
۲۰۱٥/٦/٦ Checklist: Implementing a Site-to-Site Connection Design

Checklist: Implementing a Site‐to‐Site Connection Design



Published: April 30, 2010

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

To connect remote networks by using a VPN site‐to‐site connection, you must identify which design options you need to deploy. If you are connecting existing
networks, some elements that make up the infrastructure may already be in place. For example, each network may have a domain controller or the servers that you
plan to connect may already be joined to the domain. Such tasks are identified in the checklist as optional.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure
so that you can proceed with the remaining tasks in this checklist.

Checklist:

Implementing a VPN Site‐to‐Site Connection Design

| Task | Reference |
| --- | --- |
| Review key concepts and design considerations for a VPN site-to-site connection. | Virtual Private Networking; Connecting Remote Sites Design in the Routing and Remote Access Services Design Guide |
| (Optional) Deploy a domain controller for the branch office site. | Deploy Active Directory |
| (Optional) Use certificates to enable and manage user- and computer-level authentication. | Deploy a Certificate Infrastructure |
| (Optional) Deploy an NPS server if you plan to use the same server to authenticate users and the routers that initiate and answer connection requests. | Deploy an NPS Server for RADIUS Authentication |
| Configure the WAN interface through which the connection is made to each remote site. | Configure the WAN Adapter |
| Configure the intranet interface that connects each demand-dial router to its respective private network. | Configure the Intranet Connection |
| (Optional) Join the calling and answering routers to the Active Directory domain. | Join the Router to the Domain |
| (Optional) Place the calling and answering routers in a perimeter network at their respective sites. | Place the Router in Your Perimeter Network |
| (Optional) If you plan to use L2TP/IPsec authentication, install a computer certificate on the router at each end of the VPN tunnel. | Install Computer Certificates for L2TP/IPsec |
| (Optional) If you plan to use EAP-TLS for user authentication, install computer and user certificates on the routers at each end of the VPN tunnel. | Install Computer and User Certificates for EAP-TLS |
| Enable the routing and remote access service and configure the demand-dial interface for each remote site connection. | Configure the Routing and Remote Access Service and Demand-Dial Interfaces |
| On each router, create a user account whose name exactly matches the demand-dial interface of the remote router. | Create User Accounts for the Site-to-Site Connection |
| Specify a set of conditions that the calling router must meet before its connection request is authorized by the answering router. | Configure a Network Policy |
| Configure the connection to be always available (persistent), or specify a period of time that the connection can remain idle before it is disconnected. | Configure a Persistent Connection or a Disconnect Interval |
| Create static routes on the router at each end of the VPN tunnel to provide access to locations on its respective private network. | Configure Static Routes |
| (Optional) Configure RIP on the router interfaces. | Configure RIP |
| (Optional) Enable users to access the Internet through the calling router at their location. | Configure Internet Access Through the Calling Router |
| (Optional) Configure the router at each end of the VPN tunnel to support IP multicast applications. | Configure IP Multicasting |
| Choose different providers for authentication and accounting. | Configure the Authentication Provider |
| Change the authentication method on the answering router. | Configure Authentication Methods |
| Customize the default port settings. | Configure Ports in Routing and Remote Access |
| Specify when the calling router can initiate a connection and when the answering router can accept a connection. | Configure Dial-out or Dial-in Hours |
| (Optional) Configure filters that allow only specific types of traffic to cross the VPN tunnel, and specify which types of traffic can initiate a site-to-site connection. | Configure IP Packet Filters and Demand-Dial Filters |
| Confirm that each router has permission to initiate an on-demand connection, and then initiate a connection from the calling router. | Initiate the Connection |
| (Optional) Configure and verify Active Directory replication between the branch office network and the corporate network. | Configure Replication for Active Directory |
| Verify that the connection works in each direction as expected. | Test Site-to-Site Connectivity |


https://technet.microsoft.com/en-us/library/ff687867(v=ws.10).aspx
