Windows Server 2008 R2 as VPN Server

networking, remote-access, vpn, windows-server-2008, windows-server-2008-r2

I'm going to be setting up a network at a data center and I was wondering if it's possible to have Windows Server 2008 R2 act as a VPN server.

Also, I've heard there are 3 main types of VPN: PPTP, L2TP/IPSec and SSTP. After some investigation it looks like, to allow native (OS-level) support for Mac OS X, Linux and Windows, I would use PPTP or L2TP/IPSec. I also read that L2TP is more secure than PPTP; is this true?

Lastly, is it a good idea to install the VPN server on the primary domain controller (PDC), if not, why?

Best Answer

PPTP is the 'least' secure of the bunch; but it's still secure enough for all but FIPS-140 data when you use the EAP-* auth protocols. MS-CHAPv2 is also very secure. But it relies on passwords, which is almost always the weak point (that and social engineering, which is amazingly effective).

L2TP is more secure, and you should deploy it with certificates, not a PSK. This requires a PKI, which isn't too hard to set up. It's more secure than PPTP, but only on account of requiring the certificate or PSK.

SSTP is basically as secure as L2TP; it uses certificates again, so you still need a PKI. Its main advantage is that it works with cheap firewalls (or tightly configured ones) that block GRE and UDP traffic (for PPTP and L2TP respectively).

It's best practice to only have AD installed by itself (or with DNS) on a server; but people frequently install other services without significant problems. Bear in mind if this Internet connected server is compromised your AD DB is automatically compromised too.
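The following read-only audit script is an added example, not part of the question or the answer above and not Microsoft's own tooling. It checks on a Windows Server 2008 R2 host the three points the answer raises: whether RRAS shares a box with Active Directory, which tunnel types appear to be exposed (judged by the default listening ports, which is an assumption), and which authentication types RRAS has enabled. The function name `Get-VpnAudit` and the finding texts are the example's own.

```powershell
# Added example (not from the original post): audit a 2008 R2 VPN server
# against the placement and protocol points discussed in the answer.
# Assumptions: RRAS runs as the "RemoteAccess" service and the default
# port numbers are in use (TCP 1723 PPTP, UDP 500/4500 IPsec, TCP 443 SSTP).
function Get-VpnAudit {
    $findings = @()

    # 1. Is this host a domain controller? Win32_ComputerSystem.DomainRole:
    #    4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDC = ($role -eq 4 -or $role -eq 5)

    # 2. Is the Routing and Remote Access service present and running?
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if ($rras -eq $null) {
        $findings += "RRAS service not installed; no VPN endpoint to audit on this host."
        return $findings
    }
    if ($rras.Status -ne 'Running') {
        $findings += "RRAS service is installed but not running."
    }
    if ($isDC) {
        $findings += "RRAS is installed on a domain controller (DomainRole=$role): a compromise of the Internet-facing VPN endpoint exposes the AD database directly."
    }

    # 3. Which tunnel types look exposed? Enumerate local listeners through
    #    .NET, since 2008 R2 has no Get-NetTCPConnection cmdlet.
    $ipProps  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $tcpPorts = $ipProps.GetActiveTcpListeners() | ForEach-Object { $_.Port }
    $udpPorts = $ipProps.GetActiveUdpListeners() | ForEach-Object { $_.Port }

    # PPTP control channel is TCP 1723; its data path is GRE (IP protocol 47),
    # which is why GRE-blocking firewalls break PPTP.
    if ($tcpPorts -contains 1723) {
        $findings += "PPTP is listening on TCP 1723: with MS-CHAPv2 the security rests on account passwords unless EAP with certificates is enforced."
    }
    # IKE (UDP 500) and NAT-T (UDP 4500) carry L2TP/IPsec. Note that the IKEEXT
    # service listens here even without RRAS, so this is only an indicator.
    if (($udpPorts -contains 500) -and ($udpPorts -contains 4500)) {
        $findings += "IPsec (UDP 500/4500) is listening: confirm L2TP uses machine certificates rather than a pre-shared key."
    }
    # SSTP rides HTTPS on TCP 443 and needs a server certificate clients trust.
    if ($tcpPorts -contains 443) {
        $findings += "TCP 443 is listening: if SSTP is enabled, verify the server certificate chains to a CA the clients trust."
    }

    # 4. Authentication types enabled in RRAS, as reported by netsh (raw text).
    $authTypes = (netsh ras show authtype) -join "`n"
    $findings += "RRAS authentication types reported by netsh:`n$authTypes"

    return $findings
}

# Usage: run in an elevated PowerShell session on the VPN server.
Get-VpnAudit | ForEach-Object { Write-Output $_ }
```

The script changes nothing on the host; it only reads WMI, service state, socket listeners and the `netsh ras` configuration, so it is safe to run as part of a routine review. Treat the port-based findings as prompts for a manual check of the RRAS console rather than as proof of which tunnel types are in service.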