In Windows Server 2008 R2, in addition to the RDS
components, the server can also be configured to provide powerful
capabilities for remote clients connecting to your network. Remote clients,
such as your road warriors, telecommuters, and other users, are not
connected to your network on a daily basis. In Windows Server 2008 R2,
you still have access to the Routing and Remote Access services that
were available in Windows Server 2008. However, you also have a powerful
alternative to a normal VPN in a component new to Windows Server 2008
R2 called DirectAccess. You will now get a broad overview of working with
1. Install and Configure Windows Server 2008 R2 VPNs
Creating a VPN on your Routing
and Remote Access server provides secure remote access to private
networks. When you decide to install a VPN and install the Routing and
Remote Access role services, you get several capabilities for your
network. RRAS can be used in a variety of configurations, as you can see
in Table 1.
Table 1. RRAS Options
|VPN Access||This allows clients to connect to your network across the Internet.|
|Dial-Up Access||This allows clients to connect to your network via a modem or other dial-in equipment.|
allows your server to initiate and receive demand-dial connections. Demand-dial connections allow your modem communications to be cost effective by dialing the connections only when needed.|
Address Translation allows your users on your network to share a single Internet connection. NAT translates between the public Internet address and your private network IP address scheme.|
|LAN Routing||This option allows your RRAS server to forward packets from one LAN segment to another.|
1.1. Understand the Windows Server 2008 R2 Role Services
There are several core
services you can choose to configure on your Windows Server 2008 R2
server when you install your VPN for your network. Table 2 describes the role services and their functions.
Table 2. Network Policy and Access Role Services
|Network Policy Server (NPS)||This role service gives you the ability to create access policies governing connection requests for authorization and authentication. This role service also allows you to install a client health enforcement tool called Network Access Protection (NAP).|
|RRAS Remote Access Service||The core RRAS services provide the VPN capability for your server. The connections can also be made with dial-up connections.|
|RRAS Routing||This role service will provide LAN and WAN routing services for your network as well as NAT, RIP, and IGMP proxy routers.|
|Health Registration Authority (HRA)||This is used in conjunction with your NAP solution when you roll it out. The HRA will validate the health of remote clients connecting to the server by issuing certificates with the health status of the connecting client. This role service will require the IIS Management tools, specifically the IIS 6 WMI and Scripting tools.|
|Host Credential Authorization Protocol (HCAP)||This is another component for a NAP solution in your network; specifically, the HCAP component is designed to work with the Cisco Network Access Control. This role service will require the IIS Client Certificate Mapping Authentication and Digest Authentication components from the IIS
1.2. Install Routing and Remote Access Services
You install the Routing and Remote Access Services (RRAS) by adding the role services in Server Manager:
Select Start => Administrative Tools => Server Manager.
Click Roles on the tree menu on the left.
Click Add Roles in the details pane on the right.
In the list of roles, select Network Policy And Access Services, and click Next.
Review the welcome screen for Network Policy And Access Services, and click Next.
Routing And Remote Access Services; normally you will select both
Remote Access Services and Routing. After you have selected the
components, click Next.
Review the confirmation screen, and click Install.
Review the installation results, and click Close.
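The same installation can be scripted. The following PowerShell is an added example, not part of the original walkthrough: it assumes an elevated session on Windows Server 2008 R2 and uses the ServerManager module's feature names NPAS-RRAS (Remote Access Service) and NPAS-Routing (Routing). The function name Install-RrasRoleServices is hypothetical.

```powershell
# Added example: scripted equivalent of the Server Manager steps above.
# Assumes Windows Server 2008 R2 and an elevated PowerShell session.
Import-Module ServerManager

# Role services the walkthrough selects: Remote Access Service and Routing.
$wanted = 'NPAS-RRAS', 'NPAS-Routing'

# Hypothetical helper name; installs only what is not already present,
# so the script can be re-run safely.
function Install-RrasRoleServices {
    param([string[]]$Names)

    $missing = @(Get-WindowsFeature -Name $Names | Where-Object { -not $_.Installed })
    if ($missing.Count -eq 0) {
        Write-Host 'Requested role services are already installed.'
        return
    }

    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) {
        throw "Installation failed with exit code $($result.ExitCode)."
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required to finish the installation.'
    }
}

Install-RrasRoleServices -Names $wanted

# Equivalent of "Review the installation results": list every Network Policy
# And Access Services component and whether it is installed, so role services
# you did not intend to add (NPS, HRA, HCAP) stand out.
Get-WindowsFeature -Name 'NPAS*' |
    Select-Object DisplayName, Name, Installed |
    Format-Table -AutoSize

# RemoteAccess is the RRAS Windows service. Installing the role services does
# not configure it; that is done in the Routing And Remote Access console.
Get-Service -Name RemoteAccess | Select-Object Name, Status
```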
1.3. Configure the VPN
After you have installed the
RRAS solutions, you will need to enable and configure the role service.
In Windows Server 2008 R2, there is a wizard-driven
utility designed to help you configure the VPN.
When you configure RRAS, you will have several choices. Follow these steps:
To open Routing And Remote Access, select Start => Administrative Tools => Routing And Remote Access.
your server in the tree on the left. When you first launch the Routing
and Remote Access management tools, you will see a screen similar to Figure 1.
Select Action => Configure And Enable Routing And Remote Access.
Figure 1. Enabling RRAS
Review the welcome screen, and click Next.
On the configuration screen, select Remote Access (Dial-Up or VPN), and click Next.
your users will connect and what hardware you have on your server will
determine whether you select VPN or Dial-Up. After you have selected
your option, click Next.
the network interface you are using on your Windows Server 2008 R2
server to connect to the Internet. After you have selected your Internet
network interface, click Next.
Select the internal network adapter that you want to assign to your remote VPN users.
the IP Address Assignment screen, you can use a DHCP server in your
network, or you can create a specific range of IP addresses for the VPN
connection. After you make your selection, click Next. If you choose
your own range of addresses, you will have an additional step to
configure the range.
the next screen, you will see a choice to configure a Remote
Authentication Dial-In User Service (RADIUS). You will see a screen
similar to Figure 2.
The RADIUS server is useful if you have several RRAS servers and you
want to have a central authentication point. If you have only a single
RRAS server, you can click No, as in this walk-through; then click Next.
the summary screen, and click Finish. You may also receive a few
additional warning prompts, which you will need to acknowledge before
you can finish your setup. These additional prompts are determined by
the other options you may have configured during the setup of these
After you have completed
enabling and configuring your RRAS server, your Routing and Remote
Access management console will look similar to Figure 3.
The completed console
provides you with the ability to modify any of your VPN settings.
Traditionally, once you have configured the VPN, you will not need to
perform many day-to-day duties for maintenance. However, the console
does provide some useful monitoring tools to view server status as well as
the ability to see which clients are currently connected via VPN to your
Figure 2. RADIUS
Figure 3. RRAS configured
One of the additional
capabilities you have with RRAS is the ability to verify the health of
VPN clients connecting to your network. NAP provides a method for you to
quarantine your VPN clients before they are allowed to connect to your
server. NAP can also be instrumental in providing remediation for
clients not meeting the computer health requirements of your network.