A virtual private network (VPN) allows you to connect components to a network via another network, such as the Internet. You can make a server-based computer a remote-access server so that other users can connect to it by using a VPN and then access shared files on its local drives or on your network. Virtual private networks accomplish this by "tunnelling" through the Internet or another public network in a manner that provides the same security and features as a private network. With a VPN, connections across the public network transfer data using the routing infrastructure of the Internet, but to the user it appears as though the data were being sent over a dedicated private link.
A virtual private network (VPN) is a means of connecting to a private network (such as your office network) by way of a public network, such as the Internet. This combines the virtues of a dial-up connection to a dial-up server with the ease and flexibility of an Internet connection. By using an Internet connection, you can travel world-wide and still, in most places, connect to your office with a local call to the nearest Internet access phone number. If you have a high-speed Internet connection (such as cable or DSL) at your computer (and at your office), you can communicate with your office at full Internet speed, which is much faster than any dial-up connection using an analog modem.
A traditional network consists of two computers that must communicate with each other. The two computers are connected by a physical medium, such as an Ethernet connection. A VPN works on the same principle. It consists of two computers that must communicate and a medium. However, unlike with traditional networks, this medium isn't dedicated to the network in question. Often the medium is the Internet. Because both computers are connected to the Internet, it's possible to establish a route through the Internet between the two computers. In the case of a VPN, this route is called a tunnel.
VPNs use authenticated links to ensure that only authorised users can connect to your network, and they use encryption to ensure that data that travels over the Internet can't be intercepted and used by others. Windows achieves this security using Point-to-Point Tunnelling Protocol (PPTP) or Layer Two Tunnelling Protocol (L2TP).
VPN technology also allows a corporation to connect to its branch offices or to other companies over a public network (such as the Internet) while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.
A VPN in a Windows 98, 2000 or XP environment consists of a VPN server, a VPN client, a VPN connection (the portion of the connection in which the data is encrypted), and the tunnel (the portion of the connection in which the data is encapsulated). The tunnelling is done through one of the two tunnelling protocols included with Windows 98, 2000 or XP, both of which are installed with Routing and Remote Access.
The two tunnelling protocols included with Windows are Point-to-Point Tunnelling Protocol (PPTP) and Layer Two Tunnelling Protocol (L2TP).
In addition to software VPNs, hardware VPNs are available.
VPN Termination
Where should the VPN terminate? There are two schools of thought.
Terminating the VPN in a separate DMZ has the benefit of further limiting remote clients to a small subset of your network. However, it could introduce other problems. For instance, do those same (or other) users also need to reach the resources placed in the DMZ from a fixed client directly connected to your internal network? If so, those clients may also need a VPN client to reach those resources. It may very well be more trouble than it's worth.
If you can ensure that all VPN clients are properly authenticated, I would recommend terminating the VPN inside the firewall, making the remote client look as though it is connected directly inside the firewall. This will probably have the least impact on your applications.