Most IT professionals know that Microsoft Windows includes a virtual private network (VPN) client as part of its core networking stack, not just in its Windows operating systems, but in Windows Server as well. This client begins at $199.99 for those who want to access it separately, and it supports all the core features you’d expect in a business VPN client, including the major VPN protocol standards such as point-to-point tunneling protocol (PPTP), layer two tunneling protocol (L2TP), secure socket tunneling protocol (SSTP), and Internet Key Exchange (IKE). Unlike more polished third-party solutions, however, each version of Windows has a client with its own idiosyncrasies. Older versions are limited to older and less-secure protocols, with support gradually improving with every release of the operating system (OS). The Windows 8 VPN client, for example, supports a variety of VPN servers, including F5, Juniper, CheckPoint, SonicWall, and of course, Microsoft’s own VPN Server. Meanwhile, the Windows 10 VPN client lists its supported protocols instead, and includes an Auto setting that worked well when we used it to connect to several routers and firewalls and their VPN servers.
Since the Microsoft VPN Client for Windows is the default client for any Windows system, it’s got a massive footprint across both business and consumer audiences, which means it’s the most likely to be attacked by hackers. Keeping the OS updated and ensuring that recommendations for key lengths and encryption strength are followed should prevent most attacks. Still, while this VPN client can act as a handily available option, choosing a more full-featured client, such as our Editors’ Choice winner NCP Secure Entry Client for Win32/64, means even more client- and server-side deployment and connection options, plus a set of management tools that won’t require quite as much work.
Setup and Configuration
With any version of Windows, installing a VPN connection is similar to setting up any other network connection, such as a new Ethernet adapter. For example, with Windows 8.1, it is accessed through PC Settings > Network > Connections > Add a VPN Connection. With Windows 10, it is accessed through Settings > Network & Internet > VPN. The options, such as the type of protocol you want to use or the type of VPN server to which you want to connect, are supplied through drop-down menus. All the user needs is the pre-shared passphrase or certificate, a network login, and a password for the network. This can be the same username and password used on the internal network or a separate account.
Since the Microsoft VPN Client for Windows is included with Windows, it’s a default client that’s always available. There’s no need to install the client as with the other players in this roundup; you just configure a connection. The settings to configure the client can be saved separately and sent via email or loaded onto a USB key, as can the certificate used for authentication. The only thing the administrator needs to know is the version of Windows to which the client belongs. The downside is that the client only works on Windows and isn’t available for Apple iOS or OS X, Google Android, Linux, or any other OS.
Both the configuration of the VPN client and a certificate or pre-shared key can be set up in advance and emailed or sent via the aforementioned USB key or some other physical device. Installation and configuration can be done through Microsoft System Center Configuration Manager (SCCM), through Active Directory’s Group Policy, or other Microsoft management tools, too. If you want to explore your options here, it’s best to search TechNet, Microsoft’s IT professional knowledge base, keeping in mind not just that you’re looking for the VPN client but that you’re looking for specific versions of Windows, too. Generating certificates should be done through a certificate authority, as self-signed certificates will work but will generate error messages every time they are used.
A pre-shared key doesn’t require the same kind of outside authentication as a certificate and may be simpler for most users. But it doesn’t provide the same degree of security that a certificate does. For example, there’s no way to revoke a pre-shared key other than manually changing the key from the VPN server. With certificates, a certificate used on multiple clients can be revoked through the certificate authority.
Deploying and managing Microsoft VPN Client for Windows, including its configuration and keys/certificate options, is easy if you do it through SCCM. And for an organization that exclusively runs Microsoft products, that represents a fairly complete solution. Also, because SCCM is an enterprise-oriented management tool with decent cross-platform support, organizations that use Apple iOS or OS X, Android phones or tablets, or other types of OSes may well be able to use SCCM to deploy and manage VPN clients on those devices, too. However, they will need to select a different client and learn the ins and outs of managing it through SCCM. For organizations that don’t have SCCM, management becomes a bit bleak. Those customers should test their mobile device management (MDM) tools as well as their infrastructure management tools to ensure they have an effective solution with the Microsoft VPN. If that doesn’t happen, it’s probably best to look for a more all-inclusive, third-party VPN platform, such as NCP Secure Entry Client for Win32/64 or TheGreenBow IPSec VPN Client.
The Microsoft VPN Client for Windows’ auto-configuration feature worked well with both our test routers, finding a working configuration within a couple of minutes without the need for manual intervention. Admins who want to create a script to ensure that all of the settings are exactly what they should be can do that by using a .pcf configuration file or a Microsoft PowerShell script to set up the client connection.
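One way to script the client so that every setting is stated explicitly rather than left to Auto, followed by a check for profiles that have drifted to weaker settings. This is an added example, not code from the review or from Microsoft; it uses the built-in VpnClient cmdlets (Windows 8.1 and later), and the connection name, gateway address and algorithm choices are assumptions that must match what the VPN server offers.

```powershell
# Added example: pin every setting of a Windows VPN profile, then audit for drift.
# Constructed values (not from the article): connection name and gateway address.
$Name   = 'Corp-VPN'           # hypothetical connection name
$Server = 'vpn.example.com'    # placeholder gateway FQDN

# Create the profile only if it is missing, so the script is safe to re-run.
$existing = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required `
        -AllUserConnection -Force
}

# Replace the default IPsec proposal with explicit algorithms and key sizes.
# Assumption: the gateway is configured to offer the same proposal.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Audit every machine-wide profile and report settings weaker than the baseline.
$findings = foreach ($c in Get-VpnConnection -AllUserConnection) {
    $issues = @()
    if ($c.TunnelType -eq 'Pptp')      { $issues += 'PPTP tunnel' }
    if ($c.TunnelType -eq 'Automatic') { $issues += 'tunnel type not pinned' }
    if ($c.TunnelType -eq 'L2tp' -and $c.L2tpIPsecAuth -eq 'Psk') {
        $issues += 'L2TP with pre-shared key (cannot be revoked per client)'
    }
    if ($c.EncryptionLevel -in 'NoEncryption', 'Optional') {
        $issues += "encryption level $($c.EncryptionLevel)"
    }
    if ($issues) {
        [pscustomobject]@{ Name = $c.Name; Issues = $issues -join '; ' }
    }
}
$findings | Format-Table -AutoSize
```

Run it from an elevated prompt, since `-AllUserConnection` works on the machine-wide profiles rather than the current user's.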
All this sounds fairly solid, but even in Windows 10, the Microsoft VPN Client for Windows is basic, without the extensive feature set offered by TheGreenBow IPSec VPN Client or the broad OS support offered by OpenVPN 2.4.3. It will, however, connect to most VPN servers, except the ones that require a proprietary client. And as with the other clients we tested, performance was limited only by the speed of the WAN connection. CPU overhead and memory usage were low.
How We Tested
As with the other products tested in this roundup, a test network was connected to another test network through a Shunra Wide Area Network (WAN) simulator, and two routers (a Linksys and a NetGear), both with VPN functionality, were used to connect the two test networks. The WAN simulator was set to 1.5Mbps, 10Mbps, 60Mbps, and 100Mbps speeds. As with the other products tested, the effective data transfer rate for the VPN connection was over 90 percent of the simulated WAN connection’s speed.
In Windows-only shops, the Microsoft VPN Client for Windows is an always-available option and, with SCCM or other Microsoft-centric deployment and configuration management tools, one that is simple to deploy and manage. Manual deployment through the policy engine or PowerShell scripts is a nice option for experienced Microsoft admins. However, the lack of corresponding clients for any other OS rules it out as a single-source solution in heterogeneous networks. Additionally, other products offer a simpler and less-expensive deployment and management model in environments where SCCM is not already deployed. Still, for Windows-only environments, it’s a no-brainer.