VPN settings are fairly extensive and this is mostly new tech to me so I’m going to take a look at this within reason. I’m happy to say that I feel that test prep study is coming along nicely. Anyway, lets get back into this VPN stuff. Before posting the questions I’m going to go through the TechNet articles. Lets start with an obvious but helpful one.
Choosing between tunneling protocols
- PPTP can be used with a variety of Microsoft clients including Microsoft Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. Unlike L2TP/IPsec, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
- L2TP can only be used with client computers running Windows 2000, Windows XP, or Windows Vista. L2TP supports either computer certificates or a preshared key as the authentication method for IPsec. Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPsec, L2TP/IPsec VPN connections provide data confidentiality, data integrity, and data authentication.
- Unlike PPTP and SSTP, L2TP/IPsec enables machine authentication at the IPsec layer and user level authentication at the PPP layer.
- SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1) or Windows Server 2008. By using SSL, SSTP VPN connections provide data confidentiality, data integrity, and data authentication.
- All three tunnel types carry PPP frames on top of the network protocol stack. Therefore, the common features of PPP, such as authentication schemes, Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPV6) negotiation, and Network Access Protection (NAP), remain the same for the three tunnel types.
This is really helpful information that seems really obvious. This information seems really cut and dry however its from 2012 so its quite possible we may run into complications later. The other issue is that win 10 is mentioned no where in this and lets hope that the clients in our domain are supporting win 10.
There are two articles that I have saved on RAS so this one must be important. Ok for starters:
You can deploy RAS Gateway in multitenant mode as an edge gateway to route tenant customer network traffic to tenant virtual networks and resources.
I mean internal VPN is one thing for encapsulating traffic but this literally has ‘remote’ in the name. What else would you do with RAS besides throw it in front of a firewall to rout traffic, securely, to internal resources? Anyway back to the information at hand. There are lots of things going on in this article. Personally, I’m a big fan of the undefined colored clouds connected to Mixed Pool, GRE Pool and IKEv2. There is so much information here that says “A front-end RAS server connects to a gateway after authentication and then passes the traffic to the internal servers.” There are some specifics but its mostly theory that may or may not (most likely) be helpful when comprehending the questions at hand. Lets move on.
Ok, so I’m interested. Basically this one is advising that this exists and its designed for multi-tenant application environments. Assuming they mean docker environs but it could be any thing. The most important thing to me was the definitions towards the end:
RAS Gateway Features
- Site-to-site VPN. This RAS Gateway feature allows you to connect two networks at different physical locations across the Internet by using a site-to-site VPN connection. For CSPs that host many tenants in their datacenter, RAS Gateway provides a multitenant gateway solution that allows your tenants to access and manage their resources over site-to-site VPN connections from remote sites, and that allows network traffic flow between virtual resources in your datacenter and their physical network.
- Point-to-site VPN. This RAS Gateway feature allows organization employees or administrators to connect to your organization’s network from remote locations. For multitenant deployments, tenant network administrators can use point-to-site VPN connections to access virtual network resources at the CSP datacenter.
- GRE Tunneling. Generic Routing Encapsulation (GRE) based tunnels enable connectivity between tenant virtual networks and external networks. Since the GRE protocol is lightweight and support for GRE is available on most of network devices it becomes an ideal choice for tunneling where encryption of data is not required. GRE support in Site to Site (S2S) tunnels solves the problem of forwarding between tenant virtual networks and tenant external networks using a multi-tenant gateway, as described later in this topic.
- Dynamic routing with Border Gateway Protocol (BGP). BGP reduces the need for manual route configuration on routers because it is a dynamic routing protocol, and automatically learns routes between sites that are connected by using site-to-site VPN connections. If your organization has multiple sites that are connected by using BGP-enabled routers such as RAS Gateway, BGP allows the routers to automatically calculate and use valid routes to each other in the event of network disruption or failure. For more information, see RFC 4271.
Theses are actually helpful when trying to sort through answering basic questions. I suppose dealing with PowerShell CMDs are nice too, from the high availability
GRE Tunneling in Windows Server 2016
There is a really good definition in the intro and then some information about plausible uses. Its not marking and its helpful information. The most important part is
GRE tunnels are useful in many scenarios because:
- They are lightweight and RFC 2890 compliant, making it interoperable with various vendor devices
- You can use Border Gateway Protocol (BGP) for dynamic routing
- You can configure GRE multitenant RAS Gateways for use with Software Defined Networking (SDN)
- You can use System Center Virtual Machine Manager to manage GRE-based RAS Gateways
- You can achieve up to 2.0 Gbps throughput on a 6 core virtual machine that is configured as a GRE RAS Gateway
- A single gateway supports multiple connection modes
Really, that’s the only useful info in this.
Network Function Virtualization
Virtual appliance benefits
- A virtual appliance is dynamic and easy to change because it is a pre-built, customized virtual machine. It can be one or more virtual machines packaged, updated, and maintained as a unit. Together with software defined networking (SDN), you get the agility and flexibility needed in today’s cloud-based infrastructure. For example:
This is awesome! I’ve been wondering what an appliance was and I haven’t seen solid information on it. There is a lot of info on this topic. Highlight, when the hit the “But wait! There’s more!” lick haha. As I haven’t seen much in terms of questions on appliances I think we are good here. Lets get into the MeasureUp questions.
This one is pretty much definitonal and straight forward. The answers are clear and we have covered all this above.
The only thing I found here to be interesting was the L3 being the preferred method for datacenter to cloud architecture. Anyway, that’s all for the night. Time to go to to bed wake up, go straight to work and come home and start working on this again!