Remote Access Data Encryption

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

You can use data encryption to protect the data that is sent between the remote access client and the remote access server. Data encryption is important for anyone who wants or needs secure data transfer, including financial institutions, law-enforcement and government agencies, and corporations.

Use data encryption when there is a risk of unauthorized interception of transmissions on the communications link between the remote access client and the remote access server. For dial-up networking connections, Routing and Remote Access uses Microsoft Point-to-Point Encryption (MPPE).

For virtual private networking connections, you can protect your data by encrypting it between the ends of the virtual private network (VPN). You should always use data encryption for VPN connections when private data is sent across a public network such as the Internet, where there is always a risk of unauthorized interception. For VPN connections, Routing and Remote Access uses MPPE with the Point-to-Point Tunneling Protocol (PPTP) and Secure Socket Tunneling Protocol (SSTP), and uses Internet Protocol security (IPsec) encryption with the Layer Two Tunneling Protocol (L2TP).

Because data encryption is performed between the VPN client and VPN server, it is not necessary to use data encryption on the communication link between a dial-up client and its Internet service provider (ISP). For example, a mobile user uses a dial-up networking connection to dial in to a local ISP. After the Internet connection is made, the user creates a VPN connection with the VPN server. If the VPN connection is encrypted, there is no need to use encryption on the dial-up networking connection between the user and the ISP.

MPPE and IPsec are configured on the Settings tab on the properties of a network policy (formerly named remote access policy) to use 40-bit (the Basic encryption setting), 56-bit (the Strong encryption setting), or 128-bit (the Strongest encryption setting) encryption keys. Use 40-bit encryption keys to connect with older operating systems that do not support 56-bit or 128-bit encryption keys. Otherwise, use 56-bit encryption keys. Encryption keys are determined at the time of the connection. MPPE requires the use of the MS-CHAP v2 or EAP-TLS authentication protocols.

Data encryption for PPTP or SSTP connections is available only if MS-CHAP v2 or EAP-TLS is used as the authentication protocol. Data encryption for L2TP connections relies on IPsec, which does not require any specific authentication protocol.

Remote access data encryption does not provide end-to-end data encryption. End-to-end encryption is data encryption between the client application and the server that hosts the resource or service being accessed by the client application. To get end-to-end data encryption, use IPsec to create a secure connection after the remote access connection has been made.
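
The pairing rules above (MPPE on dial-up, PPTP and SSTP only with MS-CHAP v2 or EAP-TLS; IPsec on L2TP with any authentication protocol; Basic, Strong and Strongest as 40-, 56- and 128-bit keys) can be checked mechanically when reviewing policies. The following is an added example, not Microsoft code or part of the original page; the policy records and their field names are constructed for illustration and are not an NPS export format.

```python
# Added example: applies this page's rules to constructed policy records.
KEY_BITS = {"Basic": 40, "Strong": 56, "Strongest": 128}  # setting -> key length
MPPE_LINKS = {"dial-up", "PPTP", "SSTP"}   # connection types the page pairs with MPPE
MPPE_AUTH = {"MS-CHAP v2", "EAP-TLS"}      # authentication protocols MPPE requires

# Constructed sample input (hypothetical field names).
POLICIES = [
    {"name": "pptp-users", "link": "PPTP", "auth": "MS-CHAP v2",
     "encryption": ["Strong", "Strongest"]},
    {"name": "sstp-legacy", "link": "SSTP", "auth": "PAP",
     "encryption": ["Strongest"]},
    {"name": "l2tp-mixed", "link": "L2TP", "auth": "PAP",
     "encryption": ["Basic", "Strongest"]},
]


def audit_policy(policy):
    """Return (mechanism, lowest permitted key bits, findings) for one record."""
    link, auth = policy["link"], policy["auth"]
    findings = []
    if link in MPPE_LINKS:
        mechanism = "MPPE"
        if auth not in MPPE_AUTH:
            # Per the page, no data encryption is available in this case.
            mechanism = None
            findings.append(f"{auth} on {link}: MPPE needs MS-CHAP v2 or EAP-TLS, "
                            "so the connection has no data encryption")
    elif link == "L2TP":
        mechanism = "IPsec"  # IPsec does not depend on the authentication protocol
    else:
        raise ValueError(f"unknown connection type: {link}")

    unknown = [s for s in policy["encryption"] if s not in KEY_BITS]
    if unknown:
        raise ValueError(f"unknown encryption setting(s): {unknown}")
    bits = sorted(KEY_BITS[s] for s in policy["encryption"])
    min_bits = bits[0] if mechanism and bits else None
    if mechanism and not bits:
        findings.append("no encryption setting selected")
    if min_bits == 40:
        findings.append("Basic (40-bit) is permitted; the page reserves it for "
                        "older operating systems without 56- or 128-bit support")
    return mechanism, min_bits, findings


if __name__ == "__main__":
    for p in POLICIES:
        print(p["name"], audit_policy(p))
```

The lowest permitted key length is reported because keys are determined at connection time, so a policy that allows several settings can end up using the weakest one.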