Click Add and select Microsoft: Secure password (EAP-MSCHAP v2). Uncheck the option to use Microsoft Encrypted Authentication (MS-CHAP). Specify AD security group for remote access. Provide a descriptive name for the policy, select Type of network access server, and then choose Remote Access Server (VPN-Dial up) from the drop-down list and click Next.Ĭlick Add, select Windows Groups, and click Add.Ĭlick Add Groups, specify the name of the AD security group that includes users to be authorized for remote access VPN, then click OK and Next.
Right-click Network Policies and choose New. To configure remote access permissions for an AD group, right-click Remote Access Logging and choose Launch NPS. A better and more effective way to grant remote access is by using an Active Directory (AD) security group. The VPN server is configured to allow remote access only to users whose domain account dial-in properties are set to allow access, by default. Network Policy Server (NPS) Configuration Repeat this process for any additional DHCP servers and click OK.Ĭonfigure DHCP relay agent. To enable the internal DHCP server to provide IP address assignment for remote access clients, expand IPv4 and then right-click DHCP Relay Agent and choose Properties.Įnter the IP address of the DHCP server and click Add. “To support the relaying of DHCP messages from remote access clients, you must configure the properties of the DHCP Relay Agent with the IP address of your DHCP server.”ĭHCP Relay Agent configuration reminder. The RRAS configuration wizard will indicate that the DHCP relay agent must be configured for remote access clients. Review the configuration and click Finish. Use Routing and Remote Access to authenticate connection requests. Choose No, use Routing and Remote Access to authenticate connection requests and click Next. For the scope of this article, native Windows authentication using RRAS will be configured. The VPN server can authenticate users itself, or forward authentication requests to an internal RADIUS server. If the VPN server is to be deployed in a load-balanced cluster, IP addresses must be assigned to clients manually. Select the Internet-facing network interface. In addition, select the option to Enable security on the selected interface by setting up static packet filters and click Next. Select the network interface that is Internet-facing. Right-click the VPN server and choose Configure and Enable Routing and Remote Access.Ĭonfigure and enable Routing and Remote Access.Ĭlick Next, choose the Remote access (dial-up or VPN) option, and click Next. Open the Routing and Remote Access management console.
Install the VPN role using the Install-WindowsFeature PowerShell command. Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools To install the VPN role, enter the following command in an elevated PowerShell command window. Once the server is provisioned and joined to the domain, installing the VPN role is simple and straightforward. The server does not have to be joined to a domain, but it is recommended to streamline the authentication process for VPN clients and to provide better management and security for the server. For more information about configuring a multi-homed Windows server, click here. Without a default gateway on the internal network interface, static routes will have to be configured on the server to allow communication to any remote internal subnets. Only the external network interface is configured with a default gateway. A server with two network interfaces requires special attention to the network configuration. This configuration allows for a better security posture, as the external network interface can have a more restrictive firewall profile than the internal interface. The VPN server should be configured with two network interfaces one internal and one external. In addition, adding capacity is as easy as spinning up additional VMs, in most cases. The server can be deployed in existing virtual infrastructure and has no per-user licensing requirements. Cost Effective – A Windows Server 2012 R2-based VPN server costs significantly less than it does to deploy dedicated and proprietary VPN hardware.Windows system management is mature and well understood, and the server can be maintained using existing platforms, tools, and procedures.