CONFIGURING ROUTING AND REMOTE ACCESS SERVICES IN WINDOWS SERVER 2008
Routing and Remote Access Service
Updated: September 30, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
The Routing and Remote Access service (RRAS) in Windows Server® 2008 R2 and Windows Server® 2008 supports remote user or site-to-site connectivity by using virtual private network (VPN) or dial-up connections.
RRAS consists of the following components:
- Remote Access. By using RRAS, you can deploy VPN connections to provide end users with remote access to your organization's network. You can also create a site-to-site VPN connection between two servers at different locations.
- Routing. RRAS is a software router and an open platform for routing and networking. It offers routing services to businesses in local area network (LAN) and wide area network (WAN) environments or over the Internet by using secure VPN connections. Routing is used for multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services.
Getting Started
- Windows Server 2008 R2 and Windows Server 2008 each include new features designed to enhance the security and manageability of RRAS. This topic describes the new features and other significant changes made to RRAS, including the addition of new VPN tunneling protocols, VPN enforcement for Network Access Protection, and Internet Protocol version 6 (IPv6) support. For more information, see What's New in Routing and Remote Access in Windows Server 2008.
Deployment
The RRAS Deployment documentation provides information about implementing a VPN remote access server. Topics include planning and configuring secure remote access; configuring routing on the VPN server and VPN clients; and connecting remote sites.
The following describe how to deploy RRAS:
- Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect. This guide is also available as a Word document at http://go.microsoft.com/fwlink/?linkid=143364 in the Download Center.
- SSTP Remote Access Step-by-Step Guide: Deployment
- Deploying VPN Connections by Using PowerShell and Group Policy. This guide is also available as a Word document that is part of a .zip file that contains the sample PowerShell script and data file. It is available at http://go.microsoft.com/fwlink/?linkid=160558 in the Download Center.
The following topics are still relevant to Windows Server 2008 and Windows Server 2008 R2, although they were written for Windows Server 2003. The topics have not yet been updated to include new features that have been added in those newer versions of Windows.
- Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs
- Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs
- Virtual Private Networking with Windows Server 2003: An Example Deployment
- Deploying Routing
Operations
The following describe how to configure RRAS:
The following topics are still relevant to Windows Server 2008 and Windows Server 2008 R2, although they were written for Windows Server 2003. The topics have not yet been updated to include new features that have been added in those newer versions of Windows.
Technical Reference
The following provide foundational information for RRAS:
- Changes in IKEv2 from Windows 7 Beta to Release Candidate
- Supported Number of VPN Connections in Routing and Remote Access
- Routing and Remote Access Service Management Pack Guide for System Center Operations Manager 2007
The following topics are still relevant to Windows Server 2008 and Windows Server 2008 R2, although they were written for Windows Server 2003. The topics have not yet been updated to include new features that have been added in those newer versions of Windows.
Troubleshooting
This reference contains troubleshooting information for events logged by RRAS. You can use this information to diagnose and resolve specific error conditions and to verify that those error conditions are no longer present.
This content is available at:
- VPN Client Compatibility with Windows 7 and Windows Server 2008 R2. If you are using third-party VPN client software on computers that are running Windows 7 or Windows Server 2008 R2, then review the information available in this topic.
- Troubleshooting IKEv2 VPN Connections. The VPN Reconnect feature, available on VPNs connecting computers that are running Windows 7 and Windows Server 2008 R2, uses IKEv2-based IPsec technology. This topic discusses some common troubleshooting issues and resolution steps.
- Configure the Inbound Firewall Rules that Enable Remote Management of a Routing and Remote Access Server (RRAS). This topic describes how to configure firewall rules that support remote management of an RRAS server when the client and RRAS server are separated by a firewall.
- The following topics describe some of the events and errors that RRAS can generate. In Windows Server 2008 or Windows Server 2008 R2, if these events appear in the Event Log, click the Event Log Online Help link below the event description.
Routing and Remote Access Product Help
After you install RRAS, product Help is available when you open the RRAS Microsoft Management Console (MMC) snap-in and press F1. The product Help provides information about how to install and configure Routing and Remote Access as a Virtual Private Network (VPN) server and as a router.
What's New in Routing and Remote Access in Windows Server 2008
Windows Server 2008 includes several new features designed to enhance the security and manageability of Routing and Remote Access. This section describes the new features and other significant changes made to Routing and Remote Access in Windows Server 2008.
Server Manager
Server Manager is a new feature designed to guide information technology (IT) administrators through the process of installing, configuring, and managing server roles and features that are part of Windows Server 2008. Server Manager is started automatically after the administrator completes the tasks listed in Initial Configuration Tasks. After that, it is started automatically when an administrator logs on to the server.
Use the following steps to install Routing and Remote Access using Server Manager:
To install Routing and Remote Access
- Install Windows Server 2008.
- Click Start, Administrative Tools, Server Manager.
- Under Roles Summary, click Add roles.
- Click Next. Select the Network Access Services role, and then click Next.
- Click Next. Select the Routing and Remote Access Services role service, and then click Next.
- Click Install. When the Installation Results dialog box appears, click Close.
Use the following steps to configure and enable the Routing and Remote Access service:
To configure and enable the Routing and Remote Access service
- Click Start, Administrative Tools, Routing and Remote Access.
- By default, the local computer is listed as a server. Right-click the server, and then click Configure and Enable Routing and Remote Access.
- Click Next. Click Custom configuration, and then click Next.
- Select all the services except NAT, click Next, and then click Finish.
- Click OK, click Start service, and then click Finish.
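The two procedures above are wizard-driven. As an added example that is not part of the original page or of Microsoft's documentation, the following PowerShell script does the role-service installation and the service checks from an elevated prompt on Windows Server 2008 R2 (the ServerManager module exists only on R2; the Windows Server 2008 equivalent, ServerManagerCmd.exe, is given in a comment). The feature ID NPAS-RRAS-Services and the service name RemoteAccess are the real identifiers; the variable names and messages are mine. Enabling the server configuration itself (the second procedure) still goes through the Configure and Enable Routing and Remote Access wizard.

```powershell
# Added example, not from the page: install the RRAS role service and check the
# service state from an elevated PowerShell prompt (Windows Server 2008 R2).
# Windows Server 2008 (non-R2) has no ServerManager module; use instead:
#   ServerManagerCmd.exe -install NPAS-RRAS-Services
Import-Module ServerManager

# Role service ID for "Routing and Remote Access Services" under
# Network Policy and Access Services.
$feature = 'NPAS-RRAS-Services'

if ((Get-WindowsFeature $feature).Installed) {
    "$feature is already installed"
} else {
    $result = Add-WindowsFeature $feature
    if (-not $result.Success) {
        throw "Installing $feature failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required before RRAS can be configured'
    }
}

# After installation the RemoteAccess service exists but is left Disabled until
# the "Configure and Enable Routing and Remote Access" wizard has run, so a
# Disabled start type here is expected before that step.
$svc = Get-Service -Name RemoteAccess
$wmi = Get-WmiObject Win32_Service -Filter "Name='RemoteAccess'"
"RemoteAccess: status={0} startType={1}" -f $svc.Status, $wmi.StartMode

# Once the wizard has finished, confirm the service is running and will start
# automatically after a reboot; correct the start type if it is not.
if ($wmi.StartMode -ne 'Disabled' -and $svc.Status -ne 'Running') {
    Set-Service -Name RemoteAccess -StartupType Automatic
    Start-Service -Name RemoteAccess
    "RemoteAccess now: " + (Get-Service -Name RemoteAccess).Status
}
```

Run it once before the wizard (it installs the role service and reports the service as Disabled) and once after (it makes sure the service is running and set to start automatically).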
SSTP tunneling protocol
Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access. Secure Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
For information about deploying SSTP, see:
- Step-by-Step Guide: Deploying SSTP Remote Access (http://go.microsoft.com/fwlink/?LinkID=104247)
- Screencast: Deploying SSTP Remote Access (http://go.microsoft.com/fwlink/?LinkID=102605)
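Because SSTP rides on HTTPS, three things on the server decide whether clients can connect: a server certificate bound to TCP 443 in HTTP.sys, a firewall rule admitting TCP 443, and nothing else holding the port. The following PowerShell script, an added example that is not from the page or from Microsoft, checks those three from an elevated prompt on the RRAS server. The netsh and netstat commands are real; the firewall rule name, the variable names and the regular expression over netstat's output are my own.

```powershell
# Added example, not from the page: pre-flight checks for an SSTP listener on
# TCP 443, run from an elevated PowerShell prompt on the RRAS server.

# 1. SSTP is terminated by HTTP.sys, so the server certificate must be bound
#    to port 443. List the current bindings; an empty list means no
#    certificate is bound yet and SSTP clients will fail the TLS handshake.
"--- HTTP.sys certificate bindings ---"
netsh http show sslcert

# 2. Admit inbound TCP 443 through Windows Firewall so clients behind
#    restrictive firewalls can reach the HTTPS endpoint (rule name is mine).
netsh advfirewall firewall add rule name="RRAS SSTP (TCP 443)" dir=in action=allow protocol=TCP localport=443

# 3. Confirm that something is listening on 443 and that it is the System
#    process (PID 4, HTTP.sys) rather than another web server on the same port.
$owner = $null
foreach ($line in (netstat -ano -p TCP)) {
    # constructed pattern for lines such as:
    #   TCP    0.0.0.0:443    0.0.0.0:0    LISTENING    4
    if ($line -match ':443\s+\S+\s+LISTENING\s+(\d+)\s*$') { $owner = $matches[1] }
}
if (-not $owner) {
    Write-Warning 'Nothing is listening on TCP 443: check the certificate binding and that the RemoteAccess service is started'
} elseif ($owner -ne '4') {
    $proc = Get-Process -Id ([int]$owner) -ErrorAction SilentlyContinue
    Write-Warning ("TCP 443 is owned by PID {0} ({1}), not HTTP.sys; SSTP cannot share it" -f $owner, $proc.ProcessName)
} else {
    'TCP 443 is listening under HTTP.sys (PID 4)'
}
```

The certificate bound to 443 must chain to a CA the clients trust and must carry the server's public DNS name in its subject or subject alternative name; a binding that shows up in step 1 but fails those checks still breaks SSTP.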
VPN enforcement for Network Access Protection
VPN enforcement provides strongly limited network access for all computers that access the network through a VPN connection. VPN enforcement with Network Access Protection (NAP) is similar in function to Network Access Quarantine Control, a feature in Windows Server 2003, but it is easier to deploy.
NAP is a client health policy creation, enforcement, and remediation technology that is included in the Windows Vista® client operating system and in the Windows Server 2008 operating system. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings.
When making VPN connections, client computers that are not in compliance with health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. Depending on how you choose to deploy NAP, noncompliant clients can be automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.
Remote access policy configuration
You must use Network Policy Server to create and configure remote access policies. Use the following steps to set the remote access policy to grant user access:
To configure the remote access policy
- Open Routing and Remote Access.
- Right-click Remote Access Logging & Policies, and then click Launch NPS.
- Click Network Policies.
- Double-click Connections to Microsoft Routing and Remote Access server.
- On the Overview tab, under Access Permission, click Grant access, and then click OK.
IPv6 support
Windows Server 2008 and Windows Vista support the following enhancements to Internet Protocol version 6 (IPv6):
- Protocols
  · PPPv6. Native IPv6 traffic can now be sent over PPP-based connections (RFC 2472). For example, PPPv6 support allows you to connect with an IPv6-based Internet service provider (ISP) through dial-up or PPP over Ethernet (PPPoE)-based connections that might be used for broadband Internet access.
  · PPPv6 over dial-up/Ethernet as well as VPN tunnels
  · L2TP over IPv6
  · DHCPv6 Relay Agent
- Stateless filtering, based on the following parameters:
  · Source IPv6 address/prefix
  · Destination IPv6 address/prefix
  · Next hop type (IP protocol type)
  · Source port number (TCP/UDP)
  · Destination port number (TCP/UDP)
- RADIUS over IPv6 transport
IPv6 configuration
By default, Routing and Remote Access is configured to accept only Internet Protocol version 4 (IPv4) connections. In Windows Server 2008, you can use the Routing and Remote Access Microsoft Management Console (MMC) to configure IPv6 routing and connections. Use the following steps to configure Routing and Remote Access to accept IPv6 and IPv4 connections.
To enable IPv6 connections
- In the Routing and Remote Access MMC, right-click the server, and then click Properties.
- Click the IPv6 tab.
- Enter an IPv6 prefix (for example: 3ffe::).
- Click the General tab.
- Click IPv6 Router, and then click IPv6 Remote access server.
- Click OK, and then click Yes to restart the Routing and Remote Access service.
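The same settings can be applied and verified from the command line. The script below is an added example, not from the page or from Microsoft: it uses the netsh ras ipv6 context to allow IPv6 negotiation and network-wide client access, shows the resulting configuration, and restarts the service. The exact netsh ras ipv6 subcommands and argument names are written from memory and should be confirmed with `netsh ras ipv6 ?` on the server; the prefix itself stays on the IPv6 tab as in the steps above. One caveat worth acting on: 3ffe:: (the page's sample) is the former 6bone range, returned to IANA by RFC 3701, so a prefix you actually hold should be entered in its place.

```powershell
# Added example, not from the page: command-line counterpart of the IPv6 tab
# settings, run from an elevated PowerShell prompt on the RRAS server.
# The 'netsh ras ipv6' syntax below is from memory; check 'netsh ras ipv6 ?'.

# Allow IPv6 (PPPv6) to be negotiated on incoming PPP/VPN connections.
netsh ras ipv6 set negotiation mode=allow

# Let remote-access clients reach the whole network, not only this server.
netsh ras ipv6 set access mode=all

# The prefix handed to clients is entered on the IPv6 tab (steps above).
# 3ffe::/16 is the retired 6bone range (RFC 3701): use a prefix you own.

# Display the resulting IPv6 settings, then restart RRAS so they take effect.
netsh ras ipv6 show config
Restart-Service -Name RemoteAccess -Force

# After the restart, the server's interfaces should show an address from the
# configured prefix alongside the link-local ones.
netsh interface ipv6 show addresses
```

Keep the IPv4 side of the server as it was: the page's goal is to accept both IPv6 and IPv4 connections, and nothing here touches the IPv4 settings.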
New cryptographic support
In response to governmental security requirements and trends in the security industry to support stronger cryptography, Windows Server 2008 and Windows Vista support the following encryption algorithms for PPTP and L2TP VPN connections.
Removed technologies
Support for the following technologies has been removed from Windows Server 2008 and Windows Vista:
- Bandwidth Allocation Protocol (BAP). Removed from Windows Vista. Disabled in Windows Server 2008.
- X.25.
- Serial Line Interface Protocol (SLIP). SLIP-based connections will automatically be updated to PPP-based connections.
- Asynchronous Transfer Mode (ATM).
- IP over IEEE 1394.
- NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.
- Services for Macintosh.
- Open Shortest Path First (OSPF) routing protocol component in Routing and Remote Access.
- Basic Firewall in Routing and Remote Access (replaced with Windows Firewall).
- Static IP filter application programming interfaces (APIs) for Routing and Remote Access (replaced with Windows Filtering Platform APIs).
- The SPAP, EAP-MD5-CHAP, and MS-CHAP authentication protocols for PPP-based connections.
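The last item removes the weak PPP authentication methods, but PAP is still selectable and sends the password unprotected inside the tunnel. As an added example that is not part of the page or of Microsoft's documentation, the PowerShell script below audits the authentication types RRAS will negotiate, removes PAP, makes sure MS-CHAP v2 and EAP are enabled, and keeps the server in standard (Windows/NPS-authenticated) mode. The `netsh ras show authtype`, `add authtype`, `delete authtype` and `set authmode` commands are real; the assumption that the type names appear verbatim in the `show authtype` output, and the variable names, are mine.

```powershell
# Added example, not from the page: audit and tighten the PPP authentication
# methods on an RRAS server from an elevated PowerShell prompt.

"--- authentication types before ---"
netsh ras show authtype

# Drop PAP (cleartext password). netsh reports an error if PAP was not
# enabled, which is harmless here and deliberately ignored.
netsh ras delete authtype type=PAP | Out-Null

# Keep the strong methods: MS-CHAP v2 for password logons, EAP for
# certificate/smart-card (for example EAP-TLS) logons.
netsh ras add authtype type=MSCHAPv2 | Out-Null
netsh ras add authtype type=EAP      | Out-Null

# Standard mode: every caller is authenticated against Windows/NPS policy,
# as opposed to the bypass mode that accepts unauthenticated connections.
netsh ras set authmode mode=standard | Out-Null

# Re-read the list and fail loudly if PAP survived. The regex assumes the
# type names print verbatim, one per line, as they do in this context's help.
$after = (netsh ras show authtype) -join "`n"
"--- authentication types after ---"
$after
if ($after -match '(?m)^\s*PAP\s*$') { throw 'PAP is still enabled on this RRAS server' }
if ($after -notmatch 'MSCHAPv2')     { throw 'MS-CHAP v2 is not enabled; password logons will fail' }
'PPP authentication is limited to MS-CHAP v2 and EAP'
```

The network policy in NPS (see Remote access policy configuration above) has its own list of allowed authentication methods; the server-side list here is the ceiling, and the policy can only restrict it further, so a method removed here is unavailable no matter what the policy says.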