Remote Access Deployment – Part 2: Configuring RRAS as a VPN server

Hello Customers,

In this post, I will go through the steps to configure to deploy RRAS as a VPN server. I will try to go through different configuration scenarios in order to point you to various configuration options in RRAS server role. However for your deployment, you may be skipping some of those – depending upon your requirements.

Terminology: RRAS Internal Interface is the interface representing all remote access devices (all VPN/dial-up clients are part of this interface).

Lets go through the different steps: -

2.1 Installation of server role

Let us try to configure RRAS server role as a VPN server on a Windows server 2008 R2 machine. To do that, you need to first install the RRAS server role:

  • Open “Server Manager”. Click on “Roles”, “Add Roles”. Click “Next”. Select “Network Policy and Access Services”. Click on “Routing and Remote Access Service” and the underlying checkboxes. If you want to install NPS based radius server on the same machine as RRAS server, select the same too. Click “Next” to install the same.
2.2 Configuring for VPN server

Once the server role is installed, you need to configure the same to provision the server role as a VPN server. To do the same, follow these steps:

  • Open Routing and Remote Access MMC snap-in by clicking on “Start”->”All Programs”->”Administrative Tools”->”Routing And Remote Access”. This launches the RRAS MMC snap-in.
  • Right Click on the left pane – on the machine name (below “Server Status”) and select “Configure and Enable Routing and Remote Access”. Click “Next”.
  • Select “Remote access (dial-up or VPN)”. Click “Next”.
  • Select “VPN”. Click “Next”.
  • Select the network interface card (NIC) connected towards the Internet. This is your public interface. And automatically the other interfaces are considered as private interface by RRAS.

If you plan to deploy RRAS serve directly connected to Internet and want to enable RRAS packet filters to allow **only VPN traffic** to be accepted from Internet side, click on “Enable security on the selected interface by setting up static packet filters”.

WARNING: If you are running other server roles (e.g. terminal server) on the same machine that needs access from the Internet side, you need to MANUALLY go and add those filters to allow access to those server roles. Otherwise, the RRAS packet filters will drop those packets.

Click “Next”

  • On the “IP Address Assignment” page, select the mechanism by which you will like to assign the IPv4 addresses to the remote access clients (i.e. client’s inner IP address – through which they access the machines sitting on private interface of RRAS).

By default, “Automatically” is set on. This mandates a need for DHCP server to be sitting on the private interface of RRAS. In this scenario, RRAS server obtains IP addresses on behalf of remote access clients using DHCP protocol and then assigns these addresses to the VPN clients when they connect in. Click “Next” to continue.

If you will like to specify the IP address from a static pool, select “From a specified range of addresses”. And select “Next”. In the next page, select “New” and you can enter the Address range (e.g. 192.168.1.1 to 192.168.1.10). Click “Next” to continue.

  • You will see “Managing Multiple Remote Access Servers” page. Here you can select how you want to authenticate the remote access clients. There are two options here:
    • “No, use Routing and Remote Access to authenticate connection requests”. Select this option, if you will like to use Windows based authentication. This mechanism will require your remote access server machine to be joined to domain if you will like to authenticate the remote access users using domain credentials.

WARNING: It is not recommended for edge machines to be joined to domain – in order to restrict the security foot-print of a DMZ machine.

If you will like to authenticate the remote access users using work-group credentials – then RRAS server need not be joined to domain.

    • “Yes, set up this server to work with a RADIUS server”. Select this option, if you will like to use Radius based authentication. In this scenario there are two options: RADIUS server installed on some other machine or on the RRAS server machine.

WARNING: If Radius server is installed on the same machine, then same restriction of machine to be joined to domain exists in order to authenticate remote access users using domain credentials. And it makes an edge machine joined to domain.

Hence the recommended deployment scenario is RADIUS server installed on some other machine sitting on private interface of RRAS server. And that machine is joined to domain, however RRAS server is a non-domain joined machine.

Select “Yes, set-up this server to work with a RADIUS server”. Click “Next”.

