For most IT managers, there are two network worlds: the safe, secure, firewalled company network where everything important lives, and the internet. Getting remote employees access to their corporate applications securely necessitates using the internet — where malware and hackers are waiting for an opportunity to steal or destroy the company’s digital assets.

Denying employees remote access to corporate applications isn’t a sustainable approach anymore. Mobile and at-home work environments are critical to today’s businesses. One popular solution is a virtual private network (VPN), which uses digital tunnels to armor and protect sensitive company traffic as it crosses untrusted networks. VPNs deliver three main benefits:

  • Authentication: Users are authenticated when the VPN tunnel is established, ensuring that only authorized users can get in.
  • Privacy: All the data that passes through a VPN tunnel is encrypted and integrity-checked, so no one can eavesdrop on or change what’s going through the tunnel.
  • Access control: As VPN traffic leaves the tunnel and enters your network, you have complete control, so you can restrict VPN users to specific applications or parts of the network.

IT managers within organizations who haven’t yet set up a VPN can get from zero to connected in five simple steps:

1. Figure out if you really need a VPN

A VPN isn’t the only answer to remote business security questions. VPNs are nearly ubiquitous in large organizations, but SMB IT managers may not need to go that far. If, like many SMBs, you’ve moved your main applications to the cloud (through Microsoft 365 or Google Workspace, for example), you may not need a VPN, because your main applications are no longer in your own data center.

When your main applications are in the cloud, a VPN may only be necessary for IT team members. In that case, it may be simpler for IT to use tools such as GotoMyPC, TeamViewer or AnyDesk rather than set up a full-fledged VPN for only a handful of users.

Assuming you’re still on the VPN train, you can move on to Step 2.

2. Decide how to bring the VPN into your network

VPN tunnels run from the end user’s laptop or mobile device to a gateway connected to your network. That gateway is usually called a VPN concentrator. Some products are available as software-only or virtual machines, but the best solution for most SMB IT managers is hardware.

But you may not need to buy anything new. All modern firewalls can also act as VPN concentrators. If you only have a few users and your network is fairly simple, making your firewall perform double-duty as a VPN concentrator speeds up the job tremendously. All you have to do is turn on a feature. As you decide between a dedicated VPN concentrator and reusing your firewall, consider these six factors:

  1. Routing: VPNs add another virtual segment to your network, which means adding additional internet protocol (IP) addresses and modifying every router in your network. Since the firewall is usually the main gateway for SMB networks, using an existing firewall makes routing simpler, while a dedicated VPN concentrator adds some complexity.
  2. Capacity: VPNs require additional central processing unit (CPU) resources for encryption and tunnel handling. If your existing firewall is overpowered and underutilized, adding the VPN function won’t be an issue. But if you’re expecting a large number of users or your firewall is nearing its limit, then it will be more efficient to shift that burden to a dedicated VPN concentrator.
  3. Cost: Obviously, a VPN concentrator isn’t free, but your firewall’s VPN functions aren’t necessarily free either. Firewalls can act as VPN concentrators, but you may only have a few licenses included with your existing product. If you’d need to buy new licenses for your firewall, the choice isn’t a slam dunk. Make sure you look at the numbers.
  4. Complexity: VPN configuration and firewall configuration naturally go together. Both are security solutions, and both define access controls. However, if your firewall has a complex configuration with a large security policy, plus network address translation (NAT) definitions and unified threat management (UTM) features, it may be less complex to keep your VPN and firewall on separate devices to prevent cross-traffic.
  5. Upgrades: Firewalls have faster upgrade cycles and get replaced more frequently than VPN concentrators. For example, if you upgrade your internet connection, you may need to upgrade your firewall so it can keep up. Every time you make changes to your firewall, there will be a learning curve and some downtime. VPN concentrators don’t need to be upgraded as frequently because once they’re installed, they’ll hum along pretty smoothly for five or even 10 years. Sometimes it’s more efficient to keep your VPN concentrator in a separate device just to simplify the job of swapping firewalls.
  6. Compatibility: A huge difference between firewalls and VPNs is the client-side software. A firewall has no client — it runs by itself, and there aren’t any compatibility issues as you add new devices to the network or upgrade operating systems (OSs). The VPN concentrator talks to client software, so every time Microsoft, Google or Apple starts changing things, your VPN vendor has to be on top of it. Security companies that focus on VPNs will give you better support and compatibility than network companies that may be using a third-party client or don’t prioritize keeping things up to date on the client side.

Even if you decide to use a dedicated VPN concentrator, you don’t necessarily have to learn a new device. You can select the same vendor for both VPN and firewall and just get a second appliance. In fact, it’s common for SMB IT managers to repurpose an existing firewall for VPN services when they upgrade to a newer, faster firewall.


Once you’ve decided whether to use your existing firewall or add a dedicated device for VPNs (top vendors include Cisco, Pulse Secure, Check Point, Juniper, Fortinet and Palo Alto Networks), the installation is straightforward. In SMB environments, the simplest approach is to install the VPN concentrator between the internet and your network, essentially bridging the firewall. One leg (the network interface) will be on the outside, toward the internet service provider (ISP) with a static address assigned. The other leg will be on the inside, usually on the same subnet as the firewall, with NAT used to simplify the routing.

However, there are variations, depending on the complexity of your network, the number of users, your tolerance for NAT and how you have things configured. For example, you may want the traffic from the VPN concentrator to pass back through the firewall before it gets to the internal network — so you can configure all your security policies on a single device. There’s no right answer here. Pick a topology that meets your security and network requirements.

3. Tie down authentication

Each user connecting to your VPN has to be authenticated. For super-small VPNs with only a few users, you might consider keeping the login database on the VPN concentrator itself. A better approach for most IT managers is to use an existing Microsoft Active Directory (AD) service. Microsoft AD is a reliable and secure way to authenticate users, and it’s a very popular product for SMBs.

VPN concentrators will talk to AD using either RADIUS, via Microsoft’s free Network Policy Server (NPS) service, which can be enabled on any Windows server, or Lightweight Directory Access Protocol (LDAP), which connects directly to AD domain controllers. LDAP is usually simpler and faster to configure, if your VPN concentrator supports it. If LDAP isn’t an option for the product you’ve selected, then RADIUS is the typical backup. Your VPN vendor will be able to provide a step-by-step guide on how to link their product with AD, whether you’re using LDAP or Microsoft’s built-in RADIUS server.

So far, so good, but Microsoft AD by itself isn’t enough. IT managers should only be deploying VPNs if they have some type of two-factor authentication (2FA). In today’s internet, credential theft is a prominent threat, usually through phishing or malware. Multifactor authentication, or 2FA, is a minimum security measure you should implement before rolling out the VPN to nontechnical users — and it’s not a bad idea for technical users either, especially anyone with administrator rights to networks and servers.

How you approach 2FA is up to you and will also depend on how far you’ve already gone down this path. If you already have a 2FA setup, you’ll want to ensure all VPN users also use the same 2FA.

If you haven’t set up 2FA yet, one option is to set up a dedicated 2FA for your VPN. Some VPN vendors, especially those focused on SMB networks, offer 2FA as an add-on service. Alternatively, your VPN may be the push you were looking for to deploy 2FA across your entire network. IT managers who haven’t looked at 2FA recently will be surprised at the alternatives available to SMBs; it’s not all expensive RSA SecurID and OneSpan (Vasco) DigiPass nowadays. Hardware 2FA such as YubiKey and software-based 2FA products such as OpenOTP are both easy to configure and inexpensive to deploy.

With a concentrator installed and authentication running, the next step is authorization.

4. Configure authorization and access controls

Authorization is different from authentication. Authentication involves identifying each user and checking their password, while authorization involves deciding which authenticated users are allowed to use the VPN and what resources they have access to.

Authorization matters because you don’t want to treat every user on the VPN the same way. First, not every AD user will necessarily be a VPN user — that’s something that should be configured only for users who need the service. But even with that distinction, you’ll still want to differentiate between types of users, even in an SMB environment.

For example, most VPN users should only have access to the end-user apps and servers that make sense for them. Be especially careful when letting a third party into your VPN. If necessary, set them up with specific rules and groups. Remember Target’s data breach in 2013? Not tying down VPN authorizations properly cost the company nearly $300 million.

If you have linked your VPN to AD, then you’ll want to use AD groups for authorization. Whether they’re new or existing, each AD group should map to a different set of access control permissions through the VPN. You don’t have to micromanage access, especially when you’re just getting started. Most SMB IT managers will find that three to five authorization profiles are enough for day one.
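The group-to-profile mapping described in this step, sketched as an added example (not from the article or any VPN product): a user must be in a gate group to use the VPN at all, each AD group maps to one access profile, anything unmatched is denied, and an audit flags third-party profiles that reach too many addresses. All group names, subnets, ports and the `max_hosts` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample policy: group names, subnets and ports are assumptions
# made for this example, not values from the article or any VPN product.
VPN_GATE_GROUP = "VPN-Users"  # membership required to use the VPN at all
PROFILES = {                  # AD group -> list of (subnet, allowed TCP ports)
    "VPN-Staff": [("10.10.20.0/24", {443, 445})],
    "VPN-Finance": [("10.10.20.0/24", {443, 445}), ("10.10.30.0/24", {1433})],
    "VPN-IT-Admin": [("10.10.0.0/16", {22, 443, 3389})],
    "VPN-Vendor-Support": [("10.10.50.15/32", {443})],  # third party: one host
}

def allowed_rules(ad_groups, profiles=PROFILES):
    """Union of rules for the user's groups; empty unless they are a VPN user."""
    groups = set(ad_groups)
    if VPN_GATE_GROUP not in groups:
        return []  # valid AD account, but not authorized for the VPN
    return [(ipaddress.ip_network(cidr), ports)
            for group in sorted(groups.intersection(profiles))
            for cidr, ports in profiles[group]]

def is_permitted(ad_groups, dst_ip, dst_port, profiles=PROFILES):
    """Default deny: allow only if a profile rule covers both address and port."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net and dst_port in ports
               for net, ports in allowed_rules(ad_groups, profiles))

def audit_third_party(profiles=PROFILES, marker="Vendor", max_hosts=4):
    """Return vendor groups whose rules reach more than max_hosts addresses."""
    findings = []
    for group, rules in profiles.items():
        reach = sum(ipaddress.ip_network(c).num_addresses for c, _ in rules)
        if marker in group and reach > max_hosts:
            findings.append((group, reach))
    return findings

if __name__ == "__main__":
    print(is_permitted(["Domain Users"], "10.10.20.5", 443))
    print(is_permitted(["VPN-Users", "VPN-Staff"], "10.10.20.5", 443))
    print(is_permitted(["VPN-Users", "VPN-Vendor-Support"], "10.10.20.5", 443))
    print(audit_third_party())
```

Running the audit whenever a profile changes catches a vendor rule that has quietly grown from a single host to a whole subnet.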

5. Start connecting users

With all that infrastructure installed, now’s the time to start rolling things out to end users. To get started, they’ll need a VPN client.

One option is the built-in client that’s included with most OSs (Android, iOS, Windows and Mac OS X all have some built-in VPN client capabilities). That may sound like a good place to start, but it often isn’t. The included VPN client software only supports some VPN protocols — so it may not even be compatible with the VPN concentrator you just installed. And these built-in clients may not support all your VPN add-ons, such as the ability to control the traffic that goes down the VPN tunnel or using multiple Domain Name System (DNS) servers.

What’s more, the user experience with a built-in client is sometimes a little cryptic. Some users may need to edit files on disk or configure network settings they’ve never used. Nontechnical end users are likely to get very confused very quickly.

A better solution for both the end users and the IT team is to select the third-party VPN client that comes with the hardware or software you’ve chosen for your network. That software will be easy for end users to configure, and it should deliver the added usability features that better integrate the VPN into your network. For mobile devices, it’s as easy as grabbing the client from the relevant application store. For desktop computers and laptops, you’ll need to grab a copy of the client from the VPN vendor’s support site and then distribute it internally. Some VPN servers provide an automatic download of the client when you browse to a portal page, which is worth configuring if you have the option.

SMB IT teams that have desktop management or mobile device management (MDM) tools should, of course, use those tools as the go-to solution for installing the software. If you’re not there yet, add the VPN client to your golden master for desktops and laptops, and create a quick one-pager to help end users install and configure the client so they can get online.

The end result of establishing your VPN is secure accessibility. Your end users will be able to connect to the company network, no matter where they are and no matter what device they’re using — and they won’t compromise company security along the way.


Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.
