Vpn remote access server windows

Step 3. Configure the Remote Access Server for Always On VPN

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10

RRAS is designed to perform well as both a router and a remote access server because it supports a wide array of features. For the purposes of this deployment, you require only a small subset of these features: support for IKEv2 VPN connections and LAN routing.

IKEv2 is a VPN tunneling protocol described in Internet Engineering Task Force Request for Comments 7296. The primary advantage of IKEv2 is that it tolerates interruptions in the underlying network connection. For example, if the connection is temporarily lost or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN connection when the network connection is reestablished—all without user intervention.

Configure the RRAS server to support IKEv2 connections while disabling unused protocols, which reduces the server’s security footprint. Additionally, configure the server to assign addresses to VPN clients from a static address pool. You can feasibly assign addresses from either a pool or a DHCP server; however, using a DHCP server adds complexity to the design and delivers minimal benefits.

It is important to:

Install two Ethernet network adapters in the physical server. If you are installing the VPN server on a VM, you must create two External virtual switches, one for each physical network adapter; and then create two virtual network adapters for the VM, with each network adapter connected to one virtual switch.

Install the server on your perimeter network between your edge and internal firewalls, with one network adapter connected to the External Perimeter Network, and one network adapter connected to the Internal Perimeter Network.

Before you get started, make sure to enable IPv6 on the VPN server. Otherwise, a connection cannot be established and an error message displays.

Install Remote Access as a RAS Gateway VPN Server

In this procedure, you install the Remote Access role as a single tenant RAS Gateway VPN server. For more information, see Remote Access.

Install the Remote Access role by using Windows PowerShell

Open Windows PowerShell as Administrator.

Enter and run the following cmdlet:

After installation completes, the following message appears in Windows PowerShell.

Install the Remote Access role by using Server Manager

You can use the following procedure to install the Remote Access role using Server Manager.

On the VPN server, in Server Manager, select Manage and select Add Roles and Features.

The Add Roles and Features Wizard opens.

On the Before you begin page, select Next.

On the Select Installation Type page, select the Role-Based or feature-based installation option and select Next.

On the Select destination server page, select the Select a server from the server pool option.

Under Server Pool, select the local computer and select Next.

On the Select server roles page, in Roles, select Remote Access, then Next.

On the Select features page, select Next.

On the Remote Access page, select Next.

On the Select role service page, in Role services, select DirectAccess and VPN (RAS).

The Add Roles and Features Wizard dialog box opens.

On the Add Roles and Features dialog, select Add Features then select Next.

On the Web Server Role (IIS) page, select Next.

On the Select role services page, select Next.

On the Confirm installation selections page, review your choices, then select Install.

When the installation is complete, select Close.

Configure Remote Access as a VPN Server

In this section, you can configure Remote Access VPN to allow IKEv2 VPN connections, deny connections from other VPN protocols, and assign a static IP address pool for the issuance of IP addresses to connecting authorized VPN clients.

On the VPN server, in Server Manager, select the Notifications flag.

In the Tasks menu, select Open the Getting Started Wizard

The Configure Remote Access wizard opens.

The Configure Remote Access wizard might open behind Server Manager. If you think the wizard is taking too long to open, move or minimize Server Manager to find out whether the wizard is behind it. If not, wait for the wizard to initialize.

Select Deploy VPN only.

The Routing and Remote Access Microsoft Management Console (MMC) opens.


Right-click the VPN server, then select Configure and Enable Routing and Remote Access.

The Routing and Remote Access Server Setup Wizard opens.

In the Welcome to the Routing and Remote Access Server Setup Wizard, select Next.

In Configuration, select Custom Configuration, and then select Next.

In Custom Configuration, select VPN access, and then select Next.

The Completing the Routing and Remote Access Server Setup Wizard opens.

Select Finish to close the wizard, then select OK to close the Routing and Remote Access dialog box.

Select Start service to start Remote Access.

In the Remote Access MMC, right-click the VPN server, then select Properties.

In Properties, select the Security tab and do:

a. Select Authentication provider and select RADIUS Authentication.

b. Select Configure.

The RADIUS Authentication dialog box opens.

c. Select Add.

The Add RADIUS Server dialog box opens.

d. In Server name, enter the Fully Qualified Domain Name (FQDN) of the NPS server on your Organization/Corporate network.

For example, if the NetBIOS name of your NPS server is NPS1 and your domain name is corp.contoso.com, enter NPS1.corp.contoso.com.

e. In Shared secret, select Change.

The Change Secret dialog box opens.

f. In New secret, enter a text string.

g. In Confirm new secret, enter the same text string, then select OK.

Save this text string. When you configure the NPS Server on your Organization/Corporate network, you will add this VPN Server as a RADIUS Client. During that configuration, you will use this same shared secret so that the NPS and VPN Servers can communicate.

In Add RADIUS Server, review the default settings for:

Time-out

Initial score

Port

If necessary, change the values to match the requirements for your environment and select OK.

A NAS is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.

Review the setting for Accounting provider:

If you want Remote Access activity logged on the Remote Access server, make sure that Windows Accounting is selected.

If you want NPS to perform accounting services for VPN, change Accounting provider to RADIUS Accounting and then configure the NPS as the accounting provider.

Select the IPv4 tab and do:

a. Select Static address pool.

b. Select Add to configure an IP address pool.

The static address pool should contain addresses from the internal perimeter network. These addresses are on the internal-facing network connection on the VPN server, not the corporate network.

c. In Start IP address, enter the starting IP address in the range you want to assign to VPN clients.

d. In End IP address, enter the ending IP address in the range you want to assign to VPN clients, or in Number of addresses, enter the number of addresses you want to make available. If you're using DHCP for this subnet, ensure that you configure a corresponding address exclusion on your DHCP servers.

e. (Optional) If you are using DHCP, select Adapter, and in the list of results, select the Ethernet adapter connected to your internal perimeter network.

(Optional) If you are configuring conditional access for VPN connectivity, from the Certificate drop-down list, under SSL Certificate Binding, select the VPN server authentication certificate.

(Optional) If you are configuring conditional access for VPN connectivity, in the NPS MMC, expand Policies\Network Policies and do:

a. Right-click the Connections to Microsoft Routing and Remote Access Server network policy and select Properties.

b. Select the Grant access. Grant access if the connection request matches this policy option.

c. Under Type of network access server, select Remote Access Server (VPN-Dial up) from the drop-down.

In the Routing and Remote Access MMC, right-click Ports, and then select Properties.

The Ports Properties dialog box opens.

Select WAN Miniport (SSTP) and select Configure. The Configure Device — WAN Miniport (SSTP) dialog box opens.

a. Clear the Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound) check boxes.

b. Select OK.

Select WAN Miniport (L2TP) and select Configure. The Configure Device — WAN Miniport (L2TP) dialog box opens.

a. In Maximum ports, enter the number of ports to match the maximum number of simultaneous VPN connections that you want to support.

b. Select OK.

Select WAN Miniport (PPTP) and select Configure. The Configure Device — WAN Miniport (PPTP) dialog box opens.

a. In Maximum ports, enter the number of ports to match the maximum number of simultaneous VPN connections that you want to support.

b. Select OK.

Select WAN Miniport (IKEv2) and select Configure. The Configure Device — WAN Miniport (IKEv2) dialog box opens.

a. In Maximum ports, enter the number of ports to match the maximum number of simultaneous VPN connections that you want to support.

b. Select OK.

If prompted, select Yes to confirm restarting the server and select Close to restart the server.
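The PowerShell installation procedure above omits its cmdlet, and the Server Manager walkthrough covers the same configuration click by click. The script below is an added example, not the page's or Microsoft's own script: it installs the role, deploys VPN only with a static pool, points authentication at the NPS server the page uses as its example (NPS1.corp.contoso.com), and then checks from the defender's side that only IKEv2 is reachable. The RemoteAccess cmdlet and parameter names (Install-RemoteAccess -IPAddressRange, Add-RemoteAccessRadius, Set-RemoteAccessAccounting, Set-VpnServerConfiguration -Ikev2Ports and the port properties it reports) and the pool 10.10.20.10 to 10.10.20.100 are assumptions, not values from the page.

```powershell
# Added example (not the page's own script). Assumed, not from the page: the RemoteAccess
# cmdlet/parameter names below and the constructed internal-perimeter pool 10.10.20.10-100.
#Requires -RunAsAdministrator

$NpsFqdn   = 'NPS1.corp.contoso.com'   # the page's example NPS name
$PoolStart = '10.10.20.10'             # constructed: addresses on the internal perimeter subnet
$PoolEnd   = '10.10.20.100'
$MaxIkev2  = 128                       # expected number of simultaneous IKEv2 connections

# Pre-check from the page: IPv6 must be enabled on the VPN server or the connection fails.
$v6Off = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled }
if ($v6Off) { throw "IPv6 is unbound on: $($v6Off.Name -join ', '). Enable it first." }

# 1. Remote Access role, the same feature Server Manager calls "DirectAccess and VPN (RAS)".
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools | Out-Null

# 2. "Deploy VPN only" with a static IPv4 pool, so there is no dependency on DHCP.
Install-RemoteAccess -VpnType Vpn -IPAddressRange $PoolStart, $PoolEnd

# 3. RADIUS authentication against NPS. The shared secret is typed at run time, so it never
#    lands in the script file, a transcript or the PSReadLine history; the same value is
#    entered on NPS when this server is added there as a RADIUS client.
$secure = Read-Host -Prompt 'RADIUS shared secret (re-enter on NPS for this client)' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password
Add-RemoteAccessRadius -ServerName $NpsFqdn -SharedSecret $secret -Purpose Authentication
Remove-Variable secret, secure

# 4. Keep accounting on the RRAS server itself ("Windows Accounting" on the Security tab).
Set-RemoteAccessAccounting -EnableAccountingType Inbox

# 5. Size the IKEv2 miniport. SSTP, L2TP and PPTP are switched off in the Ports dialog
#    as described above; this script does not re-enable them.
Set-VpnServerConfiguration -Ikev2Ports $MaxIkev2

# 6. Defender's check: IKE (UDP 500) and NAT-T (UDP 4500) must be bound, while the
#    SSTP (TCP 443) and PPTP (TCP 1723) listeners must be absent after the restart.
$udp = Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 500, 4500 } |
       Select-Object -ExpandProperty LocalPort | Sort-Object -Unique
$tcp = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 443, 1723 } |
       Select-Object -ExpandProperty LocalPort | Sort-Object -Unique
"IKEv2 UDP ports bound : $($udp -join ', ')  (expected: 500, 4500)"
"Legacy TCP listeners  : $(if ($tcp) { $tcp -join ', ' } else { 'none' })  (expected: none)"
Get-VpnServerConfiguration | Select-Object Ikev2Ports, SstpPorts, L2tpPorts, GrePorts
```

Run the listener check again after the server restart, because the miniport changes only take effect once Routing and Remote Access has restarted.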

Next step

Step 4. Install and configure the Network Policy Server (NPS): In this step, you install Network Policy Server (NPS) by using either Windows PowerShell or the Server Manager Add Roles and Features Wizard. You also configure NPS to handle all authentication, authorization, and accounting duties for connection requests that it receives from the VPN server.

Always On VPN deployment for Windows Server and Windows 10

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, nondomain-joined (workgroup), or Azure AD-joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.

Prerequisites

You most likely have the technologies deployed that you can use to deploy Always On VPN. Other than your DC/DNS servers, the Always On VPN deployment requires an NPS (RADIUS) server, a Certification Authority (CA) server, and a Remote Access (Routing/VPN) server. Once the infrastructure is set up, you must enroll clients and then connect the clients to your on-premises network securely through several network changes.

  • Active Directory domain infrastructure, including one or more Domain Name System (DNS) servers. Both internal and external DNS zones are required, which assumes that the internal zone is a delegated subdomain of the external zone (for example, corp.contoso.com and contoso.com).
  • Active Directory-based public key infrastructure (PKI) and Active Directory Certificate Services (AD CS).
  • Server, either virtual or physical, existing or new, to install Network Policy Server (NPS). If you already have NPS servers on your network, you can modify an existing NPS server configuration rather than add a new server.
  • Remote Access as a RAS Gateway VPN server with a small subset of features supporting IKEv2 VPN connections and LAN routing.
  • Perimeter network that includes two firewalls. Ensure that your firewalls allow the traffic that is necessary for both VPN and RADIUS communications to function properly. For more information, see Always On VPN Technology Overview.
  • Physical server or virtual machine (VM) on your perimeter network with two physical Ethernet network adapters to install Remote Access as a RAS Gateway VPN server. VMs require a virtual LAN (VLAN) for the host.
  • Membership in Administrators, or equivalent, is the minimum required.
  • Read the planning section of this guide to ensure that you are prepared for this deployment before you perform the deployment.
  • Review the design and deployment guides for each of the technologies used. These guides can help you determine whether the deployment scenarios provide the services and configuration that you need for your organization's network. For more information, see Always On VPN Technology Overview.
  • Management platform of your choice for deploying the Always On VPN configuration, because the CSP is not vendor-specific.

For this deployment, it is not a requirement that your infrastructure servers, such as computers running Active Directory Domain Services, Active Directory Certificate Services, and Network Policy Server, are running Windows Server 2016. You can use earlier versions of Windows Server, such as Windows Server 2012 R2, for the infrastructure servers and for the server that is running Remote Access.

Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess. For more information, see Microsoft server software support for Microsoft Azure virtual machines.

About this deployment

The instructions provided walk you through deploying Remote Access as a single tenant VPN RAS Gateway for point-to-site VPN connections, using any of the scenarios mentioned below, for remote client computers that are running Windows 10. You also find instructions for modifying some of your existing infrastructure for the deployment. Also, throughout this deployment you find links to help you learn more about the VPN connection process, the servers to configure, the ProfileXML VPNv2 CSP node, and other technologies used to deploy Always On VPN.

Always On VPN deployment scenarios:

  1. Deploy Always On VPN only.
  2. Deploy Always On VPN with conditional access for VPN connectivity using Azure AD.

For more information and the workflow of the scenarios presented, see Deploy Always On VPN.

What isn't provided in this deployment

This deployment does not provide instructions for:

  • Active Directory Domain Services (AD DS).
  • Active Directory Certificate Services (AD CS) and a Public Key Infrastructure (PKI).
  • Dynamic Host Configuration Protocol (DHCP).
  • Network hardware, such as Ethernet cabling, firewalls, switches, and hubs.
  • Additional network resources, such as application and file servers, that remote users can access over an Always On VPN connection.
  • Internet connectivity or Conditional Access for Internet connectivity using Azure AD. For details, see Conditional access in Azure Active Directory.