
Windows Server 2008 R2

Setting up a Virtual Private Network




This document will focus on setting up a Virtual Private Network in Windows Server 2008 R2.


A Virtual Private Network is used to connect remote computers or networks to an internal network that would
not be accessible any other way. VPNs can connect remote computers or networks or multiple networks
together. A VPN provides security so that traffic sent through the VPN connection is isolated from external
computers and networks.

The VPN connection allows remote users to directly connect to a remote network to gain access to resources on
that network.


Definitions:

VPN - Connects remote users and/or networks to local resources
PPTP - Point-to-Point Tunneling Protocol: creates a tunnel used to ensure that traffic sent from one point to the
next is secure
GRE - Generic Routing Encapsulation: a tunneling protocol used to encapsulate traffic
L2TP - Layer 2 Tunneling Protocol: tunneling protocol that relies on an encryption protocol to encrypt the data
within the tunnel
IPsec - Internet Protocol Security: secures IP traffic by authenticating and encrypting each packet in a session
Digital Certificate - An electronic document that uses a digital signature to verify the user/device identity
Direct Access - Introduced in Windows 7 and Windows 2008 R2, it allows remote users to securely access
internal resources on the corporate network. The connection is established from a Direct Access enabled portable
computer before the user logs into the device. Windows 2008 R2 requires a Public Key Infrastructure for it to work.
It also requires Windows 7 Enterprise/Ultimate and Windows Server 2008 R2.
Network Policy Server (NPS) - Microsoft's implementation of a RADIUS (Remote Authentication Dial-In User
Service) server. NPS provides Authentication, Authorization and Accounting for Wireless, Network Access and
VPN services.

Setting up VPN requirements:

This demo will be using:
Two Windows 2008 R2 servers, each with two network connections (one internal (Private) and one external (Public))
A Windows 7 client to connect to the remote VPN server.

Windows 7 to Windows 2008 R2 VPN connection
Windows 2008 R2 to Windows 2008 R2 site-to-site connection




Jim Long MOREnet 221 N. Stadium Blvd., Suite 201, Columbia, Mo. 65203 Oct 2012
Configure the Windows Server 2008 R2 VPN:

Pre-Setup Steps:
Install your Windows 2008 R2 server
Load all updates
Secure server
Add to Active Directory Domain
Configure external network connection
Configure host firewall
Configure external firewall to allow VPN connections
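The firewall steps above do not list which ports each tunnel type needs. The following script is an added example, not part of the MOREnet guide: it generates (and optionally applies) inbound host-firewall rules for only the tunnel types you decide to accept. It assumes Windows Server 2008 R2 with netsh advfirewall and that the external interface is in the Public firewall profile; the $allowedTypes list is an assumption to edit, and the port/protocol numbers are the standard ones for each tunnel type rather than values from the guide.

```powershell
# Added example, not part of the MOREnet guide: create the inbound host-firewall
# rules for only the tunnel types this RRAS server is meant to accept.
# Assumes Windows Server 2008 R2 (netsh advfirewall) and that the external
# interface sits in the Public firewall profile. Edit $allowedTypes first.
$allowedTypes = @('PPTP', 'L2TP')   # assumption: the two types used in the guide
$apply = $false                     # $false prints the commands; $true runs them

# Listener requirements per tunnel type (standard protocol facts, not page values).
# 'IP' entries are raw IP protocol numbers with no port: 47 = GRE, 50 = ESP.
$requirements = @{
    'PPTP'  = @( @{Proto='TCP'; Port=1723}, @{Proto='IP'; Number=47} )
    'L2TP'  = @( @{Proto='UDP'; Port=500}, @{Proto='UDP'; Port=4500},
                 @{Proto='UDP'; Port=1701}, @{Proto='IP'; Number=50} )
    'SSTP'  = @( @{Proto='TCP'; Port=443} )
    'IKEv2' = @( @{Proto='UDP'; Port=500}, @{Proto='UDP'; Port=4500}, @{Proto='IP'; Number=50} )
}

function Get-VpnFirewallCommands {
    param([string[]]$Types)
    $commands = @()
    foreach ($type in $Types) {
        if (-not $requirements.ContainsKey($type)) { throw "Unknown tunnel type: $type" }
        foreach ($req in $requirements[$type]) {
            if ($req.Proto -eq 'IP') {
                # Rule names carry only protocol/port so shared entries dedupe below.
                $commands += "netsh advfirewall firewall add rule name=RRAS-VPN-IPProto-$($req.Number) " +
                             "dir=in action=allow protocol=$($req.Number) profile=public"
            } else {
                $commands += "netsh advfirewall firewall add rule name=RRAS-VPN-$($req.Proto)-$($req.Port) " +
                             "dir=in action=allow protocol=$($req.Proto) localport=$($req.Port) profile=public"
            }
        }
    }
    # L2TP and IKEv2 share UDP 500/4500 and ESP; emit each rule once.
    return $commands | Select-Object -Unique
}

foreach ($cmd in Get-VpnFirewallCommands -Types $allowedTypes) {
    if ($apply) { Invoke-Expression $cmd } else { Write-Output $cmd }
}
```

Run `netsh advfirewall firewall show rule name=all` first to see the rules the Routing and Remote Access role already created, so you do not add overlapping ones.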

Setting up VPN:

On the Windows 2008 R2 Server we will install the VPN Role:

Open Server Manager

Click Start
Click Administrator Tools
Click Server Manager



Click Roles
Click Add Roles



Add Roles Wizard
The Roles Wizard will walk you through adding Roles to your server



Click Next
Select Network Policy and Access Services



Click Next
Network Policy and Access Services
Review this screen for more information about the service and review the links for additional information



Click Next

Select Role Services



Click Next

Select Role Services




Choose the roles that you need
Minimum roles:
NPS - Create and enforce network access policies
Routing and Remote Access Services - Provides remote user access
Remote Access Services - Allow access through VPN
Routing - Provides support for NAT routing and LAN routing

Additional Roles:
Health Registration Authority - Validates certificate requests that contain health claims and issues
certificates based on the health status
Host Credentials Authorization Protocol - Integrates Microsoft Network Access Protection with Cisco
Network Access controls

Select the Roles that you require

Click Next


Confirm Installation Selections



Click Install

Install Progress





Installation Results



Confirm that all Roles were successfully installed

Click Close

You will be returned to Server Manager



You will notice that the Role is showing errors
Click Network Policy and Access Services



Notice that it states that the service is installed but additional steps are required to configure the service

Click Go to the NPS console

Click Routing and Remote Access (Left Frame)



Click More Actions (Right Frame)

Click Configure and Enable Routing and Remote Access



Routing and Remote Access Wizard



Click Next

Configuration
This screen has several options to install a combination of services. Since we only want to install a VPN
server, we will choose Custom Configuration



Click Custom Configuration
Click Next
Custom Configuration



Select VPN Access

Click Next

Complete the Routing and Remote Access Server Setup Wizard



Click Finish

Warning!

Routing and Remote access has created a default connection request policy called Microsoft Routing and
Remote Access Service Policy



Click OK

Start the Service



Click Start service

Starting Service




Install Complete
Routing and Remote Access is Configured on This Server




Out of the box we cannot connect to the server because the Policies that were created will not allow
connections.

We will need to check the Routing and Remote Access settings and make sure everything is setup properly.



Verify Routing and Remote Access Configuration

This section will focus on checking the settings and ensuring that everything is setup properly with our VPN
configuration that we just finished installing.

Open Routing and Remote Access Management Console
Click Start / Administrative Tools
Click Routing and Remote Access



Routing and Remote Access Console



Checking the Properties for the Server
Right Click the server name



Click Properties

General Tab



By default it is setup for IPv4

Security Tab



The Security tab will allow us to setup additional security settings.

Because Windows 2008 R2 uses NPS, the Authentication Methods need to be configured in the Connection
Policies. We will look at that Policy later.

IPsec Policy / PreShared Key for L2TP connections

You will need to determine by Internal Policies if you will require L2TP connections.

By default a PPTP connection is created. PPTP basically creates an encrypted tunnel that sends the
unencrypted data back and forth through the tunnel.

L2TP uses the encrypted tunnel but the data that is sent is then encrypted as well. This is the most secure method,
but it can cause additional overhead on the client and server as they will have to encrypt/decrypt the data at each
end of the communication tunnel.

To configure a basic L2TP policy, click Allow custom IPsec policy for L2TP connection and enter a
preshared key. This key will then have to be configured on the client computers when setting up the VPN client in
order to connect to the server.

SSL Certificate Binding
To configure your server to use Secure Socket Tunneling Protocol (SSTP) you will need a Server
Authentication certificate to bind to the server. You can use an internal certificate store, and the clients will also
be required to have certificates.
How to set up SSTP: http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx
IPv4 Tab



This screen allows us to define the IP addresses that will be handed out to our clients.
IPv4 address assignment - IP addresses can be handed out by the server or by a DHCP server. If you do not
have a DHCP server defined then check Static Address pool

Enable IPv4 Forwarding - You will have to have this enabled if you want the traffic that is coming through this
VPN server to route from your public network to your private network. If you want clients to be able to access
the entire network that the server is attached to then you should enable this.

Static Address Pool

Click Add

Add the IP addresses you want the server to hand out



Click Ok

Enable Broadcast Name Resolution - This allows remote clients to resolve broadcast names on the subnet that
they are connecting to

If you are using a DHCP server then leave DHCP Server checked, and then you can either allow RRAS to
automatically select the adapter or you can select the adapter yourself



* Allowing RAS to select the adapter will result in RRAS randomly selecting an adapter every time the service
is started

IPv6 Tab



This tab allows you to define the IPv6 settings necessary for the server.

Enable IPv6 Routing - Same as IPv4, specifies whether the RRAS server will be forwarding the IPv6 traffic

Enable Default Route Advertisement - Specifies whether a default route is advertised on the server

IPv6 prefix assignment - Enter your assigned IPv6 prefix

Use the following adapter for DHCP, DNS - This is used the same as in IPv4 above

IKEv2

IKEv2 (Internet Key Exchange version 2) is used to set up security associations for the IPsec protocol



There are no changes to be made on this screen unless you encounter specific issues related to IKEv2

IKEv2 client connection timeouts

Idle time-out refers to the number of minutes that an IKE client can be idle before the connection is
terminated

Network Outage Time refers to the amount of time that packets are retransmitted to the client without a
response before the connection is considered severed.

Security Association (SA) expiration control

Security Association expiration time refers to the time that an SA with the IKE server is allowed to exist
before the session has to be re-negotiated. The negotiation must succeed before the computers can
exchange data

Security Association data size refers to the maximum amount of data that can be transferred between the
computers before the SA must be re-negotiated and a new session created
PPP Tab




Multilink - Determines whether you will allow clients to combine multiple physical connections into a single
logical connection

Dynamic bandwidth control using BAP or BACP - Defines whether the server uses these protocols to control
multiple physical connections for clients

Link control protocol (LCP) extensions - Clearing this checkbox prevents the server from sending
Time-Remaining and Identification checks to the client

Software Compression - Defines whether the server uses the Microsoft Point-to-Point Compression Protocol
(MPPC) to compress data sent on the remote access connection


Logging Tab



Select the event types you want logged

Log Errors only - Writes errors only to the Event Log files
Log Errors and Warnings - Writes errors and warnings to the Event Log files
Log all events - Writes all events to the Event Log files
Do not log events - Does not write any events to the Event Log files

Log Additional Routing and Remote Access information (used for debugging) - Writes events to the ppp.log
located at %windir%\tracing



This completes the settings needed for the RRAS server itself. We will now take a closer look at some of the
additional settings and the configuration in the RRAS console.




Network Interfaces



Shows the Network Interfaces associated with this server. I have named mine by IP address and which is
Public/Private so I can easily manage these connections

Remote Access Clients



Shows the clients that are currently connected to this RRAS server

Ports



This shows the number of available ports per protocol that clients can use. You can change the number of
ports.

Right Click Ports
Click Properties



The default number of ports created is listed.
You can change the number of ports available by selecting the type and clicking Configure

I have selected PPTP connections



You can change whether Remote access connections are allowed for this connection type
You can change whether Demand Dial connections are allowed for this connection type

You can also change the Maximum number of ports allowed.

Once you have made your changes Click Ok

Click Ok to close the properties window
Remote Access Logging and Policies



This setting will be controlled by the Network Policy Server. This will be discussed later in this document.

IPv4 Section

General



This screen again shows the network connections but on this screen we can click on the connections and view
the properties. The properties for the network connection from this screen will allow us to setup Inbound and
Outbound firewall rules.

Right Click on one of the network connections



You will see that you can now update the Routes as well as show additional information about this interface

Click Properties



Enable IP Routing - Specifies whether TCP/IP is enabled on this interface

Enable router discovery advertisements - Specifies whether Internet Control Message Protocol (ICMP) router
discovery is enabled on this interface

Inbound\Outbound Filters



Configure inbound/outbound rules to control network traffic by IP source/destination and protocol
Enable fragmentation checking - Specifies whether the router discards all fragmented IP packets that do not
correspond with the allowed traffic filters

Multicast Boundaries



Limit the range of the multicast scope


Multicast Heartbeat



Multicast Heartbeat listens for periodic traffic to confirm that the multicast infrastructure is functioning
normally
Static Routes



Allows for Static Routes to be defined for the network connections to this Routing and Remote Access server

Right Click static Routes
Click New



Enter the information to create new static routes and click Ok to create



DHCP Relay Agent



DHCP Relay Agent listens for broadcast DHCP messages on the local subnet and routes them to the DHCP
server on a different subnet.

To add additional Interfaces
Right Click the DHCP Relay agent
Click New Interface



Select the interface and click OK

This is not needed if you have set up the RRAS server as a router (which it is by default) or if your RRAS
server hands out the IP addresses itself, as in this document
IGMP



IGMP (Internet Group Management Protocol) is used to manage host membership in IPv4 multicast groups
on a network segment

Configure this only if needed

IPv6

General




Similar to IPv4 above, this screen allows you to configure Inbound\Outbound filters for the traffic but does not
show you the Update Routes option or the other information viewable with the IPv4 interfaces.

Static Routes



Same as IPv4 above; lets you create static route statements

This completes the settings and examples for this section.
Network Policy Server (NPS) Console

Configures and manages Network Policy Servers.
The Network Policy Server is used to create, manage and enforce network access policies and to process
connection requests for authentication and authorization to connect to your network.

Open Network Policy Server
Click Start
Click Administrative Tools
Click Network Policy Server




Network Policy Server

The NPS server handles more than just the VPN policies; it also handles:

RADIUS Clients and Servers
Policies
Network Access Protection (NAP)
Accounting
Template Management

I will overview each Section but to learn more about the details of each component you can select the
component and click the Learn more link.



This will open the Windows Help file with additional information about the selected item.



The Learn more link is available once you select ANY of the top level categories


NPS Overview

RADIUS Clients and Servers



This section allows you to add services or devices that can use this server to authenticate users. One of the most
common uses today is to allow authenticated users access to Wireless network resources.

It will also allow RADIUS proxies to be configured so that this server can forward requests to other RADIUS
Servers on the network.



Policies

There are 3 types of Policies that can be managed

Connection Request Policies - These allow you to designate whether connection requests are processed locally
or forwarded to remote RADIUS Servers

Network Policies - Designate who is authorized to connect to the network and under what circumstances they
can connect

Health Policies - Set up Policies that control whether NAP-capable client computers may access the network


Network Access Protection (NAP)

NAP allows you to set up system health checks, such as ensuring that systems are up-to-date with the latest
patches, that they are running current anti-virus software, and other checks that you deploy.

There are 2 sections

System Health Validators - Allow you to specify the settings required by NAP-capable clients

Remediation Server Groups - Allow you to define servers that can provide services and updates to
non-compliant clients


Accounting

Accounting allows the logs to be sent to an external server running a remote SQL server for accounting
purposes.

Some of the data that is collected:

Who Connected?
How long were they Connected?
Connection Errors
And more


Templates Configuration

You can use templates to create and manage several different settings for the server; templates include:

Shared Secrets
RADIUS Clients
Remote RADIUS Servers
Health Policies
Remediation Server Groups
IP Filters

Templates are not applied to the server but are stored for reuse later. These templates can be applied to specific
component configurations in the NPS console and can be re-used. This can save time when dealing with
multiple configurations that need the same settings.


Now that we have taken a look at what is available in this console, let's go back to the Policies section and focus
on what is needed to allow remote connections to our VPN server.

The Policy that will allow users to connect to the VPN server was created when the VPN service was loaded.
The Policy is located here:

NPS / Policies / Network Policies




The default connection policy is Connections to Microsoft Routing and Remote Access server and it is set up
to Deny access to this server.
To allow access to the VPN server all we have to do is open the policy and check Grant Access

Granting Access

Right Click Connections to Microsoft Routing and Remote Access server
Click Properties


Notice that Grant access is not checked



Check Grant Access
We will also set the Type of network access server at this time.

Make these changes and Click Apply



All Users will now be able to connect to the VPN server.

Congratulations! You now have a working VPN server!!!



We have created a VPN server; however, we have not looked at the security settings. As you can see from the
screen shot above there are additional tabs available. These tabs provide additional settings that we can use
to apply stricter security to the server. Let's open the Connections to Microsoft Routing and Remote
Access Policy again.

Right Click the Policy



Notice that you have some additional options

Move Up\Down - Policies are read in a TOP-DOWN manner, so you can have multiple policies
Disable - Disables the selected policy
Delete - Deletes the selected policy
Rename - Renames the selected policy
Duplicate policy - This will allow you to duplicate the policy so that you can work with a copy of the selected policy.
This is perfect for creating new policies from known good policies, so that if mistakes are made you can revert
to the original working policy
Properties - Displays the selected policy properties
Help - Displays the Microsoft help files

Click Properties


We are now back in the policy and we can explore the remaining tabs

Conditions



The Conditions tab allows us to define what conditions will need to be met in order for remote access clients to
connect to this server.

To add specific conditions click Add



You can now choose from an extensive list of conditions to allow remote clients to access the VPN server. The
easiest and most popular are located at the top of the list. We will add a Windows Group.

Adding a Windows Group will allow you to control the specific users that have access. As stated, once the
policy was changed to grant access, all users were allowed to connect to this server. We will limit this to a
specific group that we will call VPN Users

Click Windows Group
Click Add



Click Add Groups



Enter the Group to add

Click Ok



Add as many groups as necessary

Click Ok



You can now see that the group specified is listed

Click Apply

Users that are not in this group will no longer be able to connect to the VPN server and will receive an error



Using Conditions such as Windows Groups we can restrict who can connect to the VPN server
Constraints




Constraints set criteria that must be matched in order to connect.

There are 6 available constraints

Authentication - Define the authentication method for connecting to this server

Idle Timeout - If the session is idle for a specific amount of time then disconnect the client

Session Timeout - Limits the amount of time a client can be connected to the server

Called Station ID - Specify the phone number of the calling client

Day and time restrictions - Restrict access to this server to defined days and times

NAS Port Type - Specify what is allowed to connect to this server, such as another VPN server, 802.11 wireless,
etc.
Authentication

Set the allowed authentication methods



The most secure method is to allow certificate authentication only; however, this can be an expensive and
time-consuming method

Secured Password (EAP-MSCHAP v2) is also a secure method of authentication and it is set up by default

You can also add Protected EAP (PEAP) by clicking Add in the center window

All Authentication methods that are chosen will be allowed to connect.

I would recommend removing MS-CHAP as it is an older protocol and is less secure. Newer Windows
operating systems support MS-CHAP v2, and this is the preferred encryption method.

NONE of the other encryption methods should be used as they are not secure!!!
Idle Timeout

The Idle Timeout setting is not enabled by default. This forces the client to disconnect from the VPN if the
session is idle for a specific amount of time.




Configure the settings you want to use and Click Apply


Session Timeout

The session timeout specifies a maximum amount of time that a client can be connected to the server. The
client will be disconnected after the timeout limit is reached and will have to establish a new connection.



Configure the maximum time allowed in minutes that you want and Click Apply


Called Station ID

The called station ID allows you to configure a string, such as a phone number or an IP address, that is allowed to
connect to the server. It can use pattern matching, so you can use partial information to define
where the connection is coming from.



Configure the settings you want to allow and Click Apply

Day and time restrictions

The day and time restriction will allow you to limit when clients can access the server. If an attempt is made to
connect to the server outside the allowed day/time then the request will be refused.



To enable and modify these restrictions click the checkbox and click Edit



Modify the allowed connection day/time and click Ok. Click Apply

NAS Port Type

Define the allowed NAS port types that will be used to connect to this server. Check all that apply, only the
types checked will be allowed to connect.



We have completed Configuring our VPN server and our Connection Policies. Clients can now connect.
Connecting to the VPN server

In this section we will use a Windows 7 machine to connect to our VPN server and test our connection to the
Internal Network.

I have set up my local intranet page and I only allow my internal network of 192.168.100.1/24 to connect. I
have set up IP restrictions so that this is enforced, and I have tested connecting to the webpage from my web
server's public IP address of 192.168.0.240

I am connecting to the web site from my Windows 7 workstation and I receive this error:



In order to connect to the Internal Resource I will have to connect to my VPN server to gain access to my
intranet site and internal resources.

Configure VPN connection from Windows 7

Click Start
Type Network and Sharing in the search bar



Click Network and Sharing Center to open the link


Click set up a new connection or network



Select Connect to workplace

Click Next
Click Use my Internet Connection






Enter the IP address or DNS name of the VPN server

Give the connection a name (Destination Name)

Click Next


Enter Username, Password and Domain information

Click Connect

Connecting





I have connected successfully to my VPN server.

Now that we have connected lets check to see that we have a proper internal IP address



Notice the PPP adapter shows that I have an IP address but no gateway. When setting up my VPN server I did
not define a gateway since I did not want people using the VPN connection to browse the Internet. However,
with my default settings I cannot browse at all. We can fix this by modifying the VPN connection that we set up.

By disabling the gateway I can save bandwidth by forcing the client to use their own Internet connection to
browse the Internet, and this means they are only using the VPN connection to connect to local resources.
Configure VPN client to NOT use remote gateway

First we will disconnect from the VPN. We do this by clicking the Network Connections icon in the task bar



Click on MyDomain VPN Server and Click Disconnect

Right Click on the Connection

Click Properties



This will open the connection properties



Click on the Networking tab

Click on Internet Protocol Version 4 (TCP/IPv4)

Click Properties



Click Advanced
Remove the check for Use default gateway on remote network



Click Ok
Click Ok
Click Ok to close all the Windows

Click the Network Connection Icon in the task menu

Click on the VPN connection



Click Connect


Enter the appropriate Information

Click Connect

Let's check our IP information now



Now we can see that there is no Gateway listed.
Now that I have connected I need to access my work Intranet site. Let's try to connect to our intranet site

Open IE

Browse to http://192.168.100.100






I can now connect and see the Intranet Site!!!


This completes the section on setting up a test connection to the VPN server.
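The client-side changes above (clearing Use default gateway on remote network, then browsing to the intranet) can be verified without clicking through the dialogs. The script below is an added example and not part of the original guide: it reads the stored phonebook setting, inspects the live PPP adapter, and tests the intranet host. It assumes a Windows 7 client, the guide's connection name and addresses (MyDomain VPN Server, 192.168.100.0/24, 192.168.100.100), and that the phonebook key IpPrioritizeRemote holds the gateway setting.

```powershell
# Added example, not from the original guide: on the Windows 7 client, check that
# the VPN entry has "Use default gateway on remote network" cleared, that the live
# PPP adapter has a pool address with no gateway, and that the intranet host
# answers through the tunnel. Names/addresses are the guide's demo values; adjust.
$connectionName = 'MyDomain VPN Server'   # connection name shown in the guide
$vpnPoolPrefix  = '192.168.100.'          # the guide's internal network
$intranetHost   = '192.168.100.100'       # the guide's intranet site

# 1. Stored setting. In rasphone.pbk the key IpPrioritizeRemote is 1 when
#    "Use default gateway on remote network" is checked and 0 when cleared.
function Get-PbkPrioritizeRemote {
    param([string]$Entry)
    # Per-user phonebook first, then the all-users one ("Allow other people to use this connection").
    $books = @((Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
               (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'))
    foreach ($pbk in $books) {
        if (-not (Test-Path $pbk)) { continue }
        $inEntry = $false
        foreach ($line in Get-Content $pbk) {
            if ($line -match '^\[(.+)\]$') { $inEntry = ($matches[1] -eq $Entry); continue }
            if ($inEntry -and $line -match '^IpPrioritizeRemote=(\d)') { return [int]$matches[1] }
        }
    }
    return $null
}

# 2. Live state: the adapter holding a pool address and its default gateway list.
function Get-VpnAdapterState {
    param([string]$Prefix)
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
    foreach ($cfg in $cfgs) {
        $addr = @($cfg.IPAddress) | Where-Object { $_ -like "$Prefix*" } | Select-Object -First 1
        if ($addr) {
            return New-Object PSObject -Property @{
                Address = $addr
                Gateway = @($cfg.DefaultIPGateway | Where-Object { $_ })   # empty array when none
            }
        }
    }
    return $null
}

$prio = Get-PbkPrioritizeRemote -Entry $connectionName
if ($prio -eq $null)  { Write-Warning "No IpPrioritizeRemote found for entry '$connectionName'" }
elseif ($prio -eq 1)  { Write-Warning "Remote gateway still enabled in rasphone.pbk: all client traffic would cross the VPN" }
else                  { Write-Output "rasphone.pbk: remote gateway disabled (split tunnel)" }

$state = Get-VpnAdapterState -Prefix $vpnPoolPrefix
if ($state -eq $null) {
    Write-Warning "No adapter holds a $vpnPoolPrefix address; is the VPN connected?"
} else {
    $gw = if ($state.Gateway.Count -gt 0) { $state.Gateway -join ',' } else { '<none>' }
    Write-Output "VPN address $($state.Address), default gateway: $gw"
    # 3. Reachability: ICMP first, then the HTTP request the guide makes by browsing.
    if (Test-Connection -ComputerName $intranetHost -Count 2 -Quiet) {
        try {
            $html = (New-Object System.Net.WebClient).DownloadString("http://$intranetHost/")
            Write-Output "Intranet reachable: $($html.Length) bytes returned"
        } catch { Write-Warning "HTTP request failed: $($_.Exception.Message)" }
    } else { Write-Warning "$intranetHost does not answer ping over the tunnel" }
}
```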
Setting up a Site-to-Site VPN connection

In this section we will work on setting up a site-to-site VPN connection.

VPN site-to-site connections can be used for connecting a branch office back to the primary office or for an
offsite server to have an active connection back to the main site.

We will be using the VPN server we configured previously in this document as our primary site.

We will configure a secondary 2008 server to be our remote site.

Follow the steps outlined above to install the VPN service (pg 2-7) on the secondary VPN server.

You will only need to install Routing and Remote Access Services at this site:



NPS is not needed for this site since we will not be using this to allow remote connections

Routing is needed only if you intend to route traffic between the two remote networks.
Configure Remote Access Demand-Dial

Open Server Manager
Expand Roles
Expand Network Policy and Access Services


Click Routing and Remote Access (Left Frame)



Click More Actions (Right Frame)

Click Configure and Enable Routing and Remote Access



Routing and Remote Access Wizard



Click Next

Configuration
This screen has several options to install a combination of services.



Click Custom Configuration
Click Next
Custom Configuration



Select Demand-dial connections

Click Next

Complete Install Wizard



Click Next


Start the Service



Click Start service

Service is starting



RRAS is Configured



Create Demand-Dial Interface

Right Click on Network Interfaces



Click New Demand-dial Interface
Demand-dial Interface Wizard



Click Next

Interface Name



Enter the name for this Interface

Click Next

Connection Type



Select Connect using virtual private networking (VPN)

Click Next

VPN Type



Select the VPN type; you can use Automatic selection

Click Next
Destination Address



Enter the DNS name or Public IP of the VPN server

Click Next

Protocols and Security



Select: Route IP packets on this interface (for routing traffic between networks)
Select: Add a user account so a remote router can dial in
The other settings on this screen are not needed for this connection

Click Next
Dial-Out Credentials

Create a secure user account on the remote VPN server



Enter the appropriate credentials

Click Next

Complete the Wizard



Click Finish


Once we have completed the Wizard we will have a new Interface. This interface will need to be configured.

Right Click the new Interface



Click Properties

MyDomain Connection Properties



Notice that by default ONLY IPv6 is enabled

If using IPv6 addressing then this connection should work
Enable IPv4 Addressing



Since we are only using IPv4 in this demo we will uncheck IPv6 and check IPv4
Enable all necessary protocols for this connection

Create this as a Persistent connection
We will want this connection to maintain a persistent connection to our remote site

Click Options tab



Change the Connection type from Demand-Dial to Persistent

Click Ok to close the Properties Window
Test the Connection

Right Click MyDomain Connection



Click Connect



You should now see that you are connected:




Success!!!!
Issue:

After creating a successful connection you will not be able to access some resources or Ping the remote
network. This is due to an issue with Windows 2008 R2 server not adding the appropriate route statement.

Fix:

In Routing and Remote Access Console
Expand IPv4
Right Click Static Routes



Click New Static Route


Select the Demand-dial interface you created

Enter the Remote Network

Enter the Remote Network Mask

Check: Use this route to initiate demand-dial connections

Click Ok



Your Route should now be displayed in the static routes window

Test:

Open the Command Prompt and Ping Remote site IP address:



You can now access the resources from the remote network!


Can we access our Intranet now?




You have successfully setup the Site-to-Site VPN using a Demand-dial access rule!

Congratulations!!!




Links:

Virtual Private Networks
http://technet.microsoft.com/en-us/network/bb545442.aspx

Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
http://technet.microsoft.com/library/dd637783.aspx

Direct Access
http://technet.microsoft.com/en-us/network/dd420463.aspx

Remote Access (Windows 2012)
http://technet.microsoft.com/library/hh831416

How to Setup SSTP Remote Access Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx

Routing and Remote Access Blog
http://blogs.technet.com/b/rrasblog/

Cannot Ping Windows 2008 RRAS server IP
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/9ff109e5-0de4-4028-96fe-20aae218c6c4

Network Policy Server
http://technet.microsoft.com/en-us/network/bb629414.aspx

Windows Server 2008 How Do I Videos
http://technet.microsoft.com/en-US/windowsserver/dd334524.aspx

Windows 2008 Step-By-Step Guides (Downloadable Guides)
http://www.microsoft.com/en-us/download/details.aspx?id=17157
