Export (0) Print
Expand All
5 out of 6 rated this helpful - Rate this topic

What's New in Remote Access in Windows Server 2012 R2

Published: August 21, 2013

Updated: August 21, 2013

Applies To: Windows Server 2012 R2

There are a number of new Remote Access server and client features in Windows Server® 2012 R2 and Windows® 8.1. The new server features include:

  • Multi-tenant Site-to-site VPN Gateway

  • Multi-tenant Remote Access VPN Gateway

  • Border Gateway Protocol (BGP)

  • Web Application Proxy

The new Windows 8.1 Remote Access client features include:

  • Auto-triggered VPN

  • Enhanced VPN Client PowerShell configuration

  • Enhanced VPN IPsec

  • Create and Edit VPN profiles in PC settings

With Windows Server 2012 R2, hosters can deploy multi-tenant Site-to-site (S2S) Gateways (GW) to provide cross-premises connectivity from networks at the tenant sites to virtual networks dedicated per tenant in the hoster’s network. The virtual network of the tenant could be built on top of Hyper-V Network Virtualization (HNV) or VLAN at the hoster. A single GW instance is capable of serving multiple tenants with overlapping IP address spaces, maximizing efficiency for the hoster as compared to deploying separate GW instance per tenant. The Routing and Remote Access (RRAS) GW is a software only solution that can be deployed in multiple instances of multi-tenant RRAS servers to balance the load.

With Windows Server 2012, hosters will able to allow transparent VPN access to virtual machines replicated in the cloud even after a failure when the entire site of the tenant goes down. Windows Server 2012 reduces the CAPEX and OPEX for hosters with a single RRAS Gateway that can service multiple tenants with overlapping IP address spaces. The RRAS GW is a software only solution that can be deployed in multiple instances of multi-tenant RRAS servers to balance the load.

Windows Server 2012 Border Gateway Protocol (BGP) enables dynamic distribution and learning of routes by site-to-site (S2S) interfaces of RRAS. This feature enables hosters (primarily Infrastructure as a service (IaaS) providers) to deploy BGP on multi-tenant RRAS S2S gateway, so that the gateway can learn what packets need to be routed to the Internet, tenant premises, and tenant virtual network at the hoster, and route them accordingly. RRAS gateway with BGP enabled can also be deployed by enterprises at their premises edge to distribute internal routes to other edge gateways (of the same enterprise in physical or virtual networks) over secure tunnels.

Web Application Proxy is a new Remote Access role service in Windows Server 2012 R2. Web Application Proxy provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Organizations can provide selective or conditional access to these web applications, according to organizational requirements. Web Application Proxy also provides built-in AD FS proxy capabilities. For more information, see Web Application Proxy Overview.

Auto-triggered VPN, or Application-triggered VPN, in Windows 8.1 allows pre-defined applications to automatically connect to corporate networks by opening a VPN connection when the application is started. You can define the applications you want to make available for auto-triggering and restrict remote access based on the user identity and the computer identity from which the user is accessing the resource. This provides a secure and reliable way of accessing corporate resources from various devices. For more information, see Windows Server 2012 R2 Test Lab Guide: Demonstrate VPN Auto trigger.

Windows 8.1 for x86, amd64, and ARM (Windows 8.1 RT) supports the inbox SSL VPN plugin from the following third party VPN vendors: Checkpoint Software Technologies Ltd, DELL SonicWall Inc., F5 Networks, Inc., and Juniper Networks, Inc. The 3rd party VPN plugin also supports a similar Windows PowerShell cmdlet to configure auto-triggered VPN. The VPN connection profiles can be configured for auto-triggered based on a DNS name or for an application by Windows PowerShell or Microsoft Mobile device Management.

Support for 3rd party VPN plugins is provided by the respective 3rd party VPN partners.

The following table provides links to documents from the respective 3rd party VPN partners


VPN Plugin Provider

Support Document


SonicWall Mobile Connect for Windows 8.1 User Guide


Windows In-Box Junos Pulse Client- Pdf - Link


BIG-IP APM Client Compatibility MatrixlConfiguration Notes: Inbox F5 VPN Client for Microsoft Windows 8.1


Check Point Mobile VPN for Windows 8.1 Release Notes

Check Point Mobile VPN for Windows 8.1 Administration Guide

Advanced VPN configuration support in Windows Windows 8.1 enables use of a single set of VPN configuration PowerShell cmdlets to configure the VPN connections instead of using multiple scripts. This feature also helps with better Microsoft Mobile Device Management allowing all the required settings from the server to be pushed out to users without executing any additional scripts.

Enhanced IPsec in in Windows 8.1 allows Suite-B cryptography standards, or other custom cryptography configurations for IPSec based tunnels. VPN clients can be configured to use these standards and configurations with easy-to-use PowerShell cmdlets. And it also allows you to decide which client certificate is selected for any particular VPN connection.

In Windows 8, creating or editing VPN profiles had to be done in the Desktop view. Now, in Windows 8.1, you can create and edit VPN connection profiles in PC Settings rather than going to the Desktop and navigating through a number of menus. This new VPN profile editing experience is optimized for touch screens and simplified. Advanced properties can still be accessed through the desktop when they are needed.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft. All rights reserved.