Best Practices Analyzer for RRAS: Configuration

Applies To: Windows Server 2008 R2

The topics in this section can help you bring Routing and Remote Access Service (RRAS) that is running on Windows Server 2008 R2 into compliance with configuration best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of RRAS and who want information about how to interpret and resolve scan results that identify areas of RRAS that are noncompliant with configuration best practices.

Best Practices Analyzer and configuration rules

The Best Practices Analyzer applies configuration rules to identify settings that might require modification for RRAS to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent RRAS from carrying out its prescribed duties in an enterprise.

For more information about Best Practices Analyzer and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Topics in this section

• RRAS: The Routing and Remote Access server must be running

• RRAS: To support remote access connections, IPv4 or IPv6 Remote Access must be enabled on the RRAS server

• RRAS: Logging should be enabled on the RRAS server

• RRAS: At least one network interface should be enabled on the RRAS server

• RRAS: The network interface <adapter name> on the RRAS server should be enabled

• RRAS: At least one network interface on the RRAS server must be reachable

• RRAS: The network interface <adapter name> on the RRAS server should be reachable

• RRAS: To use RRAS server as an IPv4 router, IPv4 forwarding must be enabled

• RRAS: To use RRAS server as an IPv6 router, IPv6 forwarding must be enabled

• RRAS: IPv4 routing should be enabled on the RRAS server for routing protocols like DHCP Relay, RIP and IGMP to run

• RRAS: IPv6 routing should be enabled on the server for routing protocols like DHCP Relay to run

• RRAS: Number of ports for IKEv2, L2TP and SSTP should be greater than 0 and ports for PPTP should be greater than 1

• RRAS: The number of ports available for use by this tunneling protocol should be greater than 0

• RRAS: The IKE and AuthIP IPsec Keying Modules service is required to support L2TP/IPsec and IKEv2 tunnels

• RRAS: To use IKEv2 behind a NAT router, the certificate subject name must match the NAT address

• RRAS: To use SSTP behind a NAT router, the certificate subject name must match the NAT address

• RRAS: To use a demand-dial interface on the RRAS server, 'LAN and demand-dial routing' must be enabled on the server

• RRAS: Demand dial interface <interface name> should support encryption of the data

• RRAS: The IPv4 DHCP Relay Agent should be configured with at least one DHCP server

• RRAS: The IPv6 DHCPv6 Relay Agent should be configured with at least one DHCP server

• RRAS: At least one interface in the IPv4 DHCP Relay Agent must have 'Relay DHCP packets' enabled

• RRAS: At least one interface in the IPv6 DHCPv6 Relay Agent must have 'Relay DHCP packets' enabled

• RRAS: Only one certificate for IKEv2 should have IKE_INTERMEDIATE in its EKU property

• RRAS: If there are multiple valid certificates for SSTP then the preferred certificate should be specified

• RRAS: The subject name of the certificate to be used for IKEv2 or SSTP must match the name of the RRAS server or the IP address of the external interface of the RRAS server

• RRAS: If DHCP is used to allocate addresses to remote clients then specify the network adapter to be used to obtain DHCP addresses

• RRAS: Use authentication protocols that are considered more secure than PAP, CHAP, or MS-CHAPv2