In this video, Scott Burrell configures Windows Server 2016 to act as a Remote Access VPN server. The role is changed from NAT to a combination of NAT and VPN, and configured to allow authorized inbound connections. Plus, learn how to add a DHCP relay agent and grant local users access to the VPN gateway.
- [Instructor] Let's start this chapter off by setting up a remote access VPN gateway. Remember what we have accomplished so far and where we're going. We ultimately want a VPN tunnel that connects Boston to the corporate office, but we also want a VPN that will allow individual connections to occur through the Internet. This laptop represents any user authorized to access the VPN. For now we will configure it for Robert Robertson, the corporate VP of Operations.
In today's demonstration, the role of the Internet is being played by the 10.3.66 network, and you can see that both the gateway server and the laptop are connected to this Internet. So here we are on the same server that we used to configure NAT in the last chapter. And before we can configure this VPN side of routing, we need to confirm that our external interface has a static IP address. That wasn't all that important for NAT, but it will be important here because inbound requests over the Internet need to know our address every time.
And we can easily check that from Server Manager by clicking on Local Server. It will give us information about the configuration of our server, including the IP addresses of our network cards. If these had been assigned by DHCP, it would tell us. So we can see here that our outside IP address, 10.3.66.74, is statically assigned. It all looks good. So let's configure this VPN by going to the Tools menu and launching the Routing and Remote Access tool again.
The first thing you should notice when I right-click on the server to add features is that there is no menu option to add VPN, or to redo configuration of routing and remote access. We already configured routing and remote access as NAT only, and that isn't going to be good enough for us right now. So we're going to need to disable routing and remote access so we can configure it again the right way. Now this means we are going to take down some functionality, so plan this configuration.
Do this during a time when you can afford to have that service down, because we're about to take the entire network off the Internet. So now that we're in our maintenance window and no one needs access to the Internet, I'm going to click on Disable Routing and Remote Access. And I get this reminder that if I turn it off I'm losing this configuration and I'm going to have to set a new configuration. And yes, that's exactly what I want to do. So once these clocks go all the way around and the service is stopped, then we're ready to right-click on the server again and Configure and Enable so that we can set up both features.
So as I right-click and select Configure and Enable, it will launch the same wizard that we ran before. And this time, from the selection screen, we can select Virtual Private Network and NAT. And as we go through, pay attention to notifications you receive from Windows. If there's anything about your environment that isn't quite right yet, you'll be told during this process and you'll be given good instructions on how to take care of it. So I'm going to keep my eye out for that. As I move forward to the next screen I'm asked to identify, once again, which interface points to the Internet.
That is my outside interface. Once again, I'm glad that I renamed those to make them easy to recognize. Next, the configuration wizard asks how you want your inbound connections to get an IP address and function inside this private network. Remember, that laptop out on the Internet has an IP address for the Internet, but not for our private network. The VPN adapter or the connection through the tunnel will need an IP address on our private network. And we're going to assign that automatically using services that are already configured.
Now this wizard didn't see our DNS and DHCP server, but they are there, so I'm going to move forward saying that I will set them up. And I'm going to move forward through the wizard. This screen asks how the users are going to be authenticated. We have a chapter later on where we're going to go through RADIUS. And we're going to install and configure a RADIUS server so that another server can be responsible for authenticating connections through the VPN. But that's a little ways down the road.
For now, we're going to allow routing and remote access on this box to authenticate the connection requests. So as I get ready to complete this wizard, it gives me a summary of how I've answered the questions. As I select Finish, it will give me one of those prompts that I mentioned before, of something that needs to be configured. And it tells me right here that if I want to relay DHCP messages from my server in the private network to VPN connections, I'm going to need to add a DHCP Relay Agent with the IP address of my internal server.
So we'll do that just as soon as this service is configured and running. So I'll go ahead and click OK. And it will start the services with the new configuration, and that's it. Sort of. Don't forget that we still need to add that DHCP Relay Agent that we just read about. And that's easy enough to do. We can expand IP version four, and we can right-click on DHCP Relay Agent and we're going to select the Properties of that service. And from right here I can simply add the IP address of the DHCP server on my internal network.
And that is 172.16.0.10. Now we have a functioning VPN, as I apply this and click OK. The only thing that remains in this video is granting someone permission to use it. Now this server is not a member of the domain, so I'm going to need to use local user accounts to grant these permissions. So I'm going to open Windows Administrative Tools and I'm going to double-click on Computer Management.
In here I can expand Local Users and Groups and I can see the user accounts in my environment. Here we have Robert Robertson. I'm going to double-click his account so that I can see the Properties page. And I'm going to go to the Dial-in tab to give him the permissions necessary. Remember in the last chapter I mentioned that VPN evolved from connections over phone lines, and some of the same terminology and some of the same options remain. All that matters to us at this point is that Mr. Robertson is allowed access to dial-in.
So as I click Apply and OK, the server side of this configuration is done. In the next video, we'll take a look at the client side to confirm that it all worked.
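The video checks the gateway's prerequisites and end state by hand in Server Manager and the RRAS console. As an added example that is not part of the course, the PowerShell function below performs the same checks on the gateway itself: the external interface carries a manually assigned (not DHCP) IPv4 address, the Routing and Remote Access service is running, and the remote access VPN role reports as installed. It assumes the external adapter was renamed "Outside" (the video only says the interfaces were renamed) and takes the outside address 10.3.66.74 from the video.

```powershell
# Added example, not course material. Assumes the external NIC alias is
# "Outside" (assumption) and that the static outside address is 10.3.66.74
# (from the video). Run on the RRAS gateway in an elevated PowerShell session.
function Test-VpnGatewayConfig {
    param(
        [string]$ExternalAlias      = 'Outside',
        [string]$ExpectedExternalIP = '10.3.66.74'
    )

    $results = [ordered]@{}

    # 1. Inbound clients on the Internet must find the gateway at the same
    #    address every time, so the external IPv4 address has to be assigned
    #    manually. PrefixOrigin is 'Manual' for static and 'Dhcp' for leased.
    $ext = Get-NetIPAddress -InterfaceAlias $ExternalAlias -AddressFamily IPv4 `
                            -ErrorAction SilentlyContinue
    $results['ExternalAddressIsStatic'] = [bool]($ext | Where-Object {
        $_.IPAddress -eq $ExpectedExternalIP -and $_.PrefixOrigin -eq 'Manual' })

    # 2. After the disable / re-enable cycle the Routing and Remote Access
    #    service must be back up, or nothing (NAT or VPN) is being served.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $results['RrasServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

    # 3. The RemoteAccess module reports whether the remote access VPN role
    #    is installed. The cmdlet is only present once the role is on the box.
    $vpnInstalled = $false
    if (Get-Command Get-RemoteAccess -ErrorAction SilentlyContinue) {
        $ra = Get-RemoteAccess -ErrorAction SilentlyContinue
        $vpnInstalled = [bool]($ra -and $ra.VpnStatus -eq 'Installed')
    }
    $results['VpnRoleInstalled'] = $vpnInstalled

    [pscustomobject]$results
}

Test-VpnGatewayConfig
```

Any $false in the output points at the step of the wizard that still needs attention; the DHCP relay address (172.16.0.10) and the per-user dial-in permission are set in the console as the video shows.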