Windows Server 2008 R2 : Choosing Between Traditional VPN Technologies and DirectAccess

3/20/2011 3:18:23 PM
One of the choices to make when you’re deploying Windows Server 2008 R2-based remote access is the choice between a traditional VPN technology and the new DirectAccess.

Within the VPN technologies there are a number of choices, primarily whether to use L2TP/IPSec or PPTP.

Advantages of L2TP/IPSec

Although PPTP users significantly outnumber L2TP/IPSec users, because of a higher level of security in L2TP/IPSec as well as several other benefits of L2TP/IPSec, organizations that are seeking to improve secured remote connectivity are beginning to implement L2TP/IPSec VPN as their remote and mobile access standard. The following are the advantages of using L2TP/IPSec over PPTP:

  • IPSec provides per-packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without the encryption key). PPTP provides only per-packet data confidentiality.

  • L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol.

  • PPP packets exchanged during user-level authentication are never sent unencrypted because the PPP connection process for L2TP/IPSec occurs after the IPSec security associations are established. If intercepted, the PPP authentication exchange for some types of PPP authentication protocols can be used to perform offline dictionary attacks and determine user passwords. If the PPP authentication exchange is encrypted, offline dictionary attacks are possible only after the encrypted packets have been successfully decrypted.

Advantages of PPTP

Although L2TP/IPSec is more secure than a PPTP VPN session, there are significant reasons organizations choose PPTP over L2TP/IPSec. The following are advantages of PPTP over L2TP/IPSec:

  • PPTP does not require a certificate infrastructure. L2TP/IPSec, SSTP, and DirectAccess require a certificate infrastructure for issuing computer certificates to the VPN server computer (or other authenticating server) and all VPN client computers.

  • PPTP can be used by all Windows desktop platforms (Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server, Windows 7, Windows Vista, Windows XP, Windows 2000 client, Windows NT 4.0, Windows Millennium Edition [Me], Windows 98, and Windows 95 with the Windows Dial-Up Networking 1.3 Performance and Security Update). Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server, Windows 7, Windows Vista, Windows XP, and Windows 2000 Workstation VPN clients are the only clients that support L2TP/IPSec and the use of certificates. Windows 7 is the only client that supports DirectAccess.

IPSec functions at a layer below the TCP/IP stack. This layer is controlled by a security policy on each computer and a negotiated security association between the sender and receiver. The policy consists of a set of filters and associated security behaviors. If a packet’s IP address, protocol, and port number match a filter, the packet is subject to the associated security behavior.

Advantages of SSTP

The SSTP protocol in Windows Server 2008 R2 gives administrators the capability to establish tunnels across the majority of corporate networks, bypassing many of the technical hurdles that stop PPTP and L2TP.

The advantages of SSTP are as follows:

  • SSTP helps lower administrative costs by reducing the technical steps needed to tunnel between organizations. Because HTTPS is allowed through most firewalls and proxy servers, no additional infrastructure changes are needed to support SSTP.

  • SSTP is certificate-based security implemented via SSL. However, certificates only need to be issued to the servers rather than the clients. This provides the security benefits of L2TP, but with almost the ease of configuration of PPTP.

These benefits are offset by the client's Certificate Authority (CA) requirements and by the operating system requirement. The client requirement is that it trusts the CA issuing the certificates and that it can access the certificate revocation list (CRL).

Support for SSTP in clients is available in Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows XP SP3 or later, and Windows Vista SP1 or later.

Advantages of DirectAccess

DirectAccess is a new technology introduced with Windows Server 2008 R2 and is a completely new idea for remote access. Essentially, DirectAccess is a transparent, always-on remote access solution. It allows users to always appear to be on the corporate network, as if they were in the office. In addition, it allows administrators to manage systems as local systems through tools like Group Policy and Microsoft System Center Configuration Manager (SCCM). From a user perspective, this is the easiest remote access solution. Once configured, they don’t need to perform any action; it just works. From an administrator point of view, however, this solution is the most complex due to the IPv6 and certificate requirements.

The advantages of DirectAccess are as follows:

  • DirectAccess provides seamless connectivity wherever a remote system has an Internet connection. No user interaction is required.

  • System administrators can manage remotely connected systems as if they were internal systems.

  • DirectAccess allows folder redirection so that all critical data is maintained inside the corporate network and backed up using enterprise tools.

  • DirectAccess uses a new technology, Name Resolution Policy Table (NRPT), to determine the appropriate DNS server for connection requests. Combined with split-tunneling, this makes for a truly transparent solution.

Despite these benefits, DirectAccess can be somewhat complex to implement. If most of the pieces, such as IPv6, PKI, and Windows 7 on the desktop are already in place, DirectAccess might be the best overall remote access solution for Windows Server 2008 R2.

Note

One advantage of DirectAccess is the fact that it uses IPv6. For organizations that have been looking to deploy IPv6 and gain experience with this new addressing scheme, the DirectAccess technology provides a good IPv6 learning platform that is self-contained and integrates well with existing IPv4 technologies.


Ports Affecting the VPN Connectivity

Frequently, RRAS servers operating as VPN servers have two network cards, one of which is plugged into the external network or DMZ. This is simpler, as there are typically few restrictions on communicating with that externally facing interface. The RRAS server is firewalled and the externally facing interface is hardened as a matter of best practice to mitigate the potential risks. In fact, this is a requirement for DirectAccess servers.

However, even with mitigation steps, this externally facing interface can present an unacceptable level of risk to some organizations. In those cases, the VPN infrastructure must remain entirely within the internal network. In that configuration, the firewall must be configured to allow the appropriate traffic to the RRAS server.

Table 1 and Table 2 list the relevant firewall rules needed for the PPTP and L2TP protocols. The IP address for each of the rules is the RRAS server address, which is the destination if the direction is inbound and the source if the direction is outbound.

Table 1. Firewall Rules for the RRAS Server for PPTP

Direction   Protocol   Port or ID   Why?
Inbound     TCP        1723         Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server
Inbound     IP         47           Allows tunneled PPTP data from the PPTP client to the PPTP server
Outbound    TCP        1723         Allows PPTP tunnel maintenance traffic from the PPTP server to the PPTP client
Outbound    IP         47           Allows tunneled PPTP data from the PPTP server to the PPTP client

Table 2. Firewall Rules for the RRAS Server for L2TP

Direction   Protocol   Port or ID   Why?
Inbound     UDP        500          Allows IKE traffic to the VPN server
Inbound     UDP        4500         Allows IPSec NAT-T traffic to the VPN server
Inbound     IP         50           Allows IPSec ESP traffic to the VPN server
Outbound    UDP        500          Allows IKE traffic from the VPN server
Outbound    UDP        4500         Allows IPSec NAT-T traffic from the VPN server
Outbound    IP         50           Allows IPSec ESP traffic from the VPN server

Note

Interestingly, because the DirectAccess server must be a dual-homed server with a network interface on the public network, there are no ports needed on the firewall for DirectAccess. In effect, it bypasses the firewall completely.


The SSTP protocol is simple and only requires that TCP port 443 be permitted inbound to the RRAS server.
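The following is an added example, not code from the original article. It encodes Tables 1 and 2 and the SSTP port as rule data, evaluates constructed sample packets against them using the filter semantics described earlier (a packet whose address, protocol and port match a filter gets the filter's behaviour; anything unmatched is denied), and renders each rule as a netsh advfirewall command. The RRAS address 192.0.2.10 and the client address 203.0.113.5 are constructed documentation addresses, and rendering the rules as Windows Firewall host rules is an assumption made here for a concrete, checkable syntax; the article's tables describe the perimeter firewall in front of the RRAS server.

```python
"""Firewall-rule model for RRAS VPN traffic (PPTP, L2TP/IPSec, SSTP).

Added example. Rule data follows the article's tables; addresses are
constructed (RFC 5737 documentation ranges), not real hosts.
"""
from dataclasses import dataclass
from typing import Optional

RRAS_SERVER = "192.0.2.10"  # constructed: address of the RRAS server


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (to the RRAS server) or "out" (from it)
    protocol: str         # "TCP", "UDP", or an IP protocol number such as "47"
    port: Optional[int]   # RRAS-side port for TCP/UDP; None for raw IP protocols
    why: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


# Table 1: PPTP (TCP 1723 control channel, IP protocol 47 = GRE data)
PPTP_RULES = [
    Rule("in", "TCP", 1723, "PPTP tunnel maintenance, client to server"),
    Rule("in", "47", None, "tunnelled PPTP data (GRE), client to server"),
    Rule("out", "TCP", 1723, "PPTP tunnel maintenance, server to client"),
    Rule("out", "47", None, "tunnelled PPTP data (GRE), server to client"),
]

# Table 2: L2TP/IPSec (UDP 500 IKE, UDP 4500 NAT-T, IP protocol 50 = ESP)
L2TP_RULES = [
    Rule("in", "UDP", 500, "IKE to the VPN server"),
    Rule("in", "UDP", 4500, "IPSec NAT-T to the VPN server"),
    Rule("in", "50", None, "IPSec ESP to the VPN server"),
    Rule("out", "UDP", 500, "IKE from the VPN server"),
    Rule("out", "UDP", 4500, "IPSec NAT-T from the VPN server"),
    Rule("out", "50", None, "IPSec ESP from the VPN server"),
]

# SSTP: only HTTPS inbound to the RRAS server
SSTP_RULES = [Rule("in", "TCP", 443, "SSTP over HTTPS, client to server")]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Filter semantics: address, protocol and port must all match.

    For an inbound rule the RRAS server is the packet's destination; for an
    outbound rule it is the source. Raw IP protocols (GRE, ESP) have no port.
    """
    if rule.protocol != pkt.protocol:
        return False
    if rule.direction == "in":
        return pkt.dst_ip == RRAS_SERVER and (rule.port is None or pkt.dst_port == rule.port)
    return pkt.src_ip == RRAS_SERVER and (rule.port is None or pkt.src_port == rule.port)


def evaluate(pkt: Packet, rules: list) -> Optional[Rule]:
    """Return the first rule that permits the packet, or None (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def to_netsh(rule: Rule, prefix: str) -> str:
    """Render a rule as a Windows Firewall (netsh advfirewall) command.

    Assumption: used here as one concrete syntax for the RRAS host itself;
    the article's tables target the perimeter firewall.
    """
    parts = [
        f'netsh advfirewall firewall add rule name="{prefix}: {rule.why}"',
        f"dir={rule.direction}",
        "action=allow",
        f"protocol={rule.protocol}",
    ]
    if rule.port is not None:
        parts.append(f"localport={rule.port}")
    return " ".join(parts)


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed: a remote VPN client
    samples = [
        ("PPTP control", Packet(client, RRAS_SERVER, "TCP", 51000, 1723), PPTP_RULES),
        ("GRE data", Packet(client, RRAS_SERVER, "47"), PPTP_RULES),
        ("PPTP on L2TP-only rules", Packet(client, RRAS_SERVER, "TCP", 51000, 1723), L2TP_RULES),
        ("stray TCP 445", Packet(client, RRAS_SERVER, "TCP", 51000, 445), PPTP_RULES + L2TP_RULES + SSTP_RULES),
    ]
    for label, pkt, rules in samples:
        hit = evaluate(pkt, rules)
        print(f"{label:26} -> {'ALLOW: ' + hit.why if hit else 'DENY (no matching rule)'}")
    for rule in PPTP_RULES:
        print(to_netsh(rule, "RRAS PPTP"))
```

Keeping the rule set as data makes the default-deny behaviour explicit: a packet to the RRAS server that matches nothing in the table, such as the stray TCP 445 sample, is denied rather than silently allowed, and a PPTP control packet arriving at a firewall that only carries the L2TP rules is denied too, which is exactly the effect of choosing one VPN protocol over the other.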
