Professional Documents
Culture Documents
Checklist_ Implementing a Site-to-Site Connection Design
Checklist_ Implementing a Site-to-Site Connection Design
To connect remote networks by using a VPN site‐to‐site connection, you must identify which design options you need to deploy. If you are connecting existing
networks, some elements that make up the infrastructure may already be in place. For example, each network may have a domain controller or the servers that you
plan to connect may already be joined to the domain. Such tasks are identified in the checklist as optional.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure
so that you can proceed with the remaining tasks in this checklist.
Checklist:
Task Reference
Review key concepts and design considerations for a VPN site‐to‐site connection. Virtual Private Networking
﴾Optional﴿ Deploy a domain controller for the branch office site. Deploy Active Directory
﴾Optional﴿ Use certificates to enable and manage user‐ and computer‐level authentication. Deploy a Certificate Infrastructure
﴾Optional﴿ Deploy an NPS server if you plan to use the same server to authenticate users and the Deploy an NPS Server for RADIUS Authentication
routers that initiate and answer connection requests.
Configure the WAN interface through which the connection is made to each remote site. Configure the WAN Adapter
Configure the intranet interface that connects each demand‐dial router to its respective private Configure the Intranet Connection
network.
﴾Optional﴿ Join the calling and answering routers to the Active Directory domain. Join the Router to the Domain
﴾Optional﴿ Place the calling and answering routers in a perimeter network at their respective Place the Router in Your Perimeter Network
sites.
﴾Optional﴿ If you plan to use L2TP/IPsec authentication, install a computer certificate on the Install Computer Certificates for L2TP/IPsec
router at each end of the VPN tunnel.
﴾Optional﴿ If you plan to use EAP‐TLS for user authentication, install computer and user Install Computer and User Certificates for EAP‐TLS
certificates on the routers at each end of the VPN tunnel.
Enable the routing and remote access service and configure the demand‐dial interface for each Configure the Routing and Remote Access Service
remote site connection. and Demand‐Dial Interfaces
On each router, create a user account whose name exactly matches the demand‐dial interface of Create User Accounts for the Site‐to‐Site Connection
the remote router.
Specify a set of conditions that the calling router must meet before its connection request is Configure a Network Policy
authorized by the answering router.
Configure the connection to be always available ﴾persistent﴿, or specify a period of time that the Configure a Persistent Connection or a Disconnect
connection can remain idle before it is disconnected. Interval
Create static routes on the router at each end of the VPN tunnel to provide access to locations Configure Static Routes
on its respective private network.
https://technet.microsoft.com/enus/library/ff687867(v=ws.10).aspx 1/2
۲۰۱٥/٦/٦ Checklist: Implementing a SitetoSite Connection Design
﴾Optional﴿ Configure RIP on the router interfaces. Configure RIP
﴾Optional﴿ Enable users to access the Internet through the calling router at their location. Configure Internet Access Through the Calling
Router
﴾Optional﴿ Configure the router at each end of the VPN tunnel to support IP multicast Configure IP Multicasting
applications.
Choose different providers for authentication and accounting. Configure the Authentication Provider
Change the authentication method on the answering router. Configure Authentication Methods
Customize the default port settings. Configure Ports in Routing and Remote Access
Specify when the calling router can initiate a connection and when the answering router can Configure Dial‐out or Dial‐in Hours
accept a connection.
﴾Optional﴿ Configure filters that allow only specific types of traffic to cross the VPN tunnel, and Configure IP Packet Filters and Demand‐Dial Filters
specify which types of traffic can initiate a site‐to‐site connection.
Confirm that each router has permission to initiate an on‐demand connection, and then initiate Initiate the Connection
a connection from the calling router.
﴾Optional﴿ Configure and verify Active Directory replication between the branch office network Configure Replication for Active Directory
and the corporate network.
Verify that the connection works in each direction as expected. Test Site‐to‐Site Connectivity
Community Additions
© 2015 Microsoft
https://technet.microsoft.com/enus/library/ff687867(v=ws.10).aspx 2/2