| Task | Reference |
|---|---|
Review key concepts. |
|
Gather required information. |
|
Configure TCP/IP on the network adapters of the RRAS server. |
|
Install RRAS. |
|
Enable RRAS and configure it as a VPN server. |
|
If your RRAS server is behind a perimeter firewall, or is running a host-based firewall such as Windows Firewall with Advanced Security, then configure the required firewall rules to permit virtual private network (VPN) network traffic through the firewall to the RRAS server. |
|
If your RRAS server is not behind a perimeter firewall, and is not running a host-based firewall such as Windows Firewall with Advanced Security, then configure static packet filters to permit only the required VPN network traffic to the RRAS server. |
|
Configure the types of VPN connections, and the number of each that your VPN server supports. By default, RRAS in this version of Windows supports 128 each of Internet Key Exchange version 2 (IKEv2), Layer Two Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and Secure Socket Tunneling Protocol (SSTP) connections. If you enable VPN after installing RRAS, then the VPN ports are disabled and Windows only creates five of each connection type. Enable the ports and configure the number you need by following this procedure. |
|
Specify either DHCP or configure a static pool of IP addresses for VPN clients. |
|
If you are using DHCP to supply IP addresses to remote clients, and the DHCP server is not located on the same IP subnet as the RRAS server, then configure a DHCP relay agent that forwards broadcast DHCP requests and responses through routers to the DHCP server. |
|
If you are using Network Policy Server (NPS) to centrally manage policies for your RRAS servers, then configure dial-in properties and network policies for dial-in permission, authentication, and encryption settings. |
See "Checklist: Configure NPS for Dial-Up and VPN" in Network Policy Server Help. |
Adjust logging levels for RRAS and for each routing protocol. |
|
(Optional) Create a Connection Manager profile to manage the client connection experience for your users and simplify troubleshooting client connections. |
|
If your RRAS configuration requires any certificates for authentication, for example, when you use IKEv2 or SSTP-based VPN connections, then you must have a source for the certificates. Install Active Directory Certificate Services (AD CS) on a server on your network as an alternative to purchasing certificates from third-party root CAs. |
|
To support SSTP or IKEv2 certificate-authenticated VPN connections, you must install a computer certificate with the Server Authentication or All-Purpose Enhanced Key Usage (EKU) property installed on your RRAS server. |
|
If you initially configured your RRAS server to support Internet Protocol version 4 (IPv4) only, you can add support for Internet Protocol version 6 (IPv6) remote access. |
|
(Optional) Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies. |