Networking
Remote Connectivity
S2S VPN, P2S VPN, SSL VPN, and Zero Trust — the differences that matter.
Site-to-Site VPN (S2S)
Site-to-site VPN connects two networks permanently. It's the technology used when two physical locations — offices, a branch and headquarters, an office and a data center — need to communicate as if on the same local network.
How it works: VPN-capable firewalls (or routers) at both locations negotiate an encrypted IPsec tunnel. Traffic that matches the tunnel's traffic selectors (the local and remote subnets configured on each side) is encrypted and sent through the tunnel; the remote firewall decrypts it and delivers it locally. Users at either location don't need to know a tunnel is involved; to them the remote site is just another reachable subnet.
IPsec: The Underlying Protocol
IPsec tunnels are set up in two phases (the Phase I / Phase II names come from IKEv1; IKEv2 calls them the IKE SA, built by IKE_SA_INIT and IKE_AUTH, and Child SAs, built by CREATE_CHILD_SA). Phase I establishes a secure management tunnel: the two firewalls negotiate and agree on the parameters for that tunnel (encryption cipher, hashing/integrity algorithm, authentication method such as pre-shared key or certificates, Diffie-Hellman group, lifetime), perform a Diffie-Hellman exchange using Internet Key Exchange (IKE) to derive keys, and authenticate each other. Once Phase I is up, Phase II negotiates the data tunnel (the IPsec SA, normally ESP) through which actual traffic flows, including its own cipher, the traffic selectors, its lifetime and, optionally, a fresh Diffie-Hellman exchange for perfect forward secrecy. Both sides must offer at least one matching proposal in each phase, and a mismatch is the most common reason a tunnel fails to come up.
The Diffie-Hellman key exchange is what allows two parties who've never met to agree on a shared secret key without an eavesdropper being able to derive it, even if they observe the entire negotiation. This is fundamental to IPsec's security, with one caveat: Diffie-Hellman alone does not tell either side who it is talking to. An active attacker on the path can run a separate exchange with each peer, which is why the Phase I authentication (pre-shared key or certificate) that binds the exchanged values to an identity is essential, and why a weak or shared-across-sites PSK undermines the whole tunnel.
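The following is an added example, not code from the original page or any VPN product: a simulation of the Phase I exchange in Python, covering both the Diffie-Hellman agreement and the authentication caveat above. The branch (initiator) and HQ (responder) each derive the same tunnel key from public values an eavesdropper can see; with `mitm=True` an active attacker swaps in its own public values, ends up sharing a distinct key with each side, and is caught only because the authenticator covers the value each side actually sent. The group parameters `P` and `G`, the nonces, the pre-shared key and the `auth_tag` construction are all constructed stand-ins (real IKE uses standardised MODP or elliptic-curve groups and a prf-based AUTH payload over the whole first message).

```python
import hashlib
import hmac
import secrets

# Toy group parameters constructed for this example. They are NOT an IKE
# Diffie-Hellman group: a real tunnel uses a standardised MODP group
# (RFC 3526) or an elliptic-curve group negotiated in Phase I.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Generate a private exponent and the public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Compute the shared secret from our private exponent and the peer's public value."""
    # Reject degenerate values (0, 1, p-1) that would force a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(peer_pub, priv, P)


def derive_tunnel_key(shared, nonce_i, nonce_r):
    """Stand-in for IKE's prf-based key derivation (SKEYSEED / KEYMAT)."""
    return hmac.new(nonce_i + nonce_r, shared.to_bytes(32, "big"), hashlib.sha256).digest()


def auth_tag(psk, own_pub, nonce_i, nonce_r):
    """Authenticator over the DH value a party actually sent, keyed by the pre-shared key.
    Constructed analogue of the IKE AUTH payload, not the real construction."""
    msg = own_pub.to_bytes(32, "big") + nonce_i + nonce_r
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_phase1(psk, mitm=False):
    """Simulate a Phase I style exchange between an initiator (branch) and a
    responder (HQ). With mitm=True an active attacker on the path replaces
    both public values with its own.

    Returns (initiator_key, responder_key, auth_ok, attacker_keys)."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)

    # i_pub, r_pub, both nonces and the auth tag all cross the wire in the
    # clear. A passive eavesdropper sees every one of them and still cannot
    # compute the shared secret without a private exponent.
    if mitm:
        m_priv, m_pub = dh_keypair()
        pub_seen_by_r, pub_seen_by_i = m_pub, m_pub
    else:
        pub_seen_by_r, pub_seen_by_i = i_pub, r_pub

    # Each side derives its key from the public value it received.
    k_i = derive_tunnel_key(dh_shared(i_priv, pub_seen_by_i), nonce_i, nonce_r)
    k_r = derive_tunnel_key(dh_shared(r_priv, pub_seen_by_r), nonce_i, nonce_r)

    # The responder recomputes the tag over the value it *received*; if the
    # attacker replaced i_pub the tags differ and the negotiation must abort.
    tag_i = auth_tag(psk, i_pub, nonce_i, nonce_r)
    auth_ok = hmac.compare_digest(tag_i, auth_tag(psk, pub_seen_by_r, nonce_i, nonce_r))

    attacker_keys = None
    if mitm:
        # The attacker shares one key with the initiator and another with the
        # responder, so it can decrypt and re-encrypt everything in between.
        attacker_keys = (
            derive_tunnel_key(dh_shared(m_priv, i_pub), nonce_i, nonce_r),
            derive_tunnel_key(dh_shared(m_priv, r_pub), nonce_i, nonce_r),
        )
    return k_i, k_r, auth_ok, attacker_keys


if __name__ == "__main__":
    psk = b"constructed-demo-psk"
    k_i, k_r, ok, _ = run_phase1(psk)
    print("honest exchange: keys match =", k_i == k_r, "auth ok =", ok)
    k_i, k_r, ok, (k_mi, k_mr) = run_phase1(psk, mitm=True)
    print("MITM, ignoring auth: keys match =", k_i == k_r,
          "attacker holds both keys =", (k_mi, k_mr) == (k_i, k_r))
    print("MITM detected by PSK authentication =", not ok)
```

Run as a script it prints the honest case (keys match, auth ok), then the attacked case (the two sides hold different keys, both known to the attacker, and the authenticator check fails). The degenerate-value check in `dh_shared` mirrors what a real IKE implementation must do: accepting a public value of 0, 1 or p-1 lets a peer force the shared secret to a known constant.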
S2S use cases:
- Branch office to headquarters
- Office to on-premises data center
- Office to cloud virtual network (Azure VPN Gateway, AWS Site-to-Site VPN)
S2S is network-to-network. It requires a VPN device at each end and is meant for permanent connectivity between fixed locations.
Point-to-Site VPN (P2S)
Point-to-site VPN connects an individual device to a remote network. This is the traditional "employee VPN" — a user installs VPN client software, connects to the company's VPN gateway, and their traffic routes through the company network as if physically in the office.
How it works: the gateway accepts incoming connections from authenticated clients. The client authenticates (credentials plus MFA, or a certificate), a virtual network adapter appears on the client device, and traffic destined for company resources routes through the tunnel. Whether only company prefixes go through the tunnel (split tunnel) or all of the device's traffic does (full tunnel) is a gateway policy decision; split tunnel saves bandwidth, full tunnel lets the company's egress filtering and logging apply to the remote device.
Use cases:
- Remote employees accessing on-premises file servers, printers, or internal applications
- IT staff managing internal infrastructure remotely
- Any scenario requiring full internal network access from outside the office
SSL VPN
SSL VPN is a category of P2S VPN that uses TLS (still widely called SSL), the same protocol as HTTPS, rather than IPsec. The practical advantage: TLS on TCP port 443 is permitted through virtually every corporate and hotel firewall, while IPsec (UDP 500/4500 and ESP) is frequently blocked. Some products carry the data channel over DTLS (UDP) for better performance and fall back to TCP 443 when UDP is blocked. SSL VPN is not quite "works everywhere": a TLS-inspecting proxy that expects plain HTTPS can break or block it.
Most enterprise VPN products support SSL VPN as one mode: SonicWall NetExtender/Mobile Connect, Cisco AnyConnect (now Cisco Secure Client), Palo Alto GlobalProtect, Fortinet FortiClient. Whichever product is used, the gateway is an Internet-facing login surface for the whole organisation, so patching it promptly and requiring MFA on it are not optional.
The Modern Alternative: Zero Trust Access
Traditional VPN gives remote users broad network access, and that is also what makes it a liability. A compromised device connected via VPN can reach everything the tunnel routes to, which in a default configuration is often the entire internal network, unless firewall policy on the VPN interface restricts each user group to the subnets and ports it actually needs.
Zero Trust Network Access (ZTNA) replaces broad network access with application-level access. Instead of joining the network, users access specific applications — and access decisions factor in identity, device health, location, and context.
Cloudflare Access, Zscaler Private Access, and Microsoft Entra application proxy (formerly Azure AD Application Proxy) are mature ZTNA implementations. For organizations replacing aging VPN infrastructure, evaluating ZTNA alongside traditional options is worthwhile; the trade-off is that ZTNA works per application, so legacy protocols and broad administrative access still tend to need a VPN or an equivalent network-level path.
Choosing Between S2S and P2S
S2S: You have two fixed locations that need permanent connectivity. Resources at each site must be reachable from the other.
P2S: Individual users need remote access — employees working from home, IT staff managing servers remotely.
In practice, most organizations need both: S2S for the connection to a data center or cloud network, and P2S for traveling and remote employees.