Enabling VPN Functionality on an RRAS Server in Windows Server 2008



By installing the Routing and Remote Access Service (RRAS) on the server, the server can accept VPN (Virtual Private Network) connections from clients and/or initiate them to other sites. The following deployment types can be created:

1) VPN gateway for clients: The most common scenario, this involves the RRAS server being the gateway into a network for VPN clients. This scenario requires the server to have two network cards installed.

2) Site-to-site VPN: In this scenario, the RRAS server establishes a VPN tunnel to another RRAS server in a remote site, so traffic is routed between the two networks as normal but is encrypted while it crosses the tunnel.

3) Dial-up RAS server: In this layout, the server is installed with a modem or pool of modems and provides for dial-in capabilities.

4) NAT between networks: On an RRAS server installed in Routing mode, this deployment option provides Network Address Translation (NAT) between network segments. For example, the addresses on one network might be public, such as 12.155.166.x, while the internal network uses private addresses such as 10.10.10.x. NAT rewrites the private source addresses of outbound traffic to the public address and translates the replies back to the private addresses.

5) Routing between networks: On an RRAS server installed in Routing mode, this deployment option allows for direct routing of the traffic between network segments.

6) Basic firewall: The RRAS server can act as a simple packet-filtering router, permitting or blocking traffic by address, protocol, and port (Layers 3 and 4). It does not inspect application-layer content, so for more secure scenarios use an application-layer (Layer 7) firewall such as Microsoft’s ISA Server 2006.

NOTE: The VPN wizard requires the server to have at least two network cards installed. VPN connections arrive on one network card, such as one connected to the Internet or to a Demilitarized Zone (DMZ) network, and the decrypted traffic is passed through the second card into the internal network. A server with a single network card can still be configured through the wizard's Custom Configuration option, but the steps below assume the standard two-card layout.

To set up the RRAS server for the most common scenario, VPN gateway, perform the following tasks:

1. Open the Routing and Remote Access MMC console (click Start, then Control Panel, then Administrative Tools, then Routing and Remote Access).

2. Select the local server name or connect to a remote RRAS server by right-clicking Routing and Remote Access and selecting Add Server.

3. Click Action and then Configure and Enable Routing and Remote Access.

4. Click Next at the Welcome page.

5. Choose the configuration that matches the scenario. For example, a site-to-site VPN uses the Secure Connection Between Two Private Networks option. Here we are setting up a VPN gateway for clients, so select Remote Access (Dial-up or VPN).

6. On the Remote Access page, check the box next to VPN. If enabling dial-up, such as in scenarios when the VPN box has a modem attached to it, the Dial-up box can be checked as well. Click Next to continue.

7. On the VPN Connection page, select the network card connected to the network from which VPN clients will arrive. This might be the Internet, or it might be a secured perimeter network such as a DMZ. The wizard's default option to enable security on the selected interface by setting up static packet filters restricts that interface to VPN protocol traffic only; leave it selected unless the same interface must also serve other traffic. Click Next to continue.

8. On the IP Address Assignment page, select how VPN clients will obtain their IP addresses. Automatically means RRAS leases addresses from a DHCP server reachable through the internal interface; if no DHCP server answers, RRAS falls back to APIPA (169.254.x.x) addresses and clients will connect but be unable to reach the internal network. Where no DHCP server is available, specify a static address range from the internal subnet instead. Click Next to continue.

9. On the Managing Multiple Remote Access Servers page, select whether RRAS authenticates connection requests itself (against local accounts or Active Directory) or forwards them to a remote RADIUS server such as Network Policy Server (NPS), which centralizes policy when more than one VPN server is deployed. Click Next to continue.

10. Review the wizard settings and click Finish when complete.

11. Click OK when the wizard reports that a default connection request policy has been created, and click OK again if it prompts you to configure the DHCP Relay Agent with the address of the DHCP server (this prompt appears when automatic address assignment was chosen).

12. Click Finish when the wizard is complete.

The wizard enables RRAS on the server, and the VPN settings and connected clients can then be administered from the Routing and Remote Access console. Review the settings within this console to familiarize yourself with how the system is configured.
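The wizard leaves the server with whatever authentication types and address assignment it chose by default, so the review it recommends is worth scripting. The following Windows PowerShell script is an added example and is not part of the original text; it runs the built-in netsh ras commands from an elevated prompt on the RRAS server and flags the settings a security reviewer would want changed. It assumes Windows PowerShell is installed on the Windows Server 2008 machine, and the substrings it matches in the netsh output (the word "enabled", the authentication type codes, the word "auto") are assumptions about netsh's English report format; adjust them if your build prints them differently.

```powershell
# Added example: post-wizard review of an RRAS VPN gateway on Windows Server 2008.
# Assumes Windows PowerShell is installed and the script is run elevated on the RRAS server.
# The output fragments matched below are assumed from netsh's English report format.

function Invoke-Netsh {
    param([string]$Arguments)
    # netsh prints its report to stdout; join it into one string for pattern matching
    $output = & netsh.exe $Arguments.Split(' ') 2>&1
    return ($output -join "`n")
}

$findings = @()

# 1. The Routing and Remote Access service (service name RemoteAccess) must be running.
$svc = Get-Service -Name RemoteAccess
if ($svc.Status -ne 'Running') {
    $findings += "RemoteAccess service is $($svc.Status); the wizard did not finish or the service was stopped."
}

# 2. The wizard sets the RRAS configuration state to enabled.
$conf = Invoke-Netsh 'ras show conf'
if ($conf -notmatch '(?i)enabled') {
    $findings += 'RRAS configuration state is not enabled (see: netsh ras show conf).'
}

# 3. Authentication types. PAP sends the password in clear text inside the tunnel
#    negotiation and MD5-CHAP needs reversibly encrypted passwords in the directory.
#    Only MS-CHAP v2 and/or EAP should remain enabled.
$auth = Invoke-Netsh 'ras show authtype'
if ($auth -match '(?im)^\s*PAP\b') {
    $findings += 'PAP is enabled; remove it with: netsh ras delete authtype type=PAP'
}
if ($auth -match '(?im)^\s*MD5CHAP\b') {
    $findings += 'MD5-CHAP is enabled; remove it with: netsh ras delete authtype type=MD5CHAP'
}
if ($auth -notmatch '(?i)MSCHAPv2' -and $auth -notmatch '(?i)\bEAP\b') {
    $findings += 'Neither MS-CHAP v2 nor EAP is enabled; add one with: netsh ras add authtype type=MSCHAPv2'
}

# 4. Address assignment. Automatic (DHCP) assignment silently falls back to APIPA
#    169.254.x.x addresses when no DHCP server answers, leaving clients connected
#    but unable to reach the internal network.
$ipcfg = Invoke-Netsh 'ras ip show config'
if ($ipcfg -match '(?i)auto') {
    $findings += 'Address assignment is automatic (DHCP): confirm a DHCP server answers on the internal interface, or configure a static pool with: netsh ras ip set addrassign method=pool'
}

# 5. Report the findings.
if ($findings.Count -eq 0) {
    Write-Host 'RRAS VPN gateway review: no findings.'
} else {
    Write-Host 'RRAS VPN gateway review findings:'
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run the script once after the wizard completes and again after any change made in the Routing and Remote Access console, since the console edits the same settings that netsh reports on. The authentication-type check is the one most worth keeping: the wizard does not force you to remove the weaker protocols, and the connection request policy it creates only decides where requests are authenticated, not which protocols are accepted.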