If you're building a dial-up VPN so workers in home offices or small offices can connect to the company headquarters, you might want to consider using the VPN capabilities of Windows 2000 as a way to save money and time.
But, experts say, Win 2000 VPN support is not for everyone, especially those who demand a high-speed connection or whose applications require quick response time across the VPN.
Because Win 2000 software includes VPN support, customers don't have to buy separate VPN software for each PC or spend time distributing it, says Thaddeus Fortenberry, author of Windows 2000 Virtual Private Networking. When you have thousands of remote clients, distributing and maintaining software is a nightmare and a huge expense.
Cost savings are what drive many companies to choose remote-access VPNs in the first place. Rather than paying long-distance charges for calls from remote PCs directly to a remote access server, remote-access VPNs carry the traffic over the Internet: for the price of a local call to an ISP, remote users can reach headquarters and avoid the expense of long-distance or 800-number connections.
Remote users can connect to a Win 2000 server or to VPN servers from companies such as Cisco and Nortel Networks. Similarly, SafeNet, the second-largest maker of VPN client software behind Microsoft, has made its SafeNet/SoftPK client compatible with Win 2000 servers. This cross-vendor compatibility makes it possible to set up VPN connections between business partners whose VPN gear comes from different vendors.
However, companies that require thousands of remote connections may want to consider using a single-purpose VPN server rather than a Win 2000 server, Fortenberry says. In his work as the VPN program manager for Compaq's internal VPN, he says he limits the number of simultaneous VPN connections to 2,000 per server to avoid performance drop-offs that Win 2000 is susceptible to.
Network executives should also keep in mind that this technology is best suited to dial-up-speed connections, up to the 128K bit/sec maximum of ISDN, says John Lawler, an analyst with Infonetics Research. That is because Win 2000 encrypts the VPN packets in software, using the processor of the remote PC. At speeds much greater than 128K bit/sec you can run into performance problems, depending on the type of traffic you're running over the VPN, he says.
So higher-speed connections such as DSL and cable modems might be better served by VPN appliances, separate hardware that sits between the remote PC and the Internet link and handles all VPN processing, Lawler says. Remote users running multiple applications at once or uploading large files will find that VPN appliances keep their PCs from slowing down during VPN sessions, he says.
The Win 2000 VPN package combines Layer 2 Tunneling Protocol (L2TP) and IP Security (IPSec), two major VPN standards. Other vendors use pure IPSec both to encapsulate VPN traffic and to authenticate and encrypt it; Microsoft uses L2TP for the encapsulation and IPSec for the authentication and encryption. Because L2TP tunnels PPP frames, customers can send non-IP traffic such as AppleTalk over the Internet rather than just IP. The flip side is that L2TP by itself provides no confidentiality: a tunnel that comes up without the IPSec layer underneath it carries its PPP payload in the clear.
Microsoft says it will support pure IPSec once the standard includes a stable way of handling non-IP traffic.
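The layering described above, as an added example that is not part of the original article or of any Microsoft code: a small Python script builds the L2TP-over-UDP/1701 datagram that carries a PPP frame (and so any PPP-carried protocol, IP or AppleTalk), then classifies IPv4 packets as an observer on the path would see them. If the packet is ESP (IP protocol 50), the L2TP payload is opaque; if the packet is plain UDP/1701, the script parses the L2TP header and reads the PPP protocol field, which is exactly what an attacker could do when IPSec is missing. All packets are constructed inline (no captures); the headers are minimal (no IP options, zero checksums, no PPP protocol-field compression), and the UDP/4500 NAT-T branch is a generalisation beyond what Win 2000 shipped with, added so the check also works on later clients.

```python
"""Classify packets on an L2TP/IPsec link: is the L2TP payload IPsec-protected
or exposed in the clear?  Constructed sample packets only, no network access."""
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
L2TP_PORT, NATT_PORT = 1701, 4500

# PPP protocol numbers (IANA): what the PPP frame inside L2TP actually carries.
PPP_PROTOCOLS = {
    0x0021: "IPv4", 0x0057: "IPv6", 0x002B: "IPX", 0x0029: "AppleTalk",
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP",
}


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ppp(protocol, data):
    """PPP frame with the HDLC address/control bytes most L2TP peers send."""
    return b"\xff\x03" + struct.pack("!H", protocol) + data


def build_l2tp_data(tunnel_id, session_id, ppp_frame):
    """L2TPv2 data message (RFC 2661): T=0, L=1 (length present), Ver=2."""
    return struct.pack("!HHHH", 0x4002, 8 + len(ppp_frame),
                       tunnel_id, session_id) + ppp_frame


def build_esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_l2tp_data(data):
    """Walk the optional L2TPv2 header fields and read the PPP protocol field."""
    (flags,) = struct.unpack("!H", data[:2])
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 message")
    if flags & 0x8000:           # T: control message, no PPP payload
        return {"type": "control"}
    off = 2
    if flags & 0x4000:           # L: length field present
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", data[off:off + 4])
    off += 4
    if flags & 0x0800:           # S: Ns/Nr present
        off += 4
    if flags & 0x0200:           # O: offset size + padding present
        (pad,) = struct.unpack("!H", data[off:off + 2])
        off += 2 + pad
    ppp = data[off:]
    if ppp[:2] == b"\xff\x03":   # strip HDLC address/control if present
        ppp = ppp[2:]
    (proto,) = struct.unpack("!H", ppp[:2])
    return {"type": "data", "tunnel_id": tunnel_id, "session_id": session_id,
            "ppp_protocol": proto, "carried": PPP_PROTOCOLS.get(proto, "unknown")}


def classify(packet):
    """Return what an observer on the path can learn from one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"transport": "ESP", "spi": spi, "seq": seq, "inspectable": False,
                "finding": "L2TP inside IPsec ESP; payload opaque to the observer"}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        udp_payload = payload[8:]
        if NATT_PORT in (sport, dport):      # assumption: NAT-T (RFC 3948) peer
            if udp_payload[:4] == b"\x00\x00\x00\x00":   # non-ESP marker: IKE
                return {"transport": "UDP/4500", "inspectable": None,
                        "finding": "IKE negotiation over NAT-T"}
            spi, seq = struct.unpack("!II", udp_payload[:8])
            return {"transport": "UDP-encapsulated ESP", "spi": spi, "seq": seq,
                    "inspectable": False, "finding": "L2TP inside NAT-T ESP"}
        if L2TP_PORT in (sport, dport):
            info = parse_l2tp_data(udp_payload)
            info.update({"transport": "UDP/1701", "inspectable": True,
                         "finding": "L2TP in the clear: IPsec is not protecting this tunnel"})
            return info
    return {"transport": f"ip-proto-{proto}", "inspectable": None,
            "finding": "not L2TP or IPsec"}


# Constructed samples (not captures): the same AppleTalk-over-PPP L2TP datagram
# once exposed on UDP/1701 and once hidden inside ESP, plus IP-over-PPP.
ATALK_L2TP = build_udp(1701, 1701,
                       build_l2tp_data(5, 9, build_ppp(0x0029, b"\x00" * 12)))
CLEAR_ATALK = build_ipv4(IPPROTO_UDP, ATALK_L2TP)
CLEAR_IP = build_ipv4(IPPROTO_UDP, build_udp(1701, 1701,
           build_l2tp_data(5, 10, build_ppp(0x0021, b"\x45" + b"\x00" * 19))))
PROTECTED = build_ipv4(IPPROTO_ESP,
                       build_esp(0x1000ABCD, 7, b"\x9f" * len(ATALK_L2TP)))

if __name__ == "__main__":
    for name, pkt in [("clear AppleTalk", CLEAR_ATALK), ("clear IP", CLEAR_IP),
                      ("IPsec ESP", PROTECTED)]:
        print(name, classify(pkt))
```

Run it and the two cleartext packets come back with `inspectable: True` and the carried protocol named, while the ESP packet yields only an SPI and sequence number. The practical check this encodes: if UDP/1701 is ever visible in the clear on the Internet side of a Win 2000 VPN server, the IPsec policy did not take effect and the tunnel is running unprotected.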
This story, "Need dial-up VPN? Look to Win 2000," was originally published by Network World.