[00:00:00] The Windows Server and Windows VPN client support a number of VPN protocols, so administrators have to understand these protocols in order to select the best protocol available for them. In Windows Server, the most common protocol, or the most popular one, is Internet Key Exchange version 2, or IKEv2. On Windows Servers specifically, SSTP is supported; that's the Secure Socket Tunneling Protocol. Windows Server and Windows client also support two additional protocols, L2TP, or Layer 2 Tunneling Protocol, as well as Point-to-Point Tunneling Protocol, and we'll talk about each of these in detail. IKEv2 is an open standard protocol, and it uses IPsec for providing security, privacy, and protection. IKEv2 uses UDP ports 500 and 4500 and, as you can guess, has some operational limitations. Not all firewalls allow outbound UDP 500 and 4500 and, in fact, oftentimes those ports are proactively blocked because they're known VPN transport ports. Also, IKEv2 has a number of performance issues associated with it due to some operational challenges and limitations with Windows, so you might find that the performance lacks when using IKEv2.
[00:01:15] SSTP is another protocol supported by Windows, and it is a Microsoft proprietary protocol, so you can only take advantage of this protocol if you're using a Windows Server infrastructure. SSTP uses TLS for protection instead of IPsec and, as such, uses the standard HTTPS port of TCP port 443. This makes SSTP very firewall friendly and really the best choice for user-based connections. And, in addition, it offers the best performance. Two additional protocols, L2TP and PPTP, are supported in Windows Server and Windows client. L2TP has been deprecated in favor of IKEv2. L2TP doesn't provide a lot of real advantages; if you need to use L2TP, you can likely just use IKEv2 instead. PPTP, of course, has been deprecated as insecure. No one should be using PPTP anymore. There are tools available on the internet that would allow an attacker to easily break this communication. It is as secure as the Wi-Fi Wired Equivalency Protocol, WEP. So no one's using WEP anymore, and no one should be using PPTP as well. So the question invariably comes up: which protocol should I use? Should I use IKEv2, or should I use SSTP? And the answer is, it depends.
[00:02:38] So for IKEv2, you're going to have to use IKEv2 if you're using a device tunnel connection. The device tunnel for Windows Always On VPN requires IKEv2; it does not support SSTP, so you must use IKEv2 for the device tunnel. Also, you will use IKEv2 if you're using non-Microsoft VPN devices. So if you're using Cisco, Check Point, Palo Alto, what have you, the protocol of choice there will be IKEv2 for the interoperability capabilities. IKEv2 should also be used when the highest level of security is required. To make that clear, IKEv2 is a secure protocol, as is SSTP, but the options to tweak or tune IKEv2 to a very high level of security are greater than SSTP, so you would use IKEv2 when the highest level of security was required. SSTP is best for the user tunnel, and again, this is because it runs on TLS and uses TCP port 443, so it's ubiquitously available and provides the best user experience. SSTP, again, is available to you if you're using the Windows Server infrastructure, whether that's RRAS or the Azure VPN gateway, and remember, SSTP does provide very good security. The security level of SSTP is probably satisfactory for 99% of the deployments there are in the world.
[00:04:03] If you have nation state adversaries, probably IKEv2 is going to be your best bet, but SSTP is still a very, very good and very secure transport.