Windows Server 2008 R2 as VPN Server
I'm going to be setting up a network at a data center and I was wondering if it's possible to have Windows Server 2008 R2 act as a VPN server.
Also, I've heard there are 3 main types of VPN: PPTP, L2TP/IPSec and SSTP. After some investigation it looks like to allow native (OS level) support for Mac OS X, Linux and Windows I would use PPTP or L2TP/IPSec. I also read that L2TP is more secure than PPTP. Is this true?
Lastly, is it a good idea to install the VPN server on the primary domain controller (PDC)? If not, why not?
Solution 1:
PPTP is the 'least' secure of the bunch; but it's still secure enough for all but FIPS-140 data when you use the EAP-* auth protocols. MS-CHAPv2 is also very secure. But it relies on passwords, which is almost always the weak point (that and social engineering, which is amazingly effective).
L2TP is more secure, and you should deploy it with certificates, not a PSK. This requires a PKI, which isn't too hard to set up. It's more secure than PPTP, but only on account of requiring the certificate or PSK.
SSTP is basically as secure as L2TP; it uses certificates again, so you still need a PKI. Its main advantage is that it works with cheap firewalls (or tightly configured ones) that block GRE and UDP traffic (for PPTP and L2TP respectively).
It's best practice to only have AD installed by itself (or with DNS) on a server, but people frequently install other services without significant problems. Bear in mind that if this Internet-connected server is compromised, your AD DB is automatically compromised too.
Solution 2:
It's a trade-off between security, interoperability and setup overhead.
PPTP is probably the most interoperable and works well over things like NAT, if you can set up GRE packet forwarding and port forward TCP 1723. As long as you're using MSCHAPv2 (which you could be on Windows Server 2008) then it's probably OK.
L2TP requires the PKI setup, and there are some extra steps you need to do if your VPN server is on a NAT'd network.
SSTP is the new kid on the block and probably somewhere in between for setup overhead/interop. If you're looking at future-proofing, then this is the way to go. I don't know if there is any working support for Mac OS, though.
Using AD as a VPN server is probably not best practice, but in a SOHO environment the VPN server usually is the DC (think SBS).
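Both answers turn on which traffic each protocol needs let through (TCP 1723 plus GRE for PPTP, UDP plus ESP for L2TP/IPsec, only TCP 443 for SSTP). The batch script below is an added example, not code from either poster; it assumes the RRAS host runs Windows Firewall with Advanced Security and that you enable exactly one protocol, so the server exposes nothing beyond what that protocol requires.

```cmd
@echo off
rem Added example (not from the original answers): inbound Windows Firewall
rem rules for the three VPN protocols discussed in the thread. Run once, as
rem Administrator, on the Windows Server 2008 R2 RRAS host, passing exactly
rem one protocol name.
rem Usage: vpn-firewall.cmd PPTP | L2TP | SSTP

if "%~1"=="" goto usage
if /i "%~1"=="PPTP" goto pptp
if /i "%~1"=="L2TP" goto l2tp
if /i "%~1"=="SSTP" goto sstp
goto usage

:pptp
rem PPTP: control channel on TCP 1723 plus GRE (IP protocol 47) for the tunnel.
rem GRE carries no port numbers, so any NAT device or filtering firewall in
rem front of the server must forward protocol 47 explicitly (Solution 2).
netsh advfirewall firewall add rule name="VPN PPTP control (TCP 1723)" dir=in action=allow protocol=TCP localport=1723
netsh advfirewall firewall add rule name="VPN PPTP tunnel (GRE)" dir=in action=allow protocol=47
goto done

:l2tp
rem L2TP/IPsec: IKE on UDP 500, NAT traversal on UDP 4500, ESP (IP protocol 50)
rem for the encrypted payload, and UDP 1701 for the L2TP packets that Windows
rem Firewall still filters after IPsec has decrypted them. Certificates vs.
rem PSK is decided in the RRAS/IPsec policy, not here.
netsh advfirewall firewall add rule name="VPN L2TP IKE (UDP 500)" dir=in action=allow protocol=UDP localport=500
netsh advfirewall firewall add rule name="VPN L2TP NAT-T (UDP 4500)" dir=in action=allow protocol=UDP localport=4500
netsh advfirewall firewall add rule name="VPN L2TP ESP" dir=in action=allow protocol=50
netsh advfirewall firewall add rule name="VPN L2TP payload (UDP 1701)" dir=in action=allow protocol=UDP localport=1701
goto done

:sstp
rem SSTP: tunnelled inside HTTPS on TCP 443, which is why it passes firewalls
rem that block GRE and UDP (Solution 1). The server certificate bound to 443
rem must match the hostname clients dial.
netsh advfirewall firewall add rule name="VPN SSTP (TCP 443)" dir=in action=allow protocol=TCP localport=443
goto done

:usage
echo Usage: %~nx0 PPTP ^| L2TP ^| SSTP
exit /b 1

:done
echo Inbound firewall rules for %~1 added.
exit /b 0
```

Listing the result with `netsh advfirewall firewall show rule name=all | findstr "VPN"` confirms that only the rules for the protocol you chose exist.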