Routing Problems Dealing with an ISP

• Any ping or traceroute output you may have that demonstrates the problem.

Make sure your ISP is someone you trust. During the course of the troubleshooting session you may have to give them security information about your network, or set up a test account for them to attempt to dial into. Any such test account should have only the access the session needs and should be disabled as soon as the session is over. Here are some suggestions for finding a trustworthy ISP, or building trust with your current one:

• Use a well-established ISP: either a well-known national provider, or a local one that has a good reputation and operating history. Your local Better Business Bureau is a good place to start.

• If possible, always deal with the same support person. This will not only assure you better service, as they will be familiar with your past problems, but will also keep to a minimum the number of people to whom you give sensitive network information.

10.2.5 Compatibility with Other Products

Other products on your network may interfere with the performance of your VPN. Before investing the time and money to set up a VPN, you should do some research to ensure that your system and network configuration will work with it, especially if you have an elaborate security setup. Here are some caveats when setting up a VPN or adding a new product to your network:

• Some routers block certain TCP ports out of the box as a security measure. Find out which ports your router blocks and make sure that they are not ports your VPN uses. You can usually turn this filtering off. Note that a VPN needs more than TCP ports passed: PPTP uses TCP port 1723 for its control connection but carries the tunnelled data in GRE (IP protocol 47), and IPsec uses UDP port 500 for IKE plus ESP (IP protocol 50) or AH (IP protocol 51), so a filter that passes only the TCP ports will still break the tunnel.

• As we have already said, some VPN products will not work through a proxy server. Versions of the Microsoft Proxy Server before 2.0, for instance, do not work with PPTP. If you already have a proxy server and want to implement a VPN, you may want to multi-home the VPN server between the Internet and your LAN, just as you have the proxy server set up. See Figure 10-1. VPN-only traffic routes through the VPN server, while all other traffic routes through the proxy server.

Figure 10-1. Running a proxy server with a VPN server

• Network Address Translation (NAT) is a technique many routers support that allows machines to access the Internet even though they have internal IP addresses, set aside in RFC 1918, that are not usable on the wider Internet. Essentially, each machine is given a nonroutable address, while the router has a routable IP address. When a machine behind the router sends traffic to the Internet, the router rewrites the packet's source address to its own routable address (and, for TCP and UDP, assigns a source port it can use to map the replies back), so to the outside world every internal machine appears to be the router. Because NAT alters the IP header, it breaks protocols that carry no port numbers to translate (GRE, used by PPTP, and ESP) and protocols that authenticate the header (AH), unless the router has specific support for them. If you want to use NAT, we suggest a double-router setup, as shown in Figure 10-2. It shows a gateway router to the Internet and a perimeter network with Internet-routable IP addresses. On the perimeter network is a NAT-capable router multi-homed to have interfaces to both the perimeter network and the internal network. The machines on the internal network have only non-Internet-routable IP addresses. The VPN server is also multi-homed between the perimeter and internal networks, and will route only VPN traffic to and from those networks; because its outside interface sits on the perimeter network with a routable address, VPN traffic never passes through the NAT router.

Figure 10-2. Running a Network Address Translation router with a VPN server
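The translation described in the NAT bullet above, as an added worked example (this is not code from the book): a minimal many-to-one NAT table for TCP and UDP, showing how two inside hosts with RFC 1918 addresses share the router's single routable address, how replies are mapped back, why unsolicited inbound traffic is dropped, and why a port-less protocol such as GRE or ESP cannot be translated this way. All addresses, ports and the `Nat`/`Packet` names are constructed for the example.

```python
# Added example (not from the book): a minimal many-to-one NAT table for TCP/UDP,
# showing how hosts with RFC 1918 addresses share the router's one routable address
# and why protocols without port numbers cannot be translated this way.
# All addresses and ports below are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three private address blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 blocks (not routable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", or a port-less protocol such as "gre"/"esp"
    src: str
    sport: Optional[int]  # None for protocols that carry no port numbers
    dst: str
    dport: Optional[int]


class Nat:
    """Port-and-address translation on the router's outside interface."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside src, sport, dst, dport) -> port used on the public side
        self.outbound_map = {}
        # (proto, public port, remote host, remote port) -> (inside src, sport)
        self.inbound_map = {}

    def can_translate(self, p: Packet) -> bool:
        """Plain NAT needs a private source address and a port field to rewrite.
        GRE (PPTP data) and ESP carry no port, so replies for different inside
        hosts could not be told apart."""
        return is_rfc1918(p.src) and p.proto in ("tcp", "udp")

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inside->Internet packet so it appears to come from the router."""
        if not self.can_translate(p):
            raise ValueError(f"cannot translate {p.proto} from {p.src}")
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[(p.proto, self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(p.proto, self.public_ip, self.outbound_map[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply addressed to the router back to the inside host, or drop it."""
        key = (p.proto, p.dport, p.src, p.sport)
        if p.dst != self.public_ip or key not in self.inbound_map:
            return None  # no matching mapping: unsolicited traffic is dropped
        inside_src, inside_sport = self.inbound_map[key]
        return Packet(p.proto, p.src, p.sport, inside_src, inside_sport)


def demo():
    """Two inside hosts talk to the same web server through one public address."""
    nat = Nat("203.0.113.1")  # constructed router address (documentation range)
    a = nat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 80))
    b = nat.outbound(Packet("tcp", "192.168.1.11", 51000, "198.51.100.5", 80))
    reply_a = nat.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.1", a.sport))
    stray = nat.inbound(Packet("tcp", "198.51.100.9", 80, "203.0.113.1", 40999))
    return a, b, reply_a, stray


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

Both inside hosts use the same source port 51000, yet they get distinct public ports (40000 and 40001), which is the only thing that lets the router deliver each reply to the right host; that is exactly the state a port-less GRE or ESP packet gives it no way to keep, and why the book's topology puts the VPN server's outside interface on the perimeter network rather than behind the NAT router.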

10.3 Delivering Quality of Service

We have already spoken about QoS in reference to choosing an ISP. This section discusses creating QoS for your own connectivity. QoS gives you the ability to manage your bandwidth: it lets you assign priorities to certain types of network traffic based on user, application, host, network, or protocol. With a VPN, you might be using your VPN Internet connection for normal Internet traffic as well, such as email, web browsing, and file transfers. Since the VPN connection is business-critical, you might want VPN users to see lower latency than some of those other services get. In this case, you could bump up the
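The prioritisation described above, as an added worked example (not code from the book): a classifier that sorts packets into classes by protocol and port, feeding a deficit round-robin scheduler that gives the VPN class the largest share of the link each round while still serving email, web and file-transfer traffic. The class names, quanta, rule table and sample packets are all constructed for the example; a real router would express the same idea in its own QoS configuration.

```python
# Added example (not from the book): a traffic classifier feeding a deficit
# round-robin (DRR) scheduler, as one way to give VPN traffic the larger share
# of a link without starving email, web and file-transfer traffic entirely.
# Class names, quanta and the sample packets below are constructed for the example.
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "gre", "esp", ...
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports
    size: int             # bytes


def is_vpn(p: Packet) -> bool:
    """PPTP control (TCP 1723) and data (GRE), or IPsec IKE (UDP 500) and ESP/AH."""
    return (p.proto in ("gre", "esp", "ah")
            or (p.proto == "udp" and p.dport == 500)
            or (p.proto == "tcp" and p.dport == 1723))


# Rules are checked top to bottom; first match wins.  Matching on protocol and
# port is the "application/protocol" criterion in the text; adding src/dst
# checks would give the "host/network" criterion.
RULES = [
    ("vpn",  is_vpn),
    ("mail", lambda p: p.proto == "tcp" and p.dport in (25, 110, 143)),
    ("web",  lambda p: p.proto == "tcp" and p.dport in (80, 443)),
    ("bulk", lambda p: p.proto == "tcp" and p.dport in (20, 21)),
]
DEFAULT_CLASS = "other"

# Bytes each class may send per round: the share of the link it is guaranteed.
QUANTA = {"vpn": 3000, "mail": 1000, "web": 1000, "bulk": 500, "other": 500}


def classify(p: Packet) -> str:
    for name, match in RULES:
        if match(p):
            return name
    return DEFAULT_CLASS


class DrrScheduler:
    """Deficit round robin: each class accrues its quantum per round and sends
    packets while it has credit, so a large quantum means more bandwidth and
    shorter queueing delay, but small classes still get served."""

    def __init__(self, quanta=QUANTA):
        self.quanta = quanta
        self.queues = {name: deque() for name in quanta}
        self.credit = {name: 0 for name in quanta}

    def enqueue(self, p: Packet) -> str:
        name = classify(p)
        self.queues[name].append(p)
        return name

    def round(self):
        """One pass over the classes; returns the class names sent, in order."""
        sent = []
        for name, q in self.queues.items():
            if not q:
                self.credit[name] = 0   # idle classes may not hoard credit
                continue
            self.credit[name] += self.quanta[name]
            while q and q[0].size <= self.credit[name]:
                self.credit[name] -= q.popleft().size
                sent.append(name)
        return sent

    def drain(self):
        """Run rounds until every queue is empty; returns the full send order."""
        order = []
        while any(self.queues.values()):
            order.extend(self.round())
        return order


def demo():
    """Equal backlogs of VPN, web and FTP-data packets contending for one link."""
    sched = DrrScheduler()
    for _ in range(4):
        sched.enqueue(Packet("esp", "198.51.100.5", "203.0.113.1", None, 1400))
        sched.enqueue(Packet("tcp", "192.168.1.10", "203.0.113.80", 80, 1400))
        sched.enqueue(Packet("tcp", "192.168.1.11", "203.0.113.21", 20, 1400))
    return sched.drain()


if __name__ == "__main__":
    print(demo())
```

With equal backlogs, all four VPN packets leave the link before the first web packet, and web finishes well ahead of FTP data, yet the FTP packets are still sent rather than starved; raising a class's quantum lowers its queueing delay, which is the lever the text is about to describe.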