The traditional corporate network is no longer implemented as a simple local area network (LAN) made up of desktops plugged into a wired infrastructure. While the majority of nodes still connect in this manner, there are many organizations that have introduced the concept of the telecommuter and/or mobile workforce.
Many of these users may never set foot in a corporate office, yet they have the same requirements as the traditional corporate employee. Remote access enables such users to connect to a server at the corporate office and log into the network as if they were in the same building as the company. There are several ways users can accomplish this.
While no longer a common approach, some organizations may still offer a private dial-up option for their users. In this scenario, users establish a connection to the corporate office by way of a dial-up link.
Rather than users connecting to the Internet, they use an analog modem connected to their computers and directly dial a number that corresponds to a modem that is connected to a Remote Access Server at the corporate office. In practice, rather than having one modem at the main office, a modem pool is used, where multiple modems share a common number so that more than one user can connect at a given time.
In this type of implementation, the client initiates the connection using the operating system's built-in dial-up client. On the server side, remote access server software runs on a server, typically a Microsoft Windows Server running the Routing and Remote Access Service (RRAS).
The RRAS server provides these remote users with access to resources on the local area network. Once the user is authenticated, the user can access shared drives and printers as if working on a computer that is physically connected to the office LAN.
A virtual private network (VPN) is the more common approach organizations use to provide remote access to their users. The main advantage a VPN has over dial-up is cost savings, both to the organization and to the end user.
For the organization, expensive modem hardware and dedicated phone lines are not required for VPN connectivity; a VPN connection can be carried over existing Internet connections. Just as a dial-up user dials in to the remote access server, a user who is already connected to the Internet establishes a VPN connection with a VPN server.
Again, this may be a dedicated VPN appliance or a Windows Server running the RRAS service. A VPN connection creates a secure, layer-2 tunnel between the corporate network and the end user over the Internet.
Branch Office VPN Tunnels
When an organization has a main office with one or more remote offices, a wide area network (WAN) connection needs to be established between the locations. One common, low-cost approach is to use the existing Internet connection at each location and establish a secure tunnel between the two sites.
In this scenario, rather than each end user establishing a secure connection back to the main office, the routers/VPN servers at each location create a secure connection between themselves. The underlying connection can be a dedicated or dial-up type connection. Note that LAN traffic is not encrypted until it reaches the VPN server: inside each office it travels in the clear.
When traffic passes through the VPN tunnel, it is encrypted so that the contents of the payload are not exposed to the public Internet. When the encrypted traffic emerges at the other end of the tunnel, it is decrypted and forwarded onto the local area network.
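The branch office tunnel described above, modelled as an added example in Go (not code from the original text or from any particular VPN product): each site's gateway wraps a LAN frame in an AES-GCM envelope before it crosses the Internet and unwraps it on the far side. The site names in the outer header, the "|" separator and a shared pre-configured tunnel key are demo assumptions; real gateways negotiate keys and carry sequence numbers rather than random nonces.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Gateway models the router/VPN server at one site. Both sites hold the same
// tunnel key (a demo assumption; real gateways negotiate it, e.g. with IKE).
type Gateway struct {
	Site string
	aead cipher.AEAD
}

func NewGateway(site string, key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // AES-128/192/256 chosen by key length
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{Site: site, aead: aead}, err
}

// Encapsulate wraps a LAN frame bound for the other site. The outer header
// (site names here, public IPs in practice) stays readable on the Internet
// but is authenticated as associated data; the frame itself is encrypted.
func (g *Gateway) Encapsulate(dst string, lanFrame []byte) ([]byte, error) {
	header := []byte(g.Site + "->" + dst + "|")
	nonce := make([]byte, g.aead.NonceSize()) // fresh random nonce per packet
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, header...), nonce...)
	return g.aead.Seal(out, nonce, lanFrame, header), nil
}

// Decapsulate runs at the far end: verify the tag, decrypt, and hand the
// original frame to the local LAN. A packet altered in transit is rejected.
func (g *Gateway) Decapsulate(pkt []byte) ([]byte, error) {
	sep, ns := bytes.IndexByte(pkt, '|'), g.aead.NonceSize()
	if sep < 0 || len(pkt) < sep+1+ns {
		return nil, fmt.Errorf("malformed tunnel packet")
	}
	header, nonce := pkt[:sep+1], pkt[sep+1:sep+1+ns]
	return g.aead.Open(nil, nonce, pkt[sep+1+ns:], header)
}
```

Only the gateway-to-gateway leg is protected: the frame handed to Encapsulate and the one returned by Decapsulate are the same cleartext that circulates on each office LAN.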