The next page is “RADIUS Server Selection” where you can enter the IP address of Primary and alternate RADIUS server (if any) and the shared secret.

NOTE: The same shared secret must be configured on the RADIUS server as the secret of the RADIUS client (i.e. VPN server in this scenario).

  • Click “Finish” to finish installation of remote access role.

If using Windows authentication OR Radius server (i.e. NPS) is installed on the same machine as RRAS server, a pop-up comes which specifies that a default remote access policy named “Microsoft Routing and Remote Access server” is created. Click OK.

Additionally in this scenario, you need change the “Access Permission” inside network policy from “Deny access” to “Grant access”. To do this, follow these steps:

    • Click on Routing and Remote Access MMC. Click on “Remote Access Logging and Policies”. Right Click and select “Launch NPS”. This will launch NPS MMC (a minimal one though. A full one can be launched by opening nps.msc at the command prompt).
    • Double click on the relevant Policy. Click on “Overview” tab and change the “Access Permission” to “Grant Access”.
2.3 IPv4 or IPv6 based remote access server
  • If not already launched, open Routing and Remote Access MMC snap-in by clicking on “Start”->”All Programs”->”Administrative Tools”->”Routing And Remote Access”. This launches the RRAS MMC snap-in.
  • Right Click on the left pane – on the machine name (below “Server Status”) and select “Properties”. This will open up the property page.
  • Click on “General” tab to select at top level how you will like to deploy this RRAS server. For example:
    • To enable RRAS server to forward IPv4 packets to/from remote access clients, enable “IPv4 Remote access server”.
    • To enable RRAS server to forward IPv6 packets to/from remote access clients, enable “IPv6 Remote access server”.
    • To enable RRAS server to forward IPv4 packets while acting as a site-to-site router, enable “IPv4 Router” and “LAN and demand-dial routing”.
    • To enable RRAS server to forward IPv6 packets while acting as a site-to-site router, enable “IPv6 Router” and “LAN and demand-dial routing”.
  • Click on IPv4 tab to change IPv4 transport related configuration:
    • “Enable IPv4 Forwarding” should be checked on – to ensure IPv4 packets can be forwarded between remote access client and rest of intranet resources. This check-box should be turned off – only if remote access users need to access the remote access server (e.g. you have some other server roles like IIS installed on remote access server machine and you will like to give your user access to only those server roles and not any other machines).
    • You can change the “IPv4 address assignment” between a “static address pool” and “DHCP”. This address pool will be used to assign one IP address to remote access client during VPN tunnel establishment phase.
    • If you will like to forward NETBIOS based name resolution queries coming from remote access clients to intranet (or private network behind RRAS server), click on “Enable broadcast name resolution”.
    • If you have multiple NICs as private interface on RRAS server, you need to select the NIC which will be used by RRAS server to read the DHCP server, DNS server and WINS server addresses. The DHCP server address will be used to build the IP address pool if “IPv4 address assignment” is DHCP. The DNS server and WINS server address will be passed to remote access clients during VPN tunnel establishment phase. These addresses will be used by remote access client to do the name resolution for intranet resources.
  • Click on IPv6 tab to change IPv6 transport related configuration:
    • “Enable IPv6 Forwarding” should be checked on – to ensure IPv6 packets can be forwarded between remote access client and rest of intranet resources. This check-box should be turned off – only if remote access users need to access the remote access server (e.g. you have some other server roles like IIS installed on remote access server machine and you will like to give your user access to only those server roles and not any other machines).
    • “Enable Default Route Advertisement” should be checked on – if you will like to make this RRAS server as the default IPv6 gateway for the remote access clients (i.e. turning split-tunneling off for the IPv6 transport in the remote access client)

Note: This check-box is not available on IPv4 tab – because in case of IPv4 the remote access client’s VPN configuration is the ONLY configuration that governs whether it has default IPv4 gateway towards VPN server or not (i.e. whether split-tunneling is turned on or off). However IPv6 is a special case because IPv6 protocol allows IPv6 router advertisement capability by which VPN server can advertise to VPN clients to become a default. If it does AND the remote access client’s VPN configuration allows that, then only default IPv6 gateway will be set with highest precedence (or lowest metric) on the VPN interface.

