Wednesday, August 13, 2014

3. Configure network services and access 3.3 Configure VPN and routing

3.3.1 Install and configure the Remote Access role
Installing the Remote Access role provides several Routing and Remote Access (RRAS) options:
VPN: Virtual Private Network - client to server and site to site.
DRAS: Dial-up Remote Access Server
NAT: Network Address Translation
Basic router functionality
Web Application Proxy (R2)

Install from Add Roles and Features Wizard:
Add server role: Remote Access(RemoteAccess)
Under role services you can specify any of the sub-feature options:
DirectAccess/VPN(DirectAccess-VPN)
Routing(Routing)
Web Application Proxy(Web-Application-Proxy)

Installing Routing will also install DirectAccess-VPN. Installing DirectAccess-VPN does not install Routing.

In addition, installing the Routing and/or DirectAccess-VPN role services on R2 will also install IIS (Web-Server) and a number of its sub-components, as well as the Windows Internal Database (WID). If you include management tools, Web-Mgmt-Console will also be installed.
Including the management tools with any of the role services will also install Group Policy Management Console (GPMC), Connection Manager Administration Kit (CMAK), RSAT-RemoteAccess, RSAT-RemoteAccess-Mgmt, and RSAT-RemoteAccess-PowerShell.

After installing one or more role services, you can run the configuration wizard from Server Manager, or open the Remote Access Management Console and run the wizard from there.
Run the Remote Access Management Console from Server Manager under "Remote Access Management Console" (RAMgmtUI.exe).

DirectAccess and VPN/Routing - Two wizards are presented:
           Getting Started Wizard - configures with default recommended settings
           Remote Access Setup Wizard - configure with custom settings

With either wizard, you have the option to deploy DirectAccess, VPN, or both.
Note that configuring VPN/NAT opens the Routing and Remote Access MMC snap-in (rrasmgmt.msc).
You can also launch RRAS Management from the right-hand side of the Remote Access Management Console under VPN/Open RRAS Management, or launch it from the command line using rrasmgmt.msc.

Web Application Proxy also has its own configuration wizard.

Powershell:
Install all features:
install-windowsfeature remoteaccess -includeallsubfeature -includemanagementtools
Install routing and directaccess/vpn:
install-windowsfeature routing -includemanagementtools
Install only directaccess/vpn:
install-windowsfeature directaccess-vpn -includemanagementtools
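The dependency behaviour described above (Routing pulling in DirectAccess-VPN, and both pulling in IIS components and WID on R2) is easy to check rather than take on faith. The following is an added example, not code from the original post: it installs the requested role service and reports exactly which other features appeared as a side effect. It assumes Windows Server 2012 R2 with the ServerManager module available.

```powershell
# Added example (not from the original post): install one Remote Access role
# service and report the features that were pulled in as dependencies, so the
# side effects (IIS sub-components, WID, RSAT tools) can be verified on the box.
# Assumes Windows Server 2012 R2 with the ServerManager module.
function Install-RemoteAccessWithReport {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RemoteAccess', 'DirectAccess-VPN', 'Routing', 'Web-Application-Proxy')]
        [string]$Feature,
        [switch]$IncludeManagementTools
    )

    # Snapshot of the installed feature names before the change.
    $before = Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name

    $params = @{ Name = $Feature }
    if ($IncludeManagementTools) { $params['IncludeManagementTools'] = $true }
    $result = Install-WindowsFeature @params

    if (-not $result.Success) {
        throw "Install of $Feature failed with exit code $($result.ExitCode)"
    }

    # Snapshot again and diff: anything only present in $after was installed now.
    $after = Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name
    $added = Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject

    [pscustomobject]@{
        Requested      = $Feature
        RestartNeeded  = $result.RestartNeeded
        NewlyInstalled = $added
        # Flag the two dependencies the notes call out: any Web-* feature, and WID.
        InstalledIIS   = [bool]($added -match '^Web-')
        InstalledWID   = 'Windows-Internal-Database' -in $added
    }
}

# Usage: Install-RemoteAccessWithReport -Feature Routing -IncludeManagementTools
```

Run it once with `-Feature DirectAccess-VPN` and once with `-Feature Routing` on two clean servers and the NewlyInstalled lists show the difference the notes describe; on 2012 (non-R2) the InstalledWID flag should come back false.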




Extra Note: The full set of web-server features that are installed with Routing and DirectAccess-VPN includes Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-IP-Security, Web-Mgmt-Tools, and Web-Scripting-Tools.
Note that this only applies to R2, as 2012 only installed Web-IP-Security and also did not install WID. 

Extra Note: R2 adds router BGP support for multi-tenant deployments. This is configurable via Powershell only.

3.3.2 implement Network Address Translation (NAT)
Requires at least 2 network interfaces. Routing should be installed.

In the RRAS Management snap-in, right click the Server and select either of the NAT wizards, or just custom configuration as in the following example.

After clicking custom configuration and Next, choose NAT, then Next. Click Finish and the service will start. Note that if Routing is not installed, you can do this step but you will not see NAT in the list of options under IPv4 in the next step.

Expand the tree from the RRAS server in the RRAS snap-in to IPv4. Right click NAT and select "New Interface" to configure an interface that will participate in NAT. If the interface faces the internal network, choose Private Interface. Otherwise, choose Public Interface and, if you want to do NAT translation on this interface, choose Enable NAT.

Once you have at least one public interface and one private interface, any packets that arrive on the private interface are sent out the public interface with their source translated to the public interface's IP.

By right clicking on the public interface, you can use "Show mappings" to view current NAT mappings. By selecting Properties, you can click on the "Address Pool" tab to add a pool of addresses that can be used by internal computers, with the option to reserve some of those IPs for private computers as a 1-to-1 mapping using the "Reservations" button. You can also set up port redirection from the outside public interface on the "Services and Ports" tab. This allows you to redirect ports on the interface IP or address pool to an internal private server, such as a web server.
 
The DHCP allocator and DNS Proxy are for simple SOHO deployments. DHCP allocator is a very simple DHCP server for a single scope of addresses. DNS proxy will act as a simple DNS server to forward requests from the internal network.


Extra Note: When an address pool is configured on a public interface, outbound requests will use each public address unless otherwise reserved for 1-to-1 mapping.

Extra Note: On 2012, I have not found a way to add NAT after an RRAS server has been initially configured without it, unless you disable and reconfigure.

Extra Note: In R2, there is a new PowerShell module, "NetNat", with cmdlets that appear to be for setting up NAT. However, these are for the new multi-tenant VPN feature for setting up NAT with an NVGRE network, and are not related to the RRAS NAT feature.

3.3.3 configure VPN settings
http://technet.microsoft.com/en-us/library/dd469817%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/dd469733.aspx

Types of VPN scenarios:
Client to Server - Clients connect to RRAS server to get on the network.
Site-to-Site - Two VPN servers create a connection to each other.
 
VPN protocols supported by RRAS:
Point-to-Point Tunneling Protocol (PPTP) - uses TCP for tunnel management and encapsulates PPP datagrams in GRE. Microsoft encrypts via Microsoft Point-to-Point Encryption (MPPE) using MS-CHAPv2 or EAP-TLS. PPTP uses TCP port 1723 and IP protocol 47 (GRE).

Layer 2 Tunneling Protocol (L2TP) with IPsec - L2TP encapsulates in UDP over port 1701. IPsec is first used to set up a secure channel using IKE on UDP port 500 via shared key or certificate, then sets up the tunnel and encapsulates the L2TP datagrams using ESP (IP protocol 50). UDP port 4500 may be used for IPsec NAT traversal. Encryption is either AES or 3DES.

IKEv2 - encapsulates using IPsec. IPsec sets up a secure channel using IKE on UDP port 500 (or 4500) via shared key or certificate, then sets up the tunnel using ESP (IP protocol 50). UDP port 4500 may be used for IPsec NAT traversal. Encrypted with one of AES 256, AES 192, AES 128, or 3DES. It supports MOBIKE and VPN Reconnect. Supported on Windows 7, Windows 2008 R2, and newer versions.

SSTP - encapsulates PPP datagrams over SSL (port 443) and is encrypted via SSL. Note that SSTP is not configurable for site-to-site VPN connections.
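The port and protocol list above is what a packet filter on the internet-facing interface has to allow, and nothing more: a server that only offers IKEv2 and SSTP has no reason to accept TCP 1723 or GRE. The following is an added example, not code from the original post, showing one way to express that as Windows Firewall rules with the NetSecurity module (Windows Server 2012 and later). The rule display names and the default profile are my own choices.

```powershell
# Added example (not from the original post): create inbound Windows Firewall
# rules for only the tunnel types this RRAS server offers, using the ports and
# IP protocol numbers listed in the notes. Assumes the NetSecurity module.
function Enable-VpnFirewallRules {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PPTP', 'L2TP', 'IKEv2', 'SSTP')]
        [string[]]$TunnelType,
        [string]$FirewallProfile = 'Public'   # profile of the internet-facing interface
    )

    # Port/protocol requirements per tunnel type, taken from the protocol notes.
    # Protocol may be 'TCP', 'UDP' or an IP protocol number (47 = GRE, 50 = ESP).
    $rules = @{
        PPTP  = @(
            @{ Name = 'RRAS PPTP (TCP 1723)';        Protocol = 'TCP'; LocalPort = 1723 },
            @{ Name = 'RRAS PPTP GRE (IP 47)';       Protocol = 47 }
        )
        L2TP  = @(
            @{ Name = 'RRAS L2TP (UDP 1701)';        Protocol = 'UDP'; LocalPort = 1701 },
            @{ Name = 'RRAS IKE (UDP 500)';          Protocol = 'UDP'; LocalPort = 500 },
            @{ Name = 'RRAS IKE NAT-T (UDP 4500)';   Protocol = 'UDP'; LocalPort = 4500 },
            @{ Name = 'RRAS ESP (IP 50)';            Protocol = 50 }
        )
        IKEv2 = @(
            @{ Name = 'RRAS IKE (UDP 500)';          Protocol = 'UDP'; LocalPort = 500 },
            @{ Name = 'RRAS IKE NAT-T (UDP 4500)';   Protocol = 'UDP'; LocalPort = 4500 },
            @{ Name = 'RRAS ESP (IP 50)';            Protocol = 50 }
        )
        SSTP  = @(
            @{ Name = 'RRAS SSTP (TCP 443)';         Protocol = 'TCP'; LocalPort = 443 }
        )
    }

    foreach ($type in $TunnelType) {
        foreach ($r in $rules[$type]) {
            # Idempotent: L2TP and IKEv2 share the IKE and ESP rules, so skip
            # any rule that already exists under the same display name.
            if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }

            $params = @{
                DisplayName = $r.Name
                Direction   = 'Inbound'
                Action      = 'Allow'
                Profile     = $FirewallProfile
                Protocol    = $r.Protocol
            }
            if ($r.ContainsKey('LocalPort')) { $params['LocalPort'] = $r.LocalPort }

            New-NetFirewallRule @params | Out-Null
            Write-Verbose "Created rule '$($r.Name)'"
        }
    }
}

# Usage: allow only IKEv2 and SSTP; nothing is opened for PPTP or L2TP.
# Enable-VpnFirewallRules -TunnelType IKEv2, SSTP -Verbose
```

The function is driven by the tunnel types you pass, so the set of open ports matches what is actually configured in RRAS; re-running it is safe because existing rules are skipped by display name.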

GUI install:
There are multiple ways to configure VPN functionality on the RRAS server. In the RRAS Management snap-in, right click the server and select one of the VPN options: "Remote access", "Virtual private network access and NAT", "Secure connection between two private networks", or just use a custom configuration and select VPN, as well as dial-up access and/or demand-dial as needed.

If you want to disable VPN after using the wizard, right click the server in the RRAS MMC snap-in, select Properties, and uncheck "IPv4 Remote access server".

Powershell:
Configure only the VPN feature: 
install-remoteaccess -vpntype vpn 

Client-to-Server. Configuring Servers.
The minimum configuration for clients to connect to your RRAS server is to select custom configuration and then VPN.

Using the "Remote access (dial-up or VPN)" wizard:
Check VPN.
Select the interface that faces the internet and will be used for incoming VPN connections.
 (Note that configuring this does not specifically prevent other interfaces from being used as VPN endpoints, unless otherwise firewalled/filtered.)
If you check "Enable security on the selected interface by setting up static packet filters", the wizard will set up filters on that interface allowing only the ports needed for VPN.
Next, select an interface for a network that VPN clients can use for addresses.
(Note that this interface will be used to obtain DHCP addresses for the VPN clients, and will not necessarily limit clients to accessing only this interface.)
Select whether DHCP will be used to assign IPs to the clients, or add a range of addresses that clients can use. The next option is to decide whether to use RADIUS authentication.

Custom configuration:
To create a similar configuration as using the wizard above:
Static packet filters:
In the RRAS MMC snap-in, expand IPv4, General, then right click on the interface. On the General tab, add applicable filters under Inbound Filters.

To configure which interface to use for DHCP or to configure static addresses, right click on the RRAS server and select Properties, then click the IPv4 tab. If you choose DHCP, you can also choose which interface to use to obtain DHCP addresses from. This setting assigns addresses to both server and client VPN interfaces, unless the client is otherwise configured with a static IP (for example, through dial-in settings).

View connected clients:
Under the RRAS server, click on Remote Access Clients.
You can also sort the Ports view by Active to see which ports are in use.

Powershell:
get-remoteaccessconnectionstatistics
get-remoteuseractivity 'rrasserver\clientuser'
disconnect-vpnuser 'rrasserver\clientuser'
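The three cmdlets above are enough to build a small watch routine for the server: list the current connections, pick out the ones that have been up too long or moved an unusual amount of data, and optionally drop them. The following is an added example, not code from the original post. It assumes the 2012 R2 RemoteAccess module, and the property names it reads from Get-RemoteAccessConnectionStatistics (UserName, ClientExternalAddress, ClientIPAddress, ConnectionStartTime, TotalBytesIn, TotalBytesOut) are my assumption; confirm them with Get-Member on your own server. The thresholds are my own choices.

```powershell
# Added example (not from the original post): report VPN sessions that exceed a
# duration or data-volume threshold, and optionally disconnect them.
# Assumes the RemoteAccess module on 2012 R2. The property names read from the
# statistics object are assumed; verify with:
#   Get-RemoteAccessConnectionStatistics | Get-Member
function Get-LongRunningVpnSession {
    param(
        [timespan]$MaxDuration = (New-TimeSpan -Hours 12),
        [long]$MaxBytes = 5GB,
        [switch]$Disconnect
    )

    $now = Get-Date
    foreach ($s in (Get-RemoteAccessConnectionStatistics)) {
        $duration = $now - [datetime]$s.ConnectionStartTime
        $total    = [long]$s.TotalBytesIn + [long]$s.TotalBytesOut

        $tooLong = $duration -gt $MaxDuration
        $tooMuch = $total -gt $MaxBytes
        if (-not ($tooLong -or $tooMuch)) { continue }

        $reason = if ($tooLong) { 'duration' } else { 'volume' }

        # Emit one record per flagged session so the caller can pipe to Format-Table
        # or Export-Csv for the incident record.
        [pscustomobject]@{
            UserName        = $s.UserName
            ExternalAddress = $s.ClientExternalAddress
            TunnelAddress   = $s.ClientIPAddress
            Duration        = $duration
            TotalBytes      = $total
            Reason          = $reason
        }

        if ($Disconnect) {
            # Same cmdlet as in the notes; the user name is in the form shown there.
            Disconnect-VpnUser -UserName $s.UserName
        }
    }
}

# Usage, report only:
# Get-LongRunningVpnSession | Format-Table -AutoSize
# Report and drop the flagged sessions:
# Get-LongRunningVpnSession -Disconnect
```

Run it without `-Disconnect` first and look at the output before letting it terminate sessions; Get-RemoteAccessUserActivity on a flagged user name gives the per-session detail for anything that looks odd.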

Client-to-Server. Configuring Clients.
In Windows 8 or 2012, you configure clients by going to "Network and Sharing Center" in Control Panel and choosing "Set up a new connection or network".

Split-Tunnel configuration:
By default the client will route all traffic through the VPN connection. You can change this behavior in the client's VPN connection properties: go into the Network and Sharing Center on the client, click the VPN connection, click Properties, open the Networking tab, open Properties for IPv4 or IPv6, click Advanced, and uncheck "Use default gateway on remote network".


Site-to-Site configuration:
A minimum configuration for a site-to-site vpn connection requires only selecting custom configuration and then VPN and demand-dial.


In the RRAS MMC, click "Network Interfaces". Right click the view and select "New demand-dial interface". 
Enter the remote server name as "Interface Name".
Select "Connect using VPN". Select type of VPN, for example "PPTP".
Enter IP address of remote server.
"Route IP Packets" should be checked. If this server will only dial the remote server, and not vice versa, then you do not need to select "Add a user account" (Optional: you can manually set up a user account later).
Add a static route for the remote network. (Optional: you can setup routing later as needed).
Dial-out credentials: You have to put this in, but it is only needed if this server will call the remote server.

Note: If using a local account on the remote server, set the DOMAIN to the remote server name.

From the dialing server - right click the "Network Interface" and Connect.

You can change credentials by right clicking the server and selecting "Set Credentials".

Demand-Dial vs. Persistent:
You can configure a connection to only come up and connect when it receives traffic destined for certain networks. In Properties, on the Options tab, make sure Demand-dial is selected. You can also decide how long the connection stays idle before it closes. Right click on the interface connection and select "Set IP Demand-dial filters". Here you can decide what traffic will start the connection.

For a persistent connection, you only need to select "Persistent connection" in Properties/Options tab. Now the connection will stay up once connected.


Extra Note: Use "netsh ras diag set trace enable" to turn on detailed logging, which is stored in %systemdrive%\tracing. Turn off logging with "netsh ras diag set trace disable".
Extra Note: The default dial-in setting for a user in 2012 is "Control access through NPS Network Policy". However, if you let the demand-dial interface wizard create a user for you, it will set the dial-in setting to "Allow Access" for that user.

3.3.4 configure remote dial-in settings for users
You can configure some specific dial-in settings for users by using the "Dial-in" tab in the user's properties. For local users this is under Local Users and Groups in Computer Management; for domain users it is in Active Directory Users and Computers (ADUC).

Network Access Permission: Determines if this user can remotely connect to this server. Allow, Deny, or Control Access through NPS Network Policy. The default setting is "Control Access through NPS Network Policy".
Note that NPS can override this setting.

Verify Caller-ID:
Device(s) must support caller-id and caller's id must match this setting if checked and filled out.

Callback Options:
No Callback, Set by Caller (RRAS only), Always callback to ____. Default is No Callback

Assign Static IP Addresses:
Defaults to assigning these IP(v4 and/or v6) addresses to this user's connections

Apply Static Routes:
Can be used to define static routes when using a one-way on-demand dialer. This is not meant to set up routes for a single user/client.

Extra Note: The use of the "Apply Static Routes" setting is fairly confusing. See the following articles for more information: http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc736311%28v=ws.10%29.aspx


3.3.5 configure routing
Viewing the route table in RRAS - right click Static Routes under IPv4 or IPv6 and select "Show IP Routing Table". From the command line:
route print
get-netroute

Static routes:
In RRAS, right click the Static Routes and select "New static route"
Select which interface this route will go out.
Enter the destination, network mask, gateway, and metric.
Note: static routes added through RRAS are persistent by default, in that they will be re-added to the routing table automatically when the service starts, and removed if it is stopped.

route add -p 192.168.101.0 mask 255.255.255.0 10.0.0.1
new-netroute -destinationprefix '192.168.101.0/24' -interfacealias 'ethernet' -nexthop '10.0.0.1'

route change 192.168.101.0 mask 255.255.255.0 10.0.0.2
set-netroute -destinationprefix '192.168.101.0/24' -nexthop '10.0.0.2'

route delete 192.168.101.0
remove-netroute -destinationprefix '192.168.101.0/24'
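Wrapping the NetTCPIP cmdlets above in a function makes the add idempotent and lets you confirm that the route really landed in both the running table and the persistent store, which is the distinction the `-p` flag on route add makes. The following is an added example, not code from the original post; the addresses are constructed sample values and the interface alias 'Ethernet' is assumed.

```powershell
# Added example (not from the original post): add a static route only if no
# route to that prefix exists, then confirm it from both the active and the
# persistent store. Sample addresses are constructed; the alias is assumed.
function Add-PersistentStaticRoute {
    param(
        [Parameter(Mandatory)][string]$DestinationPrefix,   # e.g. '192.168.101.0/24'
        [Parameter(Mandatory)][string]$NextHop,             # e.g. '10.0.0.1'
        [string]$InterfaceAlias = 'Ethernet',
        [int]$RouteMetric = 10
    )

    # Do not silently add a second route to the same prefix; report the existing one.
    $existing = Get-NetRoute -DestinationPrefix $DestinationPrefix -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Route to $DestinationPrefix already exists via $($existing.NextHop -join ', ')"
        return $existing
    }

    # New-NetRoute stores the route persistently by default (unlike route add
    # without -p); the verification below confirms that rather than assuming it.
    New-NetRoute -DestinationPrefix $DestinationPrefix -InterfaceAlias $InterfaceAlias `
        -NextHop $NextHop -RouteMetric $RouteMetric | Out-Null

    [pscustomobject]@{
        Destination = $DestinationPrefix
        NextHop     = $NextHop
        Active      = [bool](Get-NetRoute -DestinationPrefix $DestinationPrefix `
                                -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
        Persistent  = [bool](Get-NetRoute -DestinationPrefix $DestinationPrefix `
                                -PolicyStore PersistentStore -ErrorAction SilentlyContinue)
    }
}

# Usage (constructed sample addresses):
# Add-PersistentStaticRoute -DestinationPrefix '192.168.101.0/24' -NextHop '10.0.0.1'
```

If Active comes back true and Persistent false, the route will vanish at the next reboot, which is exactly the case the verification is there to catch.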

RIP configuration:
In RRAS management, expand IPv4 under the RAS server. Choose "New Routing Protocol", then "RIP Version 2 for Internet Protocol".
On RIP menu or in view, right click and select "New Interface". Select an interface that will carry RIP advertisements.

General tab:
Operation mode:
  Auto-static update mode - updates are sent only when another router requests them. Learned routes are marked as static.
  Periodic update mode - updates are sent out at intervals set by the "Periodic announcement interval" (default 30 seconds).

Outgoing packet protocol:
RIP 1 broadcasts, RIP 2 broadcasts
RIP 2 multicast - sent on 224.0.0.9
Silent RIP - router will not send out advertisements on this interface, but will listen and record routes.

Incoming Packet Protocol - which advertisements to accept on this interface
RIP 1, RIP 2, RIP v1 & 2, Ignore RIP advertisements

Added cost for route - This number is added to a route for path cost purposes. Higher is worse.

Tag for announced routes - can be used to distinguish RIP routes from other routing protocols

Security tab:
This tab can be used to filter outgoing and incoming routes

Neighbors tab -
neighbors can be configured for unicast advertisements. You can configure the interface to advertise using broadcast/multicast, both neighbors and broadcast/multicast, or neighbors(unicast) only.

Advanced tab:
Periodic announcement interval - default 30 seconds
Time before routes expire - default 180 seconds
Time before route is removed - default 120 seconds. After expiration, the route remains in the routing table for this time so neighbors can be notified that the route is no longer valid.
 
Enable split-horizon - To prevent loops, routes learned from Neighbor A are not sent back to neighbor A
Enable poison-reverse - better prevention of loops at the cost of larger advertisements: routes learned from Neighbor A are sent back to A with the infinity metric (16).
Enable triggered updates -  Changes in the routing table are sent immediately
Send clean-up updates when stopped - when stopped, router sends advertisements to let other routers know that it is no longer valid for those routes.

Process host routes - handle incoming host route announcements
Include host routes - include host routes in outgoing announcements
Process default routes - accept default routes (0.0.0.0)
Include default routes - include the default route in outgoing announcements
Disable subnet summarization - summarization combines subnets into supernets to make advertisements smaller.

Extra Note: RIP advertisements are sent over UDP port 520. RIPv2 adds optional multicast, the subnet mask in advertisements (CIDR), route tagging, and simple password authentication.

3.3.6 (R2) configure web application proxy in passthrough mode 
http://technet.microsoft.com/en-us/library/dn383639.aspx

Web Application Proxy replaces the functionality of ADFS Proxy 2.0.  Installing Web Application Proxy requires having an ADFS server and a certificate for the ADFS server, as well as a certificate for each application that will be published.

Pass-through applications do not require authentication to ADFS, although the application on the back end may require its own authentication.

On an already installed Web Application Proxy server, configuring an application in pass-through mode is done in the Remote Access Management Console (RAMgmtUI.exe), which is accessible from Server Manager.
Select Configuration, Web Application Proxy.
Click Publish.
Select preauthentication method: Pass-through.
Publishing Settings - enter a name, external URL, external certificate, and backend server (internal) URL.

PowerShell:
See the link above for an example. The cmdlet is Add-WebApplicationProxyApplication with -ExternalPreauthentication PassThrough, plus the same name, external URL, external certificate thumbprint, and backend server URL that the wizard asks for:
Add-WebApplicationProxyApplication -ExternalPreauthentication PassThrough
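Pulling the four wizard inputs together into one call, with the certificate looked up by subject instead of pasting a thumbprint, is the following added example; it is not code from the original post or from the linked TechNet page. The application name, URLs and certificate subject are placeholder values, and it assumes a server that is already configured as a Web Application Proxy with the WebApplicationProxy module (2012 R2).

```powershell
# Added example (not from the original post): publish a pass-through application
# through Web Application Proxy and return the published object for review.
# Names, URLs and the certificate subject are placeholders. Assumes a server
# already configured as a Web Application Proxy (2012 R2).
function Publish-PassThroughApp {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ExternalUrl,         # e.g. https://portal.example.com/
        [Parameter(Mandatory)][string]$BackendUrl,          # e.g. https://portal.corp.example.com/
        [Parameter(Mandatory)][string]$CertificateSubject   # CN of the external certificate
    )

    # Find the external certificate in the computer store: must match the
    # subject, must carry a private key, and prefer the one expiring latest.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CertificateSubject*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with a private key found for CN=$CertificateSubject"
    }

    # Refuse to publish twice under the same name.
    if (Get-WebApplicationProxyApplication -Name $Name -ErrorAction SilentlyContinue) {
        throw "An application named '$Name' is already published"
    }

    # Pass-through: no ADFS preauthentication; the backend does its own auth.
    Add-WebApplicationProxyApplication -Name $Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $ExternalUrl `
        -ExternalCertificateThumbprint $cert.Thumbprint `
        -BackendServerUrl $BackendUrl

    # Return the published application so the settings can be checked.
    Get-WebApplicationProxyApplication -Name $Name
}

# Usage (placeholder values):
# Publish-PassThroughApp -Name 'Intranet portal' `
#     -ExternalUrl 'https://portal.example.com/' `
#     -BackendUrl 'https://portal.corp.example.com/' `
#     -CertificateSubject 'portal.example.com'
```

Because pass-through skips ADFS, the returned object is worth reading back: it shows that the external URL, backend URL and certificate are what you intended before anything on the internet can reach the backend through the proxy.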