Checklist: Installing and Configuring an RRAS VPN Server

Applies To: Windows 7, Windows Server 2008 R2

Task Reference

Review key concepts.

Virtual Private Networking

Gather required information.

Requirements for Installing RRAS as a VPN Server

Configure TCP/IP on the network adapters of the RRAS server.

Configure TCP/IP on the RRAS Server

Install RRAS.

Install RRAS

Enable RRAS and configure it as a VPN server.

Enable RRAS as a VPN Server

If your RRAS server is behind a perimeter firewall, or is running a host-based firewall such as Windows Firewall with Advanced Security, then configure the required firewall rules to permit virtual private network (VPN) network traffic through the firewall to the RRAS server.

Configure a Firewall for VPN Traffic

If your RRAS server is not behind a perimeter firewall, and is not running a host-based firewall such as Windows Firewall with Advanced Security, then configure static packet filters to permit only the required VPN network traffic to the RRAS server.

Configure Static Packet Filters

Configure the types of VPN connections and the number of each type that your VPN server supports.

Configure Ports for Remote Access

Specify either DHCP or configure a static pool of IP addresses for VPN clients.

Configure the Way RRAS Assigns IP Addresses to VPN Clients

If you are using DHCP to supply IP addresses to remote clients, and the DHCP server is not located on the same IP subnet as the RRAS server, then configure a DHCP relay agent that forwards broadcast DHCP requests and responses through routers to the DHCP server.

Configure the IPv4 DHCP Relay Agent

Configure the IPv6 DHCP Relay Agent

If you are using Network Policy Server (NPS) to centrally manage policies for your RRAS servers, then configure dial-in properties and network policies for dial-in permission, authentication, and encryption settings.

See "Checklist: Configure NPS for Dial-Up and VPN" in Network Policy Server Help.

Adjust logging levels for RRAS and for each routing protocol.

Configure Logging Levels for RRAS

(Optional) Create a Connection Manager profile to manage the client connection experience for your users and simplify troubleshooting client connections.

Connection Manager Administration Kit (https://go.microsoft.com/fwlink/?linkid=136440)

If your RRAS configuration requires any certificates for authentication, for example, when you use Internet Key Exchange version 2 (IKEv2) or Secure Socket Tunneling Protocol (SSTP)-based VPN connections, then you must have a source for the certificates. Install Active Directory Certificate Services (AD CS) on a server on your network as an alternative to purchasing certificates from third-party root certification authorities (CAs).

Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=136444)

To support SSTP or IKEv2 certificate-authenticated VPN connections, you must install a computer certificate with the Server Authentication or All-Purpose Enhanced Key Usage (EKU) property installed on your RRAS server.

Configure RRAS with a Computer Authentication Certificate

If you initially configured your RRAS server to support Internet Protocol version 4 (IPv4) only, you can add support for Internet Protocol version 6 (IPv6) remote access.

Enable IPv6 Remote Access

(Optional) Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies.

Configure Network Access Protection Enforcement for VPN

Additional references