    • “IPv6 Prefix assignment” will be used to enter a /64 bit IPv6 prefix – which will be sent to the remote access clients. For example, 3000:1:2:3:

Note: The remote access clients share the same /64 bit IPv6 prefix – with 64 bit interface-id (i.e. lower 64 bit of IPv6 address) being different for each client.

    • If you have multiple NICs as private interface on RRAS server, you need to select the NIC which will be used by RRAS server to read the DNS server’s IPv6 address. This parameter is ONLY used for IKEv2 based VPN connection – to relay DNS server IPv6 address to the remote access clients during IKEv2 VPN tunnel establishment phase. This address will be used by remote access client to do the name resolution for intranet resources.

Note: The DNS server IPv6 address for rest of the PPP based VPN tunnels (i.e. PPTP, L2TP and SSTP) are not configured on the RRAS server directly. For this scenario to work, RRAS server is configured as a DHCPv6 Relay agent with RRAS Internal interface (i.e. virtual interface representing the remote access clients) and private interface facing a DHCPv6 stateless server. The DHCPv6 stateless server is configured with the DNS server IPv6 address. During VPN tunnel establishment phase, remote access client sends a DHCPv6 inform request packet – to get DNS server IPv6 address. This packet is sent over VPN tunnel to RRAS server who then relays the same to DHCPv6 stateless server. A DHCPv6 Inform reply is sent in reverse path containing the IPv6 address of the DNS server.

 

2.4 NAT support

RRAS server can be configured as a NAT router for two main scenarios – a) between machines sitting on LAN (i.e. private interface of RRAS) and Internet b) between remote access user machines and Internet.

To configure RRAS server as a NAT router (address port translation): -

  • Open Routing and Remote Access MMC snap-in by clicking on “Start”->”All Programs”->”Administrative Tools”->”Routing And Remote Access”. This launches the RRAS MMC snap-in.
  • Click on the left pane – on the machine name (below “Server Status”) and select “IPv4” and “General”. Right click and select “New Routing Protocol” and select “NAT”.
  • Select on “NAT” node under “IPv4”. Right click and select “New Interface”.

Select your interface facing internet and in the next page select the “Public interface connected to the Internet” and click to “Enable NAT on this interface”.

Select your interface facing private side (can be RAS Internal interface or other private NIC of RAS). And in the next page select the “Private interface connected to private network”.

2.5 DHCP Relay Agent

RRAS server can be configured as a DHCP Relay Agent for two main scenarios –

  • Between remote access clients and DHCP server when RRAS server is acting as a VPN server. In this scenario, the relay agent is used to forward DHCP inform packets between VPN client and DHCP server – to obtain information like DNS server address, IP routes.
  • Between LAN clients and DHCP server when RRAS server is acting as a LAN router. In this scenario, the relay agent is used to forward all DHCP packets – to obtain IP address and extended information.

DHCP relay agent is configured for IPv4 or IPv6 – depending upon the transport configured on DHCP client machine. Or in other words, if remote access client is configured to obtain IPv4 address from VPN server, then you need to configure DHCPv4 relay agent on RRAS server. And same way, if remote access client is configured to obtain IPv6 prefix from VPN server, then you need to configure DHCPv6 relay agent on RRAS server.

Note: DHCPv6 Relay Agent MUST be installed on RRAS server to support IPv6 remote access server scenario for all PPP based VPN tunnels (i.e. PPTP, L2TP and SSTP). This is required because the DNS server IPv6 address can be relayed to the VPN client only via the DHCPv6 Inform mechanism and not via PPP IPv6 Configuration Protocol stage. However the DHCPv4 Relay Agent is optional because DNS server address can be relayed to VPN client via PPP IPCP stage. The DHCPv6 Relay is optional for IKEv2 VPN tunnel because DNS server IPV6 address can be relayed to the VPN client using IKEv2 configuration payload stage.

