[This post comes to us courtesy of Md. Sabir Chandwale and Rituraj Choudhary from Global Business Support]
In this post we will discuss about Virtual Private Network feature on Windows Server 2012 R2 Essentials.
Virtual Private Network can be straightforwardly installed and configured on a Windows Server 2012 R2 Essentials by running the Set up Anywhere Access wizard and selecting Virtual Private Network (VPN) option on the following screen.
When you choose to enable VPN using this wizard, the following roles/features get installed on the Essentials Server: Remote Access, DirectAccess and VPN (RAS), IP and Domain Restrictions, IIS Management Scripts and Tools, Network Policy and Access Services Tools, and Windows Internal Database setup.
You can also enable these roles/features from the Server Manager or PowerShell command-lets, however on Windows Server Essentials we recommend enabling it using the Set up Anywhere Access wizard.
It’s noteworthy that Windows Server 2012 R2 Essentials allows client machines to join their server without having to be inside the company network using a feature called Remote Domain Join. So, if VPN is enabled on Server Essentials, you may connect a remote client to the local network via VPN, run the Connect wizard from or http://domainname URL and join the remote client to the server. The process is very simple and straightforward.
As a prologue to discuss some common issues with VPN on Windows Server 2012 R2 Essentials, let us first glance through the default Routing and Remote Access (RRAS) settings. You may also find the specifics about these settings on TechNet.
Note: Server Essentials automatically manages the routing for VPN, and therefore Routing and Remote Access (RRAS) UI is hidden on the server to prevent tampering of RRAS settings. As a result, to view, change or troubleshoot the Remote Access settings, you need to install Remote Access GUI and Command-Line Tools using Server Manager or the following PowerShell command:
Add-WindowsFeature RSAT-RemoteAccess-Mgmt
This feature enables Routing and Remote Access console and respective command-line tools to manage VPN and DirectAccess. Note that this role may not be required on the server unless you need to change the settings for VPN or DirectAccess.
Default Settings of VPN on Windows Server 2012 R2 Essentials
To check the default settings for the VPN, open Routing and Remote Access Manager. Right click server name, and select Properties.
On the General tab, IPv4 must be enabled:
The Security tab consists of the Authentication Methods… and SSL Certificate Binding:
The Authentication Methods should have Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) enabled. You can confirm it by clicking the Authentication Methods… button on the Security tab.
The SSL Certificate Binding section on the Security tab displays the certificate active for VPN. This also indicates that we enable VPN on SSL and that you do not have to allow any port other than port 443.
Let’s move on to the IPv4 tab. By default the VPN clients are set to receive IP from DHCP, but you may require to change it to a Static address pool for troubleshooting purposes.
On the IPv6 tab, the options Enable IPv6 Forwarding and Enable Default Route Advertisement are selected by default.
The IKEv2 tab consists of the default options to control the IKEv2 client connections and Security Association expiration.
The PPP tab contains the settings for Point-to-Point protocol and are as follows:
The Logging tab on the server properties page contains the level of logging enabled for Routing and Remote Access.
To enable additional logging for the Routing and Remote Access, select the option Log additional Routing and Remote Access information. Once this option is selected additional log files are created in the %windir%\Tracing directory that provide deeper insight to troubleshoot RRAS issues. Make sure to disable the additional logging once the troubleshooting is complete.