Windows Server 2008 R2 : Work with Remote Clients (part 1) - Install and Configure Windows Server 2008 R2 VPNs

7/23/2012 5:44:45 PM
In Windows Server 2008 R2, in addition to the RDS components, the server can also be configured to provide powerful capabilities for remote clients to your network. Remote clients like your road warriors, your telecommuters, and other users are not connected to your network on a daily basis. In Windows Server 2008 R2, you still have access to the Routing and Remote Access services that were available in Windows Server 2008. However, you also have a powerful alternative to a normal VPN with a new component to Windows Server 2008 R2 called DirectAccess. You will now get broad overview of working with both solutions.

1. Install and Configure Windows Server 2008 R2 VPNs

Creating a VPN on your Routing and Remote Access server provides secure remote access to private networks. When you decide to install a VPN and install the Routing and Remote Access role services, you get several capabilities for your network. RRAS can be used in a variety of configurations, as you can see in Table 1.

Table 1. RRAS Options
VPN AccessThis allows clients to connect to your network across the Internet.
Dial-Up AccessThis allows clients to connect to your network via a modem or other dial-in equipment.
Demand-Dial ConnectionsThis allows your server to initiate and receive demand-dial connections. Demand-dial connections allow your modem communications to be cost effective by dialing the connections only when needed.
NATNetwork Address Translation allows your users on your network to share a single Internet connection. NAT translates between the public Internet address and your private network IP address scheme.
LAN RoutingThis option allows your RRAS server to forward packets from one LAN segment to another.

1.1. Understand the Windows Server 2008 R2 Role Services

There are several core services you can choose to configure on your Windows Server 2008 R2 server when you install your VPN for your network. Table 13.6 describes the role services and what their function is.

Table 2. Network Policy and Access Role Services
Role ServiceDescription
Network Policy Server (NPS)This role service gives you the ability to create access policies governing connection requests for authorization and authentication. This role service also allows you to install a client health enforcement tool called Network Access Protection (NAP).
RRAS Remote Access ServiceThe core RRAS services provide the VPN capability for your server. The connections can also be made with dial-up connections.
RRAS RoutingThis role service will provide LAN and WAN routing services for your network as well as NAT, RIP, and IGMP proxy routers.
Health Registration Authority (HRA)This is used in conjunction when you roll out your NAP solution. The HRA will validate the health of remote clients connecting to the server by issuing certificates with the health status of the connection client. This role service will require the IIS Management tools, specifically, the IIS 6 WMI and Scripting tools.
Host Credential Authorization Protocol (HCAP)This is another component for a NAP solution in your network; specifically, the HCAP component is designed to work with the Cisco Network Access Control. This role service will require the IIS Client Certificate Mapping Authentication and Digest Authentication components from the IIS services.

1.2. Install Routing and Remote Access Services

You install the Routing and Remote Access Services (RRAS) by adding the role services in Server Manager:

  1. Select Start => Administrative Tools => Server Manager.

  2. Click Roles on the tree menu on the left.

  3. Click Add Roles in the details pane on the right.

  4. In the list of roles, select Network Policy And Access Services, and click Next.

  5. Review the welcome screen for Network Policy And Access Services, and click Next.

  6. Select Routing And Remote Access Services; normally you will select both Remote Access Services and Routing. After you have selected the components, click Next.

  7. Review the confirmation screen, and click Install.

  8. Review the installation results, and click Close.

1.3. Configure the VPN

After you have installed the RRAS solutions, you will need to enable and configure the role service. In Windows Server 2008 R2, you will notice there is a wizard drive utility designed to help you configure the VPN.

When you configure RRAS, you will have several choices. Follow these steps:

  1. To open Routing And Remote Access, select Start => Administrative Tools => Routing And Remote Access.

  2. Click your server in the tree on the left. When you first launch the Routing and Remote Access management tools, you will see a screen similar to Figure 1.

  3. Select Action => Configure And Enable Routing And Remote Access.

    Figure 1. Enabling RRAS
  4. Review the welcome screen, and click Next.

  5. On the configuration screen, select Remote Access (Dial-Up or VPN), and click Next.

  6. How your users will connect and what hardware you have on your server will determine whether you select VPN or Dial-Up. After you have selected your option, click Next.

  7. Select the network interface you are using on your Windows Server 2008 R2 server to connect to the Internet. After you have selected your Internet network interface, click Next.

  8. Select the internal network adapter in which you want to assign to your remote VPN users.

  9. On the IP Address Assignment screen, you can use a DHCP server in your network, or you can create a specific range of IP addresses for the VPN connection. After you make your selection, click Next. If you choose your own range of addresses, you will have an additional step to configure the range.

