Installing and integrating virtual private networks


Robbie Harrell
07.17.2006




If you have made the decision to move forward with a virtual private network (VPN), you'll want to ensure that the solution is installed correctly and integrates with the current environment. This is where the rubber meets the road in the effort to get the system up and running as efficiently (and correctly) as possible.

If you are at the point of installing and integrating the VPN solution, then hopefully you will have acquired a system that meets the following requirements:

  1. Provides a software client that is compatible with the client systems deployed in your environment (e.g., do not buy the Windows 2000 version if you have Windows XP).
  2. Has a server that supports interfaces required for your environment.
  3. Provides security functionality that meets or exceeds corporate security policies.
  4. Provides an adequate number of sessions, allowing for anticipated concurrent usage as well as room for future growth.
  5. Provides maintenance options from the vendor. (Note: This is not a requirement, but if you are new to the VPN world and cannot justify supporting it, this is certainly an option.)

These are fundamental requirements. In addition, you will need to make sure that the installed clients can support the software (e.g., enough memory and the right operating system).

The key to a successful VPN deployment is proper planning and the right approach. If you plan properly and clearly identify all of your requirements and the integration points up front, the actual installation becomes an execution of a well-thought-out plan, including a detailed design, integration plan and testing plan.

Develop a detailed VPN design

There are three main components of a VPN solution: the VPN access server, the VPN client and the VPN software that is installed on the client.

In general, the client software is configured to match what the server is providing in terms of access, authorization and encryption. You will want to put your VPN concentrator in a secure location that can be firewalled off from the corporate network. In most cases, the VPN server will terminate IPsec/SSL sessions from Internet VPN users, so putting the VPN server in a DMZ is always a good idea.

The detailed VPN design lays out all of the specific addressing, security, logical segmentation, physical connectivity and naming conventions that will be configured on the VPN server and the equipment that the VPN server connects to (such as a LAN switch in the DMZ). It is always helpful to define these details in advance because this ensures that you are covering all aspects of the integration before actually going out and installing and configuring the platforms.

Be sure to collect all the relevant VPN information (usernames/passwords, encryption details) that needs to be configured, and create templates for installation. These can then be used as troubleshooting tools as well.

Plan for testing and integration

A common oversight in VPN installation is the integration into the existing network. Vendors are famous for touting their solutions as "plug & play," when, in reality, modifications to the existing environment will have to be made in order to "plug" the solution seamlessly into the current network. You will need to design and configure VLANs, IP addressing and IP routing parameters on the current network in order to support the VPN. This should be a part of your detailed design.

Once the design is on paper, you should develop scripts for testing whether the solution delivers the required functionality once it is installed. This will allow for solution validation and drastically reduce those dreaded Day 2 installation calls (new system installed and no one can get it to work). If feasible, try to deploy the design in a proof-of-concept/pilot environment. If this is possible, you can develop the test scripts using actual solution parameters and screenshots.
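One way to put the design "on paper" in a form a script can check before installation, as an added example that is not part of the original tip: the design template below is validated for DMZ placement, address overlap and session headroom. All addresses, field names and numbers are constructed placeholders, and keeping the client pool separate from the corporate ranges is an assumption of this example.

```python
import ipaddress
import math

# Constructed design template; every address, field name and number is a placeholder.
DESIGN = {
    "corporate_nets": ["10.0.0.0/16"],
    "dmz_net": "192.0.2.0/28",
    "vpn_server_ip": "192.0.2.5",
    "client_pool": "172.16.50.0/24",   # addresses handed to VPN clients
    "licensed_sessions": 200,
    "expected_concurrent": 120,
    "growth_factor": 1.5,              # room for future growth
}

def validate_design(d):
    """Return a list of findings; an empty list means the template is consistent."""
    findings = []
    corp = [ipaddress.ip_network(n) for n in d["corporate_nets"]]
    dmz = ipaddress.ip_network(d["dmz_net"])
    pool = ipaddress.ip_network(d["client_pool"])
    server = ipaddress.ip_address(d["vpn_server_ip"])

    # The VPN server sits in a DMZ that is firewalled off from the corporate network.
    if server not in dmz:
        findings.append(f"VPN server {server} is not inside DMZ {dmz}")
    for net in corp:
        if dmz.overlaps(net):
            findings.append(f"DMZ {dmz} overlaps corporate network {net}")
        # Assumption: a separate pool lets firewall rules and routes single out VPN users.
        if pool.overlaps(net):
            findings.append(f"client pool {pool} overlaps corporate network {net}")
    if pool.overlaps(dmz):
        findings.append(f"client pool {pool} overlaps DMZ {dmz}")

    # Session capacity: anticipated concurrent usage plus growth must fit the licence,
    # and the address pool must be able to serve every licensed session.
    needed = math.ceil(d["expected_concurrent"] * d["growth_factor"])
    if d["licensed_sessions"] < needed:
        findings.append(f"{d['licensed_sessions']} sessions licensed, {needed} needed")
    usable = pool.num_addresses - 2    # minus network and broadcast addresses
    if usable < d["licensed_sessions"]:
        findings.append(f"pool {pool} has {usable} addresses for "
                        f"{d['licensed_sessions']} sessions")
    return findings

if __name__ == "__main__":
    for finding in validate_design(DESIGN) or ["design template is consistent"]:
        print(finding)
```

The same template can feed the post-installation test scripts and later troubleshooting, so the values checked on paper are the ones verified on the live system.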

Finally, you will want to develop the integration plan. This consists of two distinct parts: the resources and time frames required to deploy the solution, and the tasks that will be executed during deployment (install, configure, test and turn over to production). If you plan ahead around these key areas, you will have no surprises when deploying the solution, and you will also be able to turn over to production with very little hand-holding of end users and support staff.

About the author:
Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has more than 10 years of experience providing strategic, business and technical consulting services. Robbie lives in Atlanta and is a graduate of Clemson University. His background includes positions as a principal architect at International Network Services, Lucent, Frontway and Callisma.
