If you have made the decision to move forward with a virtual private network (VPN), you'll want to ensure that the solution is installed correctly and integrates with the current environment. This is where the rubber meets the road in the effort to get the system up and running as efficiently (and correctly) as possible.
If you are at the point of installing and integrating the VPN solution, then hopefully you will have acquired a system that meets the following requirements:
- Provides a software client that is compatible with the client systems deployed in your environment (e.g., do not buy the Windows 2000 version if you have Windows XP).
- Has a server that supports interfaces required for your environment.
- Provides security functionality that meets or exceeds corporate security policies.
- Provides an adequate number of sessions, allowing for anticipated concurrent usage as well as room for future growth.
- Provides maintenance options from the vendor. (Note: This is not a requirement, but if you are new to the VPN world and cannot justify supporting it, this is certainly an option.)
These are fundamental requirements. In addition, you will need to make sure that the installed clients can support the software (e.g., enough memory and the right operating system).
The key to a successful VPN deployment is proper planning and the right approach. If you plan properly and clearly identify all of your requirements and the integration points up front, the actual installation becomes an execution of a well-thought-out plan, including a detailed design, integration plan and testing plan.
Develop a detailed VPN design
There are three main components of a VPN solution: the VPN access server, the VPN client and the VPN software that is installed on the client.
In general, the client software is configured to match what the server is providing in terms of access, authorization and encryption. You will want to put your VPN concentrator in a secure location that can be firewalled off from the corporate network. In most cases, the VPN server will terminate IPsec/SSL sessions from Internet VPN users, so putting the VPN server in a DMZ is always a good idea.
The detailed VPN design lays out all of the specific addressing, security, logical segmentation, physical connectivity and naming conventions that will be configured on the VPN server and the equipment that the VPN server connects to (such as a LAN switch in the DMZ). It is always helpful to define these details in advance because this ensures that you are covering all aspects of the integration before actually going out and installing and configuring the platforms.
Be sure to collect all the relevant VPN information (usernames/passwords, encryption details) that needs to be configured, and create templates for installation. These can then be used as troubleshooting tools as well.
Plan for testing and integration
A common oversight in VPN installation is the integration into the existing network. Vendors are famous for touting their solutions as "plug & play," when, in reality, modifications to the existing environment will have to be made in order to "plug" the solution seamlessly into the current network. You will need to design and configure VLANs, IP addressing and IP routing parameters on the current network in order to support the VPN. This should be a part of your detailed design.
Once the design is on paper, you should develop scripts for testing whether the solution delivers the required functionality once it is installed. This will allow for solution validation and drastically reduce those dreaded Day 2 installation calls (new system installed and no one can get it to work). If feasible, try to deploy the design in a proof-of-concept/pilot environment. If this is possible, you can develop the test scripts using actual solution parameters and screenshots.
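One way to turn the detailed design and the test scripts described above into something executable is a small validator that reads the design record (addressing, DMZ placement, VLAN on the adjacent switch, crypto parameters, session licensing) and checks it against corporate policy before anyone touches the concentrator. The code below is an added example, not from the article or any vendor; the template field names, the policy thresholds, and the sample addresses (RFC 5737/1918 ranges) are all assumptions constructed for illustration.

```python
"""Pre-installation VPN design validator (added example, not the article's code).
The design record and policy below are constructed; field names are assumptions."""
import copy
import ipaddress

# Constructed design template, the kind of record the article says to prepare
# in advance (naming, addressing, segmentation, crypto, capacity).
DESIGN = {
    "vpn_server": {
        "hostname": "vpn-gw-01",        # naming convention
        "zone": "dmz",                  # where the concentrator terminates sessions
        "outside_ip": "203.0.113.10",   # RFC 5737 documentation address
        "inside_ip": "10.10.50.2",
        "dmz_vlan": 50,
    },
    "dmz_subnet": "10.10.50.0/24",
    "dmz_vlans_on_switch": [50, 60],    # VLANs already built on the DMZ switch
    "corporate_lans": ["10.0.0.0/16", "10.1.0.0/16"],
    "client_pool": "10.200.0.0/24",     # addresses handed to VPN clients
    "crypto": {"ike_dh_group": 14, "cipher": "aes256", "hash": "sha256"},
    "sessions": {"licensed": 500, "expected_peak": 300},
}

# Constructed policy thresholds (assumed values, adjust to your own standards).
POLICY = {
    "allowed_zones": {"dmz"},
    "min_dh_group": 14,
    "banned_ciphers": {"des", "3des", "rc4"},
    "banned_hashes": {"md5", "sha1"},
    "min_headroom": 0.25,   # keep 25% of licensed sessions free for growth
}


def check_placement(design, policy):
    """Concentrator must sit in an approved, firewalled zone, and its DMZ VLAN
    must already exist on the switch it plugs into (a common integration miss)."""
    findings = []
    server = design["vpn_server"]
    if server["zone"] not in policy["allowed_zones"]:
        findings.append(f"placement: zone '{server['zone']}' is not an approved zone")
    if server["dmz_vlan"] not in design["dmz_vlans_on_switch"]:
        findings.append(f"placement: VLAN {server['dmz_vlan']} is not configured on the DMZ switch")
    return findings


def check_addressing(design):
    """Client pool must not overlap the DMZ or any corporate LAN (routing conflicts),
    and the inside interface address must belong to the DMZ subnet."""
    findings = []
    pool = ipaddress.ip_network(design["client_pool"])
    dmz = ipaddress.ip_network(design["dmz_subnet"])
    for net in [dmz] + [ipaddress.ip_network(n) for n in design["corporate_lans"]]:
        if pool.overlaps(net):
            findings.append(f"addressing: client pool {pool} overlaps {net}")
    inside = ipaddress.ip_address(design["vpn_server"]["inside_ip"])
    if inside not in dmz:
        findings.append(f"addressing: inside IP {inside} is not in DMZ subnet {dmz}")
    return findings


def check_crypto(design, policy):
    """Encryption settings must meet or exceed corporate security policy."""
    findings = []
    c = design["crypto"]
    if c["ike_dh_group"] < policy["min_dh_group"]:
        findings.append(f"crypto: DH group {c['ike_dh_group']} below minimum {policy['min_dh_group']}")
    if c["cipher"].lower() in policy["banned_ciphers"]:
        findings.append(f"crypto: cipher '{c['cipher']}' is banned by policy")
    if c["hash"].lower() in policy["banned_hashes"]:
        findings.append(f"crypto: hash '{c['hash']}' is banned by policy")
    return findings


def check_capacity(design, policy):
    """Licensed sessions must cover expected peak usage plus growth headroom."""
    s = design["sessions"]
    headroom = 1 - s["expected_peak"] / s["licensed"]
    if headroom < policy["min_headroom"]:
        return [f"capacity: only {headroom:.0%} session headroom, policy requires {policy['min_headroom']:.0%}"]
    return []


def validate(design, policy):
    """Run every check; an empty list means the design is ready to install."""
    return (check_placement(design, policy) + check_addressing(design)
            + check_crypto(design, policy) + check_capacity(design, policy))


def weakened_design():
    """A deliberately flawed copy of DESIGN, used to show what findings look like."""
    bad = copy.deepcopy(DESIGN)
    bad["vpn_server"]["zone"] = "inside"          # concentrator on the corporate LAN
    bad["client_pool"] = "10.0.5.0/24"            # collides with a corporate LAN
    bad["crypto"].update({"ike_dh_group": 2, "cipher": "3des"})
    bad["sessions"]["licensed"] = 320             # almost no room for growth
    return bad


if __name__ == "__main__":
    for label, d in (("baseline", DESIGN), ("weakened", weakened_design())):
        findings = validate(d, POLICY)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The findings list doubles as the first page of the test script: each entry names a concrete design element and the policy it fails, so the same checks can be re-run against the as-built configuration during the pilot and again at turn-over to production.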
Finally, you will want to develop the integration plan. This consists of two distinct entities. One is the resources and time frames required to deploy the solution, and the other is the tasks that will be executed during deployment (install, configure, test, and turn-over to production). If you plan ahead around these key areas, you will have no surprises when deploying the solution, and you will also be able to turn over to production with very little hand-holding of end users and support staff.
About the author:
Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has more than 10 years of experience providing strategic, business and technical consulting services. Robbie lives in Atlanta and is a graduate of Clemson University. His background includes positions as a principal architect at International Network Services, Lucent, Frontway and Callisma.