Configure the Routing and Remote Access Service and Demand-Dial Interfaces

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Use the following procedures to enable the Routing and Remote Access service and to establish a site-to-site connection:

  • Enable Routing and Remote Access.

  • Configure the demand-dial interface for the remote site connection.

  • Configure an additional demand-dial interface for a temporary ISP link.

Enable Routing and Remote Access

When you run the Routing and Remote Access Wizard to enable the Routing and Remote Access service, the choices you make are the same for dial-up routing and for VPN routing.

To enable the Routing and Remote Access service

Note

You can skip step 1 if either of the following is true:

  • This server uses local authentication or authenticates against a RADIUS server.

  • You have administrative rights to add the computer account of the Routing and Remote Access server to the RAS and IAS Servers security group. In that case, the wizard automatically adds the computer to RAS and IAS Servers.

  1. Enable the router as follows:

    • Ask your domain administrator to add the router’s computer account to the RAS and IAS Servers security group for this domain by using the Active Directory Users and Computers snap-in or the netsh ras add registeredserver command.

    • If this router must access other domains, ask your domain administrator to add the router’s computer account to the RAS and IAS Servers security group of the other domains.

    • Restart the router for the change to take effect immediately.

  2. Open Routing and Remote Access, select the computer on which you want to enable the Routing and Remote Access service (probably the computer you are currently working on), and then, on the Action menu, select Configure and Enable Routing and Remote Access to start the Routing and Remote Access Wizard. Complete the wizard pages as shown in the following table:

Each wizard page is listed below, followed by the action to take on it.

Configuration

Select Secure connection between two private networks.

Demand-Dial Connections

Select Yes (to use demand-dial routing to access remote networks).

IP Address Assignment

Select one of the following:

  • Select Automatically to use DHCP if you want to assign addresses automatically without using a specified range of addresses.

  • Select From a specified range of addresses if you want to specify an address range (recommended):

    1. On the Address Range Assignment screen, select New, and then type values for the following:

      • Start IP address

      • End IP address

      You can use public or private address ranges. Based on what you specify for the starting and ending addresses, the Number of addresses field is prepopulated.

      Note
      For example, for a two-way connection, you might specify the range 192.168.10.1–192.168.10.2 on the calling router and the range 192.168.0.220–192.168.0.221 on the answering router. In this case, if the calling router initiates the connection, the calling router assigns 192.168.10.1 to itself, and it assigns 192.168.10.2 to the answering router.

    2. If the static IP address pool address range is an off-subnet address range, ensure that the routes to the address range exist in the routers of your intranet.

When the Routing and Remote Access Wizard completes, you might see the message "Windows was unable to add this computer to the list of valid remote access servers in the Active Directory. Before you can use this computer as a remote access server, the domain administrator must complete this task." If you see this message, click OK. Later, after you complete the Demand-Dial Interface Wizard (described next), add the computer account to the RAS and IAS Servers security group.
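The off-subnet check from the IP Address Assignment page can be worked out before the wizard is run. The following Python sketch is an added example, not part of the original topic: the function name pool_plan and the intranet subnets 192.168.1.0/24 and 192.168.0.0/24 are assumptions, while the pool ranges are the ones from the note above. It reports the size of a pool, whether it is on-subnet, and the destination and network mask of each route that intranet routers would need if it is not.

```python
import ipaddress

def pool_plan(start_ip, end_ip, intranet_subnets):
    """Size a static address pool and list the routes intranet routers need for it."""
    first = ipaddress.IPv4Address(start_ip)
    last = ipaddress.IPv4Address(end_ip)
    if last < first:
        raise ValueError("End IP address is lower than Start IP address")
    subnets = [ipaddress.ip_network(s) for s in intranet_subnets]
    # On-subnet: a single subnet attached to this router holds the whole range.
    on_subnet = any(first in net and last in net for net in subnets)
    routes = []
    if not on_subnet:
        # Collapse the range into the fewest CIDR blocks, then express each one
        # as (destination, network mask), the fields a static route asks for.
        for block in ipaddress.summarize_address_range(first, last):
            routes.append((str(block.network_address), str(block.netmask)))
    return {
        "count": int(last) - int(first) + 1,  # inclusive size of the range
        "on_subnet": on_subnet,
        "routes_needed": routes,
    }

if __name__ == "__main__":
    # Pool ranges are the page's example; the intranet subnets are constructed.
    for name, start, end, lan in [
        ("calling", "192.168.10.1", "192.168.10.2", ["192.168.1.0/24"]),
        ("answering", "192.168.0.220", "192.168.0.221", ["192.168.0.0/24"]),
    ]:
        print(name, pool_plan(start, end, lan))
```

A range that does not start on a block boundary, such as 192.168.10.1 to 192.168.10.2, cannot be covered by one route and yields two host routes.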

Configure the demand-dial interface for the remote site connection

The Demand-Dial Interface Wizard appears automatically after the Routing and Remote Access Wizard completes.

To configure the demand-dial interface for a remote site connection

Complete the wizard pages for the Demand-Dial Interface Wizard as shown in the following table.

Each wizard page is listed below, followed by the action to take on it.

Interface Name

Type a name for the remote router that matches the user account name that you created earlier for the remote router.

Connection Type

Select one of the following:

Connect using a modem, ISDN adapter, or other device. Select this option to establish a device-to-device dial-up connection:

  • On the Select a device page, select the modem or adapter you want from the list.

  • On the Phone Number page, if this is a calling router, type the phone number you want the router to call. (If this is an answering router that is not also a calling router, you can leave this blank.)

-or-

Connect using virtual private networking (VPN). Select this option to establish a VPN connection over the Internet:

  • On the VPN Type page, select one of the following:

    • Automatic selection (accepts either PPTP or L2TP connections)

    • Point to Point Tunneling Protocol (PPTP)

    • Layer 2 Tunneling Protocol (L2TP)

  • On the Destination Address page, if this is a calling router, type the IP address of the remote router this interface will connect to. (If this is an answering router, you can leave this field blank.)

Do not select the third option, Connect using PPP over Ethernet (PPPoE), because PPPoE is used to link to the local ISP, not to create a device-to-device dial-up link or a VPN tunnel.

Protocols and Security

  • Select Route IP packets on this interface (the default).

  • If this is an answering router that is not joined to an Active Directory domain, add a local account by selecting Add a user account so a remote router can dial in. This creates a local user account on the demand-dial router. (Do not select this option if you earlier created an Active Directory user account for the answering router to use to authenticate the calling router.)

Static Routes for Remote Networks

To add one or more static routes to define the permanent route between this network and the remote network, click Add, and then, in the Static Route dialog box, do the following:

  • Destination. Type the network ID of the remote site.

  • Network Mask/Prefix Length. Type the subnet mask for the network ID of the remote site.

  • Metric. Select an appropriate number for the metric.

Dial In Credentials (for an answering router)

Type and confirm a password for the local user account.

Note
This page appears only if this is an answering router and if you chose Add a user account so a remote router can dial in on the Protocols and Security page earlier in the wizard. Notice that the User name provided is the same name as that used for the demand-dial interface.

Dial Out Credentials (for a calling router)

Specify the dial-out credentials to connect to the remote router:

  • User name. Type the name of the user account for the calling router that matches the name of the corresponding demand-dial interface on the answering router.

  • Domain. Type the domain name. Typically, both sites belong to the same domain.

  • Password and Confirm password. Type the password.

Note

If this is an answering router that is not also a calling router, you do not need to provide this information. However, the wizard requires that you fill in this page, so type any name, domain, and password.

If the Routing and Remote Access Wizard (which ran before the Demand-Dial Interface Wizard) was unable to add the computer to the list of valid remote access servers in Active Directory, you saw the error message "Windows was unable to add this computer to the list of valid remote access servers in the Active Directory. Before you can use this computer as a remote access server, the domain administrator must complete this task." To enable the computer to function as a remote access server, add the computer account for the router to the RAS and IAS Servers security group. If you did not see the error message indicating that the computer had not been added to the valid remote access servers in Active Directory, you do not need to perform this step.

After at least one demand-dial interface exists, you can run the Demand-Dial Interface Wizard at any time to add additional demand-dial interfaces by right-clicking Network Interfaces in the Routing and Remote Access snap-in console tree, and then clicking New Demand-dial Interface. Run the wizard again for the following reasons:

  • To add other branch office sites, repeat the steps in this procedure for each additional demand-dial interface you want to create.

  • To create a demand-dial interface for a temporary link to the local ISP at the branch office, perform the steps described in the next section.

Configure an additional demand-dial interface for a temporary ISP link

If this is a VPN connection, and you connect your branch office to its local ISP through a temporary link, you must run the Demand-Dial Interface Wizard a second time to create a demand-dial interface for this physical link to the ISP. This link to the ISP can be a dial-up link or a PPPoE link.

Note

If you are deploying a non-VPN dial-up link, or a VPN connection between two sites, each of which connects to its local ISP through a dedicated link, do not perform these steps. Instead, perform the steps in "Configure the Demand-Dial Interface for the Remote Site Connection" earlier in this topic.

Open Routing and Remote Access, right-click Network Interfaces, click New Demand-dial Interface, and then complete the wizard pages for the Demand-Dial Interface Wizard as shown in the following table.

Each wizard page is listed below, followed by the action to take on it.

Interface Name

Type an appropriate name, such as Dial_ISP.

Connection Type

Select one of the following:

Select Connect using a modem, ISDN adapter, or other device. Select this option to create a dial-up link to your local ISP:

  • On the Select a device page, select the modem or adapter you want from the list.

  • On the Phone Number page, type the phone number of your local ISP.

-or-

Select Connect using PPP over Ethernet (PPPoE). Select this option to create a PPPoE link to your local ISP:

  • On the Service Name page, type the name of the service. (If you leave this text box blank, Windows automatically detects and configures your service when you connect.)

Do not select the third option, Connect using virtual private networking (VPN), because this demand-dial interface is for the link to the ISP, not for a VPN tunnel.

Protocols and Security

Select Route IP packets on this interface (do not select Add a user account so a remote router can dial in).

Static Routes for Remote Networks

To add a static route for the IP address allocated to the answering router by the answering router’s ISP (or by ICANN):

  • Destination. Type the IP address of the answering router’s Internet-connected interface.

  • Network Mask/Prefix Length. Type 255.255.255.255.

  • Metric. Select an appropriate number for the metric.

Dial-In Credentials

This page does not appear.

Dial-Out Credentials

Specify the dial-out credentials used to connect to the local ISP:

  • User name. Type the name of the user account that has permission to access the local ISP. (This is not the router user account.)

  • Domain. Leave this field blank.

  • Password and Confirm password. Type the password.

Note
Open the Active Directory Users and Computers snap-in, and then, on the Dial-in tab of the Properties page for the user account that has permission to access the local ISP, select Allow access.