Understanding VPN configuration in Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Md. Sabir Chandwale and Rituraj Choudhary from Global Business Support]

In this post we will discuss about Virtual Private Network feature on Windows Server 2012 R2 Essentials.

Virtual Private Network can be straightforwardly installed and configured on a Windows Server 2012 R2 Essentials by running the Set up Anywhere Access wizard and selecting Virtual Private Network (VPN) option on the following screen.

image

If you want to know about Remote Web Access, or run through the sequential screens of Anywhere Access wizard, please visit this post.

When you choose to enable VPN using this wizard, the following roles/features get installed on the Essentials Server: Remote Access, DirectAccess and VPN (RAS), IP and Domain Restrictions, IIS Management Scripts and Tools, Network Policy and Access Services Tools, and Windows Internal Database.

You can also enable these roles/features from the Server Manager or PowerShell command-lets, however on Windows Server Essentials we recommend enabling it using the Set up Anywhere Access wizard.

It’s noteworthy that Windows Server 2012 R2 Essentials allows client machines to join their server without having to be inside the company network using a feature called Remote Domain Join. So, if VPN is enabled on Server Essentials, you may connect a remote client to the local network via VPN, run the Connect wizard from https:// <servername> /connect or https://<domainname>.remotewebaccess.com/connect URL and join the remote client to the server. The process is very simple and straightforward.

As a prologue to discuss some common issues with VPN on Windows Server 2012 R2 Essentials, let us first glance through the default Routing and Remote Access (RRAS) settings. You may also find the specifics about these settings on TechNet.

Note: Server Essentials automatically manages the routing for VPN, and therefore Routing and Remote Access (RRAS) UI is hidden on the server to prevent tampering of RRAS settings. As a result, to view, change or troubleshoot the Remote Access settings, you need to install Remote Access GUI and Command-Line Tools using Server Manager or the following PowerShell command:

Add-WindowsFeature RSAT-RemoteAccess-Mgmt

This feature enables Routing and Remote Access console and respective command-line tools to manage VPN and DirectAccess. Note that this role may not be required on the server unless you need to change the settings for VPN or DirectAccess.

Default Settings of VPN on Windows Server 2012 R2 Essentials

To check the default settings for the VPN, open Routing and Remote Access Manager. Right click server name, and select Properties.

On the General tab, IPv4 must be enabled:

clip_image003

The Security tab consists of the Authentication Methods… and SSL Certificate Binding:

clip_image004

The Authentication Methods should have Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) enabled. You can confirm it by clicking the Authentication Methods… button on the Security tab.

clip_image005

The SSL Certificate Binding section on the Security tab displays the certificate active for VPN. This also indicates that we enable VPN on SSL and that you do not have to allow any port other than port 443.

Let’s move on to the IPv4 tab. By default the VPN clients are set to receive IP from DHCP, but you may require to change it to a Static address pool for troubleshooting purposes.

clip_image006

On the IPv6 tab, the options Enable IPv6 Forwarding and Enable Default Route Advertisement are selected by default.

clip_image007

The IKEv2 tab consists of the default options to control the IKEv2 client connections and Security Association expiration.

clip_image008

The PPP tab contains the settings for Point-to-Point protocol and are as follows:

clip_image009

The Logging tab on the server properties page contains the level of logging enabled for Routing and Remote Access.

clip_image010

To enable additional logging for the Routing and Remote Access, select the option Log additional Routing and Remote Access information. Once this option is selected additional log files are created in the %windir%\Tracing directory that provide deeper insight to troubleshoot RRAS issues. Make sure to disable the additional logging once the troubleshooting is complete.

You may also gather and modify information for Remote Access from an elevated Windows PowerShell terminal. Here are some common commands:

Command

Purpose

  Get-Command -Module RemoteAccess

  Displays a list of commands available with RemoteAccess module

  Get-RemoteAccess

  Displays the configuration of VPN and DirectAccess (DA)

  Get-VpnAuthProtocol

  Displays authentication protocols and parameters set on the VPN

  Get-VPNServerConfiguration

  Displays VPN server properties

Here is a sample output:

clip_image011

You can look at the help file of each of these commands for a detailed description. Better yet, you can use the following command to insert the help contents of each of these commands for the module RemoteAccess to a text file as:

$(foreach ($command in (Get-Command -Module RemoteAccess)) {Get-Help $command.Name} ) | Out-File HELP.txt

We will discuss some common issues with VPN on another post in future.