  10. On the next screen, you will see a choice to configure a Remote Authentication Dial-In User Service (RADIUS). You will see a screen similar to Figure 2. The RADIUS server is useful if you have several RRAS servers and you want to have a central authentication point. If you have only a single RRAS server, you can click No, as in this walk-through; then click Next.

  11. Review the summary screen, and click Finish. You may also receive a few additional warning prompts, which you will need to acknowledge before you can finish your setup. These additional prompts are determined by the other options you may have configured during the setup of these services.

After you have completed enabling and configuring your RRAS server, your Routing and Remote Access management console will look similar to Figure 3.

The completed console provides you with the ability to modify any of your VPN settings. Traditionally, once you have configured the VPN, you will not need to perform many day-to-day duties for maintenance. However, the console does provides some nice monitor tools to view server status as well as the ability to see which clients are currently connected via VPN to your server.

Figure 2. RADIUS

Figure 3. RRAS configured

Network Access Protection (NAP)

One of the additional capabilities you have with RRAS is the ability to verify the health of your VPN clients to your network. NAP provides a method for you to quarantine your VPN clients before they are allowed to connect to your server. NAP can also be instrumental in providing remediation for clients not meeting the computer health requirements of your network. 
  •  Windows Server 2008 R2 : Manage Remote Desktop Services (part 4) - Working with Virtual Desktop Infrastructure
  •  Windows Server 2008 R2 : Manage Remote Desktop Services (part 3) - Configure Remote Desktop Web Access
  •  Windows Server 2008 R2 : Manage Remote Desktop Services (part 2) - Configure Remote Desktop Gateway, Configure Remote Desktop Connection Broker
  •  Windows Server 2008 R2 : Manage Remote Desktop Services (part 1) - Administer Remote Desktop Session Host
  •  WD My Book Thunderbolt Duo 4TB
  •  Thunderbolt Storage (Part 3)
  •  Thunderbolt Storage (Part 2)
  •  Thunderbolt Storage (Part 1)
  •  Microsoft Surface
  •  LaCie Little Big Thunderbolt Series SSD 240GB
  •  Lacie 2big Thunderbolt Series 4TB
  •  Custom Kits – July 2012
  •  Aquacomputer Aquagratix For HD 7970
  •  Aquacomputer Airplex XT 240
  •  Alphacool NexXxos XT60 Full Copper 240mm
  •  Toshiba Portege Z830 - Flexi Thin
  •  INTEL ATOM N2600 - Still Mighty Atom
  •  Intel Ivy Bridge : Core i5-3570k and Core i7-3770K (part 2)
  •  Intel Serves The Cloud : Intel Xeon Processor E5-260
  •  HP Unveils Glass Design HP ENVY Spectre
    Top 10
    Windows Server 2003 : Domain Name System - Command-Line Utilities
    Microsoft .NET : Design Principles and Patterns - From Principles to Patterns (part 2)
    Microsoft .NET : Design Principles and Patterns - From Principles to Patterns (part 1)
    Brother MFC-J4510DW - An Innovative All-In-One A3 Printer
    Computer Planet I7 Extreme Gaming PC
    All We Need To Know About Green Computing (Part 4)
    All We Need To Know About Green Computing (Part 3)
    All We Need To Know About Green Computing (Part 2)
    All We Need To Know About Green Computing (Part 1)
    Master Black-White Copying
    Most View
    Ultrasone HFI-580 Headphone Review
    iPhone 3D Programming : Textures and Image Capture - Texture Compression with PVRTC
    Ditch Your Laptop For Your Phone (Part 5)
    Epic Gear Meduza - Super Competitive Mid-Range Mouse
    NAS Devices: The Storage Centers (Part 2) - Iomega StorCenter ix2 Network Storage Cloud Edition, Western Digital My Book Live Duo 4TB
    Dragon NaturallySpeaking 12.0 Premium
    Illumination Through Micro­perforation
    Advice Centre by Photography Experts (Part 3) - Canon EOS 5D Mk II & Canon EOS 550D
    Delete & Recover Data (Part 4) - Securely Deleting Data Using Eraser 6.0
    Hasselblad H5D - The Leader In Digital Medium Format Photography (Part 1)
    Beginer's Guide To Sports Photography (Part 1)
    Windows Server 2008 and Windows Vista : Administering GPOs (part 2) - Starter GPOs
    Apps Of The Month – November 2012 : Google Play Movies & TV, NavFree for iOS
    Asus Taichi 21 - Feels Like A Bold
    Motorola RAZR - Incredibly Slim Waistline
    Damson Twist – Wireless Portable Bluetooth Speaker With Serious Bass
    Algorithms for Compiler Design: PROPERTIES OF REGULAR SETS
    Manipulate File Paths
    Exchange Server 2007: Create Mail-Enabled Contacts and Mail-Enabled Users
    Get To Know Your Camera (Part 2) - Focusing