To configure RRAS server as a DHCPv4 Relay Agent: -

  • If not already launched, open Routing and Remote Access MMC snap-in by clicking on “Start”->”All Programs”->”Administrative Tools”->”Routing And Remote Access”. This launches the RRAS MMC snap-in.
  • Click on the left pane – on the machine name (below “Server Status”) and select “IPv4” and “General”. Right click and select “New Routing Protocol” and select “DHCP Relay Agent”.
  • Select on “DHCP Relay Agent” node under “IPv4”. Right click and select “New Interface”.

Select your interface facing DHCP server and in the next page configure the DHCP relay agent parameters.

Repeat the same steps to select your interface facing remote access client (e.g. Internal) and in the next page configure the DHCP relay agent parameters.

  • Select on “DHCP Relay Agent” node under “IPv4”. Right click and select “Properties”. Enter the IPv4 address of the DHCP server – to which to relay the requests.

To configure RRAS server as a DHCPv6 Relay Agent: -

  • If not already launched, open Routing and Remote Access MMC snap-in by clicking on “Start”->”All Programs”->”Administrative Tools”->”Routing And Remote Access”. This launches the RRAS MMC snap-in.
  • Click on the left pane – on the machine name (below “Server Status”) and select “IPv6” and “General”. Right click and select “New Routing Protocol” and select “DHCPv6 Relay Agent”.
  • Select on “DHCPv6 Relay Agent” node under “IPv6”. Right click and select “New Interface”.

Select your interface facing DHCP server and in the next page configure the DHCP relay agent parameters.

Repeat the same steps to select your interface facing remote access client (e.g. Internal) and in the next page configure the DHCP relay agent parameters.

  • Select on “DHCPv6 Relay Agent” node under “IPv6”. Right click and select “Properties”. Enter the IPv6 address of the DHCP server – to which to relay the requests.
2.6 Packet Filtering

RRAS server can be configured to enable stateless packet filtering on any interface (LAN as well as Internal interface) using source IP address, destination IP address, IP protocol type, source and destination port number (for IP protocol type as TCP/UDP). These filters can be set for IPv4 as well as IPv6 packets.

To enable RRAS packet filtering on LAN interface (e.g. accept only VPN packets on public interface), please follow these steps:

  • If not already launched, open Routing and Remote Access MMC snap-in by clicking on “Start”->”All Programs”->”Administrative Tools”->”Routing And Remote Access”. This launches the RRAS MMC snap-in.
  • Click on the left pane – on the machine name (below “Server Status”) and select “IPv4” and “General”. Select the appropriate LAN interface on the right side. And right click and select “Properties”.
  • Select the “Inbound Filters” to add the filters on the IPv4 packets coming into the interface and “Outbound Filters” to add the filters on the IPv4 packets going out of the interface. On clicking the same, you can select the filter action (e.g. the incoming side filter action is “drop all packets except those that match the criteria below”) and click “New” to add the filter.
  • Similarly you can add the filters on IPv6 packets.

SECURITY NOTE: It is strongly recommended to allow specific filters on the public interface of RRAS and drop the rest. This filter set should match all the server roles running on RRAS server and accessible from Internet side (e.g. VPN service). Additionally, the IP address in the filter must be set correctly i.e. destination IP address MUST match the IP address of RRAS server public interface on the inbound filters and source IP address in packet MUST match the IP address of RRAS server public interface on the outbound filters . If you don’t put IP addresses explicitly, there is a risk of IP packets getting forwarded across RRAS server not meant for services running on RRAS server.

To enable RRAS packet filtering on VPN interface (i.e. filters packets coming in from remote access clients or going to remote access clients), please follow these steps:

  • Open the remote access network policy inside Radius server, go under the “Settings” tab and, click on “IP Filters” and then add the IPv4 and IPv6 inbound/outbound filters. This filter set will be passed to RRAS server during authentication stage and is applied on top of the internal interface corresponding to the specific authenticated VPN client. Note: The IP address given in this filter set represents the IP address of intranet machines (or machines behind RRAS server).

