so it is wrong after translation and the NAT device can't correct it.
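The two encapsulations just described, and the NAT point made for each, as an added example that is not part of the original article and is not Microsoft's code: the Python below builds the outer headers of PPTP's TCP 1723 control connection and its GRE data packets, and of an L2TP over IPSec packet with UDP 1701/L2TP/PPP inside ESP, then reports what a plain port-rewriting NAT can do with each. The addresses (RFC 5737 documentation ranges), call ID, SPI and PPP bytes are constructed placeholders; no real MPPE or ESP encryption and no checksums are computed.

```python
"""Added example (not code from the article or from Microsoft): builds the
outer headers that Win2K's two tunnel types put on the wire and asks whether
a port-rewriting NAT (NAPT) can carry each packet. Addresses, call IDs and
PPP bytes are constructed placeholders; no real MPPE or ESP encryption and
no checksums are computed."""
import struct
import ipaddress

# IANA IP protocol numbers and the well-known ports the two tunnels use
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_CTRL_PORT, L2TP_PORT, IKE_PORT = 1723, 1701, 500


def ipv4(src, dst, proto, payload):
    """IPv4 header (no options, checksum left 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload):
    # 20-byte header: seq/ack 0, data offset 5 words, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18,
                       8192, 0, 0) + payload


def pptp_control(src, dst, sport, payload):
    """PPTP control connection: IP | TCP 1723 | control message."""
    return ipv4(src, dst, IPPROTO_TCP, tcp(sport, PPTP_CTRL_PORT, payload))


def pptp_data(src, dst, call_id, ppp_frame):
    """PPTP tunnel data: IP | GRE (RFC 2637 enhanced GRE, K and S set) | PPP.
    MPPE encrypts only ppp_frame; the GRE header stays in the clear and has
    no port numbers, only a 16-bit call ID in its Key field."""
    gre = struct.pack("!HHHHI", 0x3001, 0x880B, len(ppp_frame), call_id, 0)
    return ipv4(src, dst, IPPROTO_GRE, gre + ppp_frame)


def l2tp_ipsec_data(src, dst, spi, ppp_frame):
    """L2TP over IPSec, ESP transport mode:
    IP | ESP hdr | {UDP 1701 | L2TP | PPP} | ESP trailer + ICV.
    Everything after the 8-byte ESP header is ciphertext on the wire; it is
    kept as placeholder plaintext here so the layering stays visible."""
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp_frame), 1, 1)  # v2, L bit
    inner = udp(L2TP_PORT, L2TP_PORT, l2tp + ppp_frame)
    esp_hdr = struct.pack("!II", spi, 1)                 # SPI, sequence no.
    trailer = bytes([0, IPPROTO_UDP]) + b"\x00" * 12     # pad len, next, ICV
    return ipv4(src, dst, IPPROTO_ESP, esp_hdr + inner + trailer)


def napt_verdict(packet):
    """Look only at what a NAT device can see (the outer headers) and say
    whether a plain port-rewriting NAT can translate the flow.
    Returns (outer protocol name, verdict)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        name = "tcp" if proto == IPPROTO_TCP else "udp"
        return name, f"translatable: ports {sport}->{dport} can be rewritten"
    if proto == IPPROTO_GRE:
        call_id = struct.unpack("!H", l4[6:8])[0]
        return "gre", (f"no ports; needs a PPTP-aware NAT that tracks "
                       f"call ID {call_id}")
    if proto == IPPROTO_ESP:
        return "esp", ("no ports to rewrite, and the UDP checksum inside the "
                       "ciphertext covers the original address: plain NAPT "
                       "breaks the flow")
    return str(proto), "unknown"


def required_flows(tunnel):
    """Outer flows a border firewall must permit for each tunnel type.
    UDP 1701 is absent for L2TP/IPSec: it rides inside ESP and is invisible."""
    return {"pptp": [("tcp", PPTP_CTRL_PORT), ("gre", None)],
            "l2tp/ipsec": [("udp", IKE_PORT), ("esp", None)]}[tunnel]


if __name__ == "__main__":
    ppp = b"\xff\x03\x00\x21"   # constructed PPP header: addr/ctrl, IP proto
    for pkt in (pptp_control("192.0.2.10", "198.51.100.1", 40000, b"\x00"),
                pptp_data("192.0.2.10", "198.51.100.1", 7, ppp),
                l2tp_ipsec_data("192.0.2.10", "198.51.100.1", 0x1234, ppp)):
        print(napt_verdict(pkt))
```

The verdicts line up with the article's two NAT statements: the PPTP control connection translates like any TCP session, the GRE data packets need a NAT device with PPTP (GRE) passthrough that keys its state on the call ID, and the ESP packet gives a NAT device nothing it can safely rewrite. The `required_flows` table is the firewall view of the same thing; note that UDP 1701 never appears at the border for L2TP over IPSec because it is inside the ESP payload.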

You might think that a choice between tunneling protocols would create administrative overhead, but a Win2K RAS server can support both tunneling protocols simultaneously. Next week, I'll describe how to configure Win2K RAS servers and Win2K clients for VPN.


Comments
  • Anonymous User
    Mar 11, 2005

    Windows L2TP/IPSec NAT-T update provides better support for VPN clients that are behind NAT devices.

  • SUDHIR SHETTY
    Nov 05, 2003

    I found this little page of yours beautiful and fantastic and very crystal clear.
    Since I am working in a broadband tech company, our client has a VPN requirement. We provide a NAT-based broadband router. Is it possible for VPN to work behind a NAT router? The VPN 2K clients are on private IPs. Our NAT router is a UBR924. Please suggest us the way.

  • Sean McAllister
    Oct 28, 2003

    Very Informative, and expertly explained! thanks...

  • Dan Sowder
    Jun 21, 2002

    Very well written article. Thanks for the information; it was very useful.

    DKS

  • Brenda Bell
    May 29, 2001

    Hmmmm. McIntosh says "Another advantage of PPTP is that PPTP transmissions pass through a Network Address Translation (NAT) server." I found this statement to be confusing and/or misleading. Isn't the originating IP and port encrypted in VPN traffic such that manipulation of the source port by a NAT server would result in the VPN server assuming that the message has been tampered with?
