Updated: July 11, 2020 (January 14, 2002)


A Typical Microsoft-Based VPN

A typical Microsoft-based VPN may include the following: a Windows 2000 server (1) running Microsoft’s Internet Security and Acceleration (ISA) firewall application and the Routing and Remote Access Service (RRAS) connects the remote LAN to another ISA/RRAS gateway (2) at the central office, using either an IPSec tunnel mode connection or an L2TP/IPSec transport mode tunnel.

Individual roaming or home user computers (3) that connect to the Internet using dial-up or broadband ISP connections also link to the ISA/RRAS server (2) using L2TP/IPSec so that they can connect to internal resources such as a file server (5) or an Exchange e-mail server (6).

Workstations or servers (4) on the internal network needing to connect to resources at the central site over untrustworthy network media, such as wireless (e.g., 802.11) or LANs located in facilities where intruders could physically connect, use IPSec transport mode to connect with the central resources they need to use (5, 6).

IPSec Kerberos authentication (if used) and Group Policy control of IPSec rules and settings are handled by Windows 2000 domain controllers (7). All IPSec devices that use machine certificates for authentication obtain them from a Windows 2000 Certificate Server (8).