Note: NAP based health check also requires IP filters to be configured to restrict unhealthy client machines to a quarantine zone. However this quarantine filter set is configured as a “Remediation Server Group” and not as “IP filters” attribute inside the policy “Settings” tab. This is because filters specified as remediation server group is added on RRAS server when the remote access client is unhealthy and removed when the client becomes healthy. However the filters specified as IP filters is added on RRAS server when the remote client is healthy for the NAP scenario and for non-NAP scenario when the remote client is authenticated.

2.7 Tunnel Specific

Most of the configuration on RRAS server side is common for different types of VPN tunnels (i.e. PPTP, L2TP, SSTP and IKEv2), however there are few configuration that varies according to the tunnel. Let us take a look at some of these: -

  • Number of devices: A device is a software interface through which the remote access clients connect to VPN server. There is limited number of concurrent devices that is supported by different editions of Windows server – the details given here. Based upon your remote access user profile (mainly OS), you may have configured different VPN tunnels on the RRAS servers. You can thereby restrict number of ports for that particular tunnel type by changing the Ports configuration. Open RRAS MMC snap-in, click on the left pane – on the machine name (below “Server Status”) and select “Ports” node. Right click and select “Properties” and then select appropriate tunnel type and click “Configure” – to set the maximum number of concurrent ports supported by a given tunnel. This way you can divide your pool of concurrent VPN devices in a systematic manner between different tunnel types – hence the specific profile of remote access user.
  • Machine certificate configuration: L2TP/IPSec, SSTP and IKEv2 tunnels require a machine certificate to be installed on the RRAS server. This machine certificate should have following properties: EKU as Server Authentication, Subject Name same as the hostname OR IP address configured inside VPN client configuration and part of Trusted Root Chain that is also present on the VPN client machine. The same certificate can be used for all the tunnel types.

This certificate must be installed inside the local machine certificate store – under “Personal”. For L2TP/IPSec and IKEv2 – no other extra configuration is required in order to communicate the certificate pointer to RRAS. However for SSTP tunnel configuration, it is recommended to cross-check that the appropriate certificate is pointed by SSL Certificate Binding found here: Open RRAS MMC snap-in, click on server name, right click and select “Properties” and click on “Security” tab.

  • Authentication Methods/Protocols: All the VPN tunnels support EAP based authentication protocols. However PPTP & SSTP additionally supports MSCHAPv2, L2TP/IPSec additionally supports MSCHAPv2 and machine certificate based authentication, IKEv2 additionally supports machine certificate based authentication.

The set of allowed authentication methods are configured at two locations: One inside the Radius policy (as given above). And secondly, RRAS server MUST be configured to accept the appropriate authentication methods. This is done by following these steps: Open RRAS MMC snap-in, click on server name, right click and select “Properties” and click on “Security” tab. Click on “Authentication Methods” and select the appropriate authentication protocols accepted by RRAS server.

  • IKEv2 specific: Certain IKEv2 specific configuration like “Network Outage Time”, “Security Association Expiration Time”, “Security Association data size limit” – can be configured by following these steps: Open RRAS MMC snap-in, click on server name, right click and select “Properties” and click on “IKEv2” tab.
  • PPP specific (holds true for PPTP, L2TP and SSTP): Certain PPP specific configuration like “software compression” can be configured by following these steps: Open RRAS MMC snap-in, click on server name, right click and select “Properties” and click on “PPP” tab.

References: For further details on SSTP configuration, please refer to this step-by-step guide.

References: For further details on IKEv2 configuration, please refer to this step-by-step guide.

2.8 Further Readings

Remote Access Deployment – Part 1: Configuring Remote Access Clients

Remote Access Deployment – Part 3: Configuring RADIUS Server for remote access

With Regards,

Samir Jain

Senior Program Manager

Windows Networking

[This posting is provided “AS IS” with no warranties, and confers no rights.]