Configure a Remote Access VPN Server

Applies To: Windows Server 2008

This topic explains the basic steps for configuring a remote access virtual private network (VPN) server using Server Manager, the Add Roles Wizard, and the Routing and Remote Access Server Setup Wizard. After you finish configuring a basic remote access VPN server, you can perform additional configuration tasks, depending on the way you want to use the remote access VPN server.

Before you begin

The following table lists the information that you need to know before you configure a remote access VPN server.

| Before adding a remote access/VPN server role | Comments |
| --- | --- |
| Determine which network interface connects to the Internet and which network interface connects to your private network. | During configuration, you will be asked to choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access VPN server will not operate correctly. |
| Determine whether remote clients will receive IP addresses from a Dynamic Host Configuration Protocol (DHCP) server on your private network or from the remote access VPN server that you are configuring. | If you have a DHCP server on your private network, the remote access VPN server can lease 10 addresses at a time from the DHCP server and assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN server can automatically generate and assign IP addresses to remote clients. If you want the remote access VPN server to assign IP addresses from a range that you specify, you must determine what that range should be. |
| Determine whether you want connection requests from VPN clients to be authenticated by a Remote Authentication Dial-In User Service (RADIUS) server or by the remote access VPN server that you are configuring. | Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients to your private network. For more information, see Network Policy Server Help. |
| Determine whether VPN clients can send DHCP messages to the DHCP server on your private network. | If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server is on a different subnet from your remote access VPN server, make sure that the router between subnets can relay DHCP messages between clients and the server. If your router is running Windows Server® 2008, you can configure the DHCP Relay Agent service on the router to forward DHCP messages between subnets. |
| Verify that all users have user accounts that are configured for dial-up access. | Before users can connect to the network, they must have user accounts on the remote access VPN server or in Active Directory® Domain Services. Each user account on a stand-alone server or a domain controller contains properties that determine whether that user can connect. On a stand-alone server, you can set these properties by right-clicking the user account in Local Users and Groups and clicking Properties. On a domain controller, you can set these properties by right-clicking the user account in the Active Directory Users and Computers console and clicking Properties. |
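
For domain accounts, the dial-in properties in the last prerequisite can be reviewed across the whole domain instead of one account at a time. The following PowerShell script is an added example, not part of the original topic; it reads the msNPAllowDialin attribute that stores the Network Access Permission setting and reports how many accounts are in each state, then lists disabled accounts that still carry an explicit Allow. It assumes PowerShell 2.0 or later, a domain-joined computer, and an account that can read user objects; the state names Allow, Deny and PolicyControlled are labels chosen for this example.

```powershell
# Added example. Assumes PowerShell 2.0+ on a domain-joined computer.
# msNPAllowDialin stores the Network Access Permission on the Dial-in tab:
#   TRUE    = Allow access
#   FALSE   = Deny access
#   not set = Control access through NPS Network Policy
function Get-DialInState($result) {
    # The attribute is missing from the result when it was never set.
    if (-not $result.Properties.Contains('msnpallowdialin')) {
        return 'PolicyControlled'
    }
    if ($result.Properties['msnpallowdialin'][0]) { return 'Allow' }
    return 'Deny'
}

# Search the current domain for user accounts, loading only what is needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500   # paged search, so large domains are not truncated
foreach ($name in 'samaccountname', 'msnpallowdialin', 'useraccountcontrol') {
    [void]$searcher.PropertiesToLoad.Add($name)
}

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $uac = 0
    if ($r.Properties.Contains('useraccountcontrol')) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
    }
    New-Object PSObject -Property @{
        Account  = [string]$r.Properties['samaccountname'][0]
        DialIn   = Get-DialInState $r
        Disabled = [bool]($uac -band 2)   # bit 0x2 = account disabled
    }
}
$results.Dispose()

# Summary: number of accounts in each dial-in state.
$report | Group-Object DialIn | Select-Object Name, Count | Format-Table -AutoSize

# Review list: explicit Allow left on accounts that are disabled.
$report |
    Where-Object { $_.DialIn -eq 'Allow' -and $_.Disabled } |
    Sort-Object Account |
    Format-Table Account, DialIn, Disabled -AutoSize
```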

Configuring your remote access VPN server

To configure a remote access VPN server, start the Add Roles Wizard by doing either of the following:

  • In the Initial Configuration Tasks window, under Customize This Server, click Add roles. By default, Initial Configuration Tasks starts automatically when you log on.

  • Open Server Manager by clicking Start, clicking Administrative Tools, and then clicking Server Manager. Then, under Roles Summary, click Add roles.

In the Add Roles Wizard, do the following:

  1. Click Next or click Select Server Roles.

  2. In the list of server roles, select Network Policy and Access Services. Click Next twice.

  3. In the list of role services, select Routing and Remote Access Services to select all the role services for Routing and Remote Access Services. You can also select individual role services.

  4. Proceed through the steps in the Add Roles Wizard to complete the installation.

Completing additional tasks

After you complete the steps in the Add Roles Wizard and complete configuration in Routing and Remote Access, your server is ready for use as a remote access VPN server.

The following table lists additional tasks that you might want to perform on your remote access/VPN server.

| Task | Purpose of task |
| --- | --- |
| Configure static packet filters. | To add static packet filters to better protect your network. |
| Configure services and ports. | To choose which services on your private network you want to make available for remote access users. |
| Adjust logging levels for routing protocols. | To configure the level of event details that you want to log. You can decide which information you want to track in your log files. |
| Configure the number of VPN ports. | To add or remove VPN ports. |
| Create a Connection Manager profile for your users. | To manage the client connection experience for your users and simplify troubleshooting client connections. |
| Add Active Directory Certificate Services (AD CS). | To configure and manage a certification authority (CA) on a server for use in a public key infrastructure (PKI). |
| Increase remote access security. | To protect your remote users and your private network by enforcing the use of secure authentication methods, requiring higher levels of data encryption, and more. |
| Increase VPN security. | To protect your remote users and your private network by requiring the use of secure routing and tunneling protocols, configuring account lockout, and more. |

For more information about these tasks, see https://go.microsoft.com/fwlink/?LinkId=89010.

Removing the remote access VPN server role

If you need to reconfigure your server for a different role, you can remove existing server roles. When you remove the remote access VPN server role, your server will no longer provide dial-up or VPN access for remote access clients. Remote users will not be able to connect to your private network, and the computers on your private network might not be able to connect to the Internet.

To remove the remote access VPN server role, first restart the Add Roles Wizard by doing the following:

  • Open Server Manager by clicking Start, clicking Administrative Tools, and then clicking Server Manager. Then, under Roles Summary, click Remove roles.

Then, in the Add Roles Wizard, remove the remote access VPN server role:

  • Advance to the Remove Server Roles page, click Network Policy and Access Services, click Next, click Remove, and then click Close. In the server restart confirmation dialog box, click Yes to restart your computer.

Additional references