Always On VPN – Configure the Remote Access Server

You can use this
section to install and configure the Remote Access server role on the computer
or virtual machine (VM) that you want to use as your VPN server.

The steps in this
section allow you to complete the following items.

1. On the computer or VM that is planned as the
   VPN server, and that is installed on your perimeter network, you can install
   Remote Access.
2. On the Remote Access server, you can configure
   Remote Access as a RAS Gateway VPN server.

Install Remote Access as a RAS Gateway VPN
Server

You can use this
section to install the Remote Access role as a single tenant RAS Gateway VPN
server.

Administrative
Credentials

Membership in Administrators, or equivalent, is the minimum required to perform
these procedures.

To install
Remote Access by using Windows PowerShell

To perform this
procedure by using Windows PowerShell, run Windows PowerShell as Administrator,
type the following command, and then press ENTER.

Install-WindowsFeature DirectAccess-VPN
-IncludeManagementTools

After installation
successfully completes, the following message appears in Windows PowerShell.

To install
Remote Access by using Server Manager

You can use the
following procedure to install Remote Access using Server Manager.

1. On the VPN server, in Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.
2. In Before you begin, click Next.
3. In Select Installation Type, ensure that Role-Based or feature-based installation is selected, and then click Next.
4. In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.
5. In Select server roles, in Roles, click Remote Access, and then click Next.
6. In Select features, click Next.
7. In Remote Access, click Next.
8. In Select role service, in Role
   services, click DirectAccess and VPN (RAS). The Add Roles and Features Wizard dialog box opens.

9. In Add Roles and Features Wizard, click Add
   Features to close the
   dialog box, and then click Next.
10. In Web Server Role (IIS), click Next.
11. In Select role services, click Next.
12. In Confirm installation selections, review the choices you’ve made, and then
    click Install.
13. When the installation is complete, click Close.

Configure Remote Access as a VPN Server

In this section, you
configure Remote Access VPN to allow IKEv2 VPN connections, deny connections
from other VPN protocols, and assign a static IP address pool for issuance of
IP addresses to connecting authorized VPN clients.

To Configure
Remote Access as a VPN Server

1. On the VPN server, in Server Manager, click
   the Notifications flag; then, in the Tasks menu, click Open the Getting Started Wizard. The Configure Remote Access wizard opens.

Note

The Configure Remote Access wizard might open behind Server Manager.
If you think the wizard is taking too long to open, move or minimize Server
Manager to find out whether the wizard is behind it. If not, wait for the
wizard to initialize.

• In Configure Remote Access, click Deploy
  VPN only. The Routing and
  Remote Access Microsoft Management Console (MMC) opens.

• In Routing and Remote Access, right-click the
  VPN server, and click Configure
  and Enable Routing and Remote Access. The Routing
  and Remote Access Server Setup Wizard opens. Complete the following steps:

  a. In the Routing and Remote Access Server Setup Wizard, click Next.

b. In Configuration, click Custom Configuration, and then click Next.

c. In Custom
Configuration, click VPN access, and then click Next.
 

d. In Completing
the Routing and Remote Access Server Setup Wizard, click Finish to close the
wizard, and click OK to close the Routing and Remote Access
dialog box.

e. Click Start service to start Remote Access.

• In the Remote Access MMC, right-click the VPN
  server, and click Properties.

• In Properties,
  click the IPv4 tab. Click Static address pool, and complete the following steps to
  configure an IP address pool. The static address pool should contain addresses
  from the internal perimeter network. These addresses are on the internal-facing
  network connection on the VPN server, not the corporate network.

a. Click Add.

b. In Start
IP address, type the starting IP
address in the range you want to assign to VPN clients.

c. In End
IP address, type the ending IP
address in the range you want to assign to VPN clients, or in Number of addresses, type the number of address you want to make
available.

If you’re using DHCP
for this subnet, ensure that you configure a corresponding
 address exclusion on your DHCP servers.

• In Properties, on the IPv4 tab, click Adapter. The resulting list displays the network adapters that are installed. Click the Ethernet adapter that is connected to your internal perimeter network.
• In Properties, click the Security tab. Click Authentication provider, and then click RADIUS Authentication. Click Configure. The RADIUS Authentication dialog box opens.
• In RADIUS Authentication, click Add. The Add RADIUS Server dialog box opens.
• In Add RADIUS Server, in Server name, type the Fully Qualified Domain Name of the NPS server on harmikbatth.lab/Corporate network. For example, if the NetBIOS name of your NPS server is NPS1 and your domain name is harmikbatth .lab, type NPS1.
  harmikbatth .local.
• In Shared secret, click Change. The Change Secret dialog box opens.
• In Change Secret, in New secret, type a text string. In Confirm new secret, type the same text string, and then click OK. IMPORTANT: Save this text string. When you configure the NPS Server on harmikbatth.lab/Corporate network, you will add this VPN Server as a RADIUS Client. During that configuration, you will use this same shared secret so that the NPS and VPN Servers can communicate.
• In Add RADIUS Server, review the default settings for Time-out, Initial score, and Port. If necessary, change the values to match the requirements for your environment, and then click OK.
• On the Security tab, review the setting for Accounting provider. If you want Remote Access activity logged on the Remote Access server, ensure that Windows Accounting is selected. If you want your NPS server to perform accounting services for VPN, change Accounting provider to RADIUS Accounting, and then configure the NPS server as the accounting provider.
• Click OK to close the Properties dialog box.
• In the Routing and Remote Access MMC, right-click Ports, and then click Properties. The Ports Properties dialog box opens.
• In Ports Properties, click WAN Miniport (SSTP), and then click Configure. The Configure Device – WAN Miniport (SSTP)dialog box opens.
• In Configure Device – WAN Miniport (SSTP), deselect the Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound) check boxes, and then click OK.
• Repeat the actions described in the previous step for WAN Miniport (L2TP) and WAN Miniport (PPTP).
• Click WAN Miniport (IKEv2), and click Configure. The Configure Device – WAN Miniport (IKEv2) dialog box opens.
• In Configure Device – WAN Miniport (IKEv2), in Maximum ports, type the number of ports to match the maximum number of simultaneous VPN connections that you want to support and then click OK.
• If prompted, click Yes to confirm restarting the server.
• If prompted, click Close to restart the server.