About VPN

VPN (virtual private network) service lets remote users connect to your intranet over the Internet. Users make a secure VPN connection to access services you haven’t made public on the Internet. For example, organizations typically make file sharing available only on their own intranets, requiring their remote users to connect using VPN to access shared files.

VPN service and your server’s firewall can both allow access to services from outside your intranet. The difference is that VPN service requires authentication for access, but allowing access through the firewall doesn’t require authentication. If VPN service is on, you don’t need to expose some services to the Internet through your firewall. For example, you might set the firewall to expose only your Websites services to the Internet, so the public can view your wikis and custom websites (subject to authentication and access restrictions you impose). Your server’s users can access other services—File Sharing, Contacts, Calendar, Messages, and Mail—through a VPN connection.
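A check for the policy in the example above, added here and not part of the original help text: it compares the ports that answer from outside the intranet with what should be public (Websites and VPN itself) and flags services that should only be reachable through VPN. The port numbers, the `audit_exposure` function, and the sample scan are assumptions for illustration; the ports are common defaults and should be confirmed against your server's own list.

```python
# Added example: audit Internet-facing ports against the policy in the text.
# Port numbers are common defaults assumed for illustration (not from this
# page); confirm them against your server's own list of services and ports.
PUBLIC = {("tcp", 80): "Websites", ("tcp", 443): "Websites"}
VPN = {("udp", 500): "IKE", ("udp", 1701): "L2TP", ("udp", 4500): "IPsec NAT-T"}
VPN_ONLY = {
    ("tcp", 548): "File Sharing (AFP)", ("tcp", 445): "File Sharing (SMB)",
    ("tcp", 8800): "Contacts", ("tcp", 8843): "Contacts",
    ("tcp", 8008): "Calendar", ("tcp", 8443): "Calendar",
    ("tcp", 5222): "Messages",
    ("tcp", 143): "Mail (IMAP)", ("tcp", 993): "Mail (IMAP)",
}


def audit_exposure(reachable):
    """Classify (proto, port) pairs that answer from outside the intranet.

    Returns sorted (severity, proto, port, message) tuples; empty means the
    exposure matches the policy. ESP (IP protocol 50) has no port and is
    outside what this check covers.
    """
    reachable = set(reachable)
    findings = []
    for key in reachable:
        if key in VPN_ONLY:
            msg = f"{VPN_ONLY[key]} is reachable without VPN authentication"
            findings.append(("HIGH", *key, msg))
        elif key not in PUBLIC and key not in VPN:
            findings.append(("REVIEW", *key, "exposed port not in the policy"))
    # Remote users cannot connect if a port the VPN service needs is closed.
    for key, name in VPN.items():
        if key not in reachable:
            findings.append(("INFO", *key, f"{name} closed; VPN may be unreachable"))
    return sorted(findings)


# Constructed sample: results of an external port check, not real scan data.
SAMPLE_SCAN = [("tcp", 443), ("tcp", 548), ("udp", 500), ("udp", 4500), ("tcp", 5900)]

if __name__ == "__main__":
    for severity, proto, port, message in audit_exposure(SAMPLE_SCAN):
        print(f"{severity:6} {proto}/{port}: {message}")
```
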

To ensure confidentiality, authentication, and communications integrity, VPN service uses the L2TP protocol with a shared secret. The shared secret is like a passphrase, but it isn’t used to authenticate client computer users for a VPN connection. Instead, it allows the server to trust client computers that have the shared secret, and it allows client computers to trust the server that has the secret. Both server and client computers must have the shared secret.

Users’ computers must be configured to make VPN connections. Users’ computers with OS X installed can be configured automatically. For information, see Provide secure remote access with VPN.

If you want to allow access to VPN service on the Internet and you have a cable router, DSL router, or other network router:

If you want to allow access to VPN service outside your intranet and your intranet has a separate firewall device, ask the firewall administrator to open the firewall for the ports and protocols that VPN service uses. For a list of ports, see Services and ports.