
Always On VPN – Configure the Remote Access Server
You can use this section to install and configure the Remote Access server role on the computer or virtual machine (VM) that you want to use as your VPN server.
The steps in this section allow you to complete the following items.
- On the computer or VM that is planned as the VPN server, and that is installed on your perimeter network, you can install Remote Access.
- On the Remote Access server, you can configure Remote Access as a RAS Gateway VPN server.
You can use this section to install the Remote Access role as a single tenant RAS Gateway VPN server.
Administrative Credentials
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To perform this procedure by using Windows PowerShell, run Windows PowerShell as Administrator, type the following command, and then press ENTER.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
After installation successfully completes, the following message appears in Windows PowerShell.
Success | Restart Needed | Exit Code | Feature Result |
True | No | Success | {RAS Connection Manager Administration Kit |
You can use the following procedure to install Remote Access using Server Manager.
- On the VPN server, in Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.
- In Before you begin, click Next.
- In Select Installation Type, ensure that Role-Based or feature-based installation is selected, and then click Next.
- In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.
- In Select server roles, in Roles, click Remote Access, and then click Next.
- In Select features, click Next.
- In Remote Access, click Next.
- In Select role service, in Role services, click DirectAccess and VPN (RAS). The Add Roles and Features Wizard dialog box opens.
- In Add Roles and Features Wizard, click Add Features to close the dialog box, and then click Next.
- In Web Server Role (IIS), click Next.
- In Select role services, click Next.
- In Confirm installation selections, review the choices you’ve made, and then click Install.
- When the installation is complete, click Close.
In this section, you configure Remote Access VPN to allow IKEv2 VPN connections, deny connections from other VPN protocols, and assign a static IP address pool for issuance of IP addresses to connecting authorized VPN clients.
- On the VPN server, in Server Manager, click the Notifications flag; then, in the Tasks menu, click Open the Getting Started Wizard. The Configure Remote Access wizard opens.
Note
The Configure Remote Access wizard might open behind Server Manager. If you think the wizard is taking too long to open, move or minimize Server Manager to find out whether the wizard is behind it. If not, wait for the wizard to initialize.
- In Configure Remote Access, click Deploy VPN only. The Routing and Remote Access Microsoft Management Console (MMC) opens.
- In Routing and Remote Access, right-click the VPN server, and click Configure and Enable Routing and Remote Access. The Routing and Remote Access Server Setup Wizard opens. Complete the following steps:
a. In the Routing and Remote Access Server Setup Wizard, click Next.
b. In Configuration, click Custom Configuration, and then click Next.
c. In Custom Configuration, click VPN access, and then click Next.
d. In Completing the Routing and Remote Access Server Setup Wizard, click Finish to close the wizard, and click OK to close the Routing and Remote Access dialog box.
e. Click Start service to start Remote Access.
- In the Remote Access MMC, right-click the VPN server, and click Properties.
- In Properties, click the IPv4 tab. Click Static address pool, and complete the following steps to configure an IP address pool. The static address pool should contain addresses from the internal perimeter network. These addresses are on the internal-facing network connection on the VPN server, not the corporate network.
a. Click Add.
b. In Start IP address, type the starting IP address in the range you want to assign to VPN clients.
c. In End IP address, type the ending IP address in the range you want to assign to VPN clients, or in Number of addresses, type the number of addresses you want to make available.
If you’re using DHCP for this subnet, ensure that you configure a corresponding address exclusion on your DHCP servers.
- In Properties, on the IPv4 tab, click Adapter. The resulting list displays the network adapters that are installed. Click the Ethernet adapter that is connected to your internal perimeter network.
- In Properties, click the Security tab. Click Authentication provider, and then click RADIUS Authentication. Click Configure. The RADIUS Authentication dialog box opens.
- In RADIUS Authentication, click Add. The Add RADIUS Server dialog box opens.
- In Add RADIUS Server, in Server name, type the Fully Qualified Domain Name of the NPS server on harmikbatth.lab/Corporate network. For example, if the NetBIOS name of your NPS server is NPS1 and your domain name is harmikbatth.lab, type NPS1.harmikbatth.lab.
- In Shared secret, click Change. The Change Secret dialog box opens.
- In Change Secret, in New secret, type a text string. In Confirm new secret, type the same text string, and then click OK. IMPORTANT: Save this text string. When you configure the NPS Server on harmikbatth.lab/Corporate network, you will add this VPN Server as a RADIUS Client. During that configuration, you will use this same shared secret so that the NPS and VPN Servers can communicate.
- In Add RADIUS Server, review the default settings for Time-out, Initial score, and Port. If necessary, change the values to match the requirements for your environment, and then click OK.
- On the Security tab, review the setting for Accounting provider. If you want Remote Access activity logged on the Remote Access server, ensure that Windows Accounting is selected. If you want your NPS server to perform accounting services for VPN, change Accounting provider to RADIUS Accounting, and then configure the NPS server as the accounting provider.
- Click OK to close the Properties dialog box.
- In the Routing and Remote Access MMC, right-click Ports, and then click Properties. The Ports Properties dialog box opens.
- In Ports Properties, click WAN Miniport (SSTP), and then click Configure. The Configure Device – WAN Miniport (SSTP) dialog box opens.
- In Configure Device – WAN Miniport (SSTP), deselect the Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound) check boxes, and then click OK.
- Repeat the actions described in the previous step for WAN Miniport (L2TP) and WAN Miniport (PPTP).
- Click WAN Miniport (IKEv2), and click Configure. The Configure Device – WAN Miniport (IKEv2) dialog box opens.
- In Configure Device – WAN Miniport (IKEv2), in Maximum ports, type the number of ports to match the maximum number of simultaneous VPN connections that you want to support and then click OK.
- If prompted, click Yes to confirm restarting the server.
- If prompted, click Close to restart the server.
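The same role installation, static pool, DHCP exclusion and RADIUS settings can also be applied from an elevated PowerShell session. This is an added example, not part of the original procedure; it assumes the RemoteAccess module that ships with the role, and the pool addresses, DHCP scope ID and the $DhcpServer variable are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. Addresses and the scope ID are constructed placeholders.
$NpsServer  = 'NPS1.harmikbatth.lab'  # NPS server FQDN, as in the example above
$PoolStart  = '10.10.10.50'           # constructed: first VPN client address
$PoolEnd    = '10.10.10.150'          # constructed: last VPN client address
$DhcpServer = ''                      # assumption: set only if DHCP serves this subnet
$DhcpScope  = '10.10.10.0'            # constructed: DHCP scope ID of that subnet

# Install the role only when it is missing.
if (-not (Get-WindowsFeature -Name DirectAccess-VPN).Installed) {
    Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
}

# Deploy VPN only (no DirectAccess) unless that has already been done.
if ((Get-RemoteAccess).VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn
}

# Static address pool taken from the internal perimeter network.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange $PoolStart, $PoolEnd

# Matching exclusion on the DHCP server (needs the DhcpServer module).
if ($DhcpServer) {
    Add-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $DhcpScope -StartRange $PoolStart -EndRange $PoolEnd
}

# Random 256-bit shared secret instead of a hand-typed string.
$bytes = [byte[]]::new(32)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$Secret = [Convert]::ToBase64String($bytes)

# Switch the authentication provider to RADIUS and point it at the NPS server.
Set-VpnAuthType -Type ExternalRadius -RadiusServer $NpsServer -SharedSecret $Secret

# Review the result.
Get-RemoteAccess | Select-Object VpnStatus
Get-RemoteAccessRadius

# Needed again when this VPN server is added as a RADIUS client on NPS.
Write-Output "RADIUS shared secret (store it in your password vault): $Secret"
```

The Ports Properties steps (disabling SSTP, L2TP and PPTP, and setting the IKEv2 maximum ports) are not covered by this script and are still done in the Routing and Remote Access MMC.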