Review key concepts.

Virtual Private Networking

Gather required information.

Requirements for Installing RRAS as a VPN Server

Configure TCP/IP on the network adapters of the RRAS server.

Configure TCP/IP on the RRAS Server

Install RRAS.

Install RRAS

Enable RRAS and configure it as a VPN server.

Enable RRAS as a VPN Server

If your RRAS server is behind a perimeter firewall, or is running a host-based firewall such as Windows Firewall with Advanced Security, then configure the required firewall rules to permit virtual private network (VPN) network traffic through the firewall to the RRAS server.

Configure a Firewall for VPN Traffic (http://go.microsoft.com/fwlink/?linkid=140709)

If your RRAS server is not behind a perimeter firewall, and is not running a host-based firewall such as Windows Firewall with Advanced Security, then configure static packet filters to permit only the required VPN network traffic to the RRAS server.

Configure Static Filters for VPN Traffic (http://go.microsoft.com/fwlink/?linkid=140713)

Configure the types of VPN connections, and the number of each that your VPN server supports.

By default, RRAS in this version of Windows supports 128 each of Internet Key Exchange version 2 (IKEv2), Layer Two Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and Secure Socket Tunneling Protocol (SSTP) connections. If you enable VPN after installing RRAS, then the VPN ports are disabled and Windows only creates five of each connection type. Enable the ports and configure the number you need by following this procedure.

Configure Ports for Remote Access

Specify either DHCP or configure a static pool of IP addresses for VPN clients.

Configure the Way RRAS Assigns IP Addresses to VPN Clients

If you are using DHCP to supply IP addresses to remote clients, and the DHCP server is not located on the same IP subnet as the RRAS server, then configure a DHCP relay agent that forwards broadcast DHCP requests and responses through routers to the DHCP server.

Configure the IPv4 DHCP Relay Agent

Configure the IPv6 DHCP Relay Agent

If you are using Network Policy Server (NPS) to centrally manage policies for your RRAS servers, then configure dial-in properties and network policies for dial-in permission, authentication, and encryption settings.

See "Checklist: Configure NPS for Dial-Up and VPN" in Network Policy Server Help.

Adjust logging levels for RRAS and for each routing protocol.

Configure Logging Levels for RRAS

(Optional) Create a Connection Manager profile to manage the client connection experience for your users and simplify troubleshooting client connections.

Connection Manager Administration Kit (http://go.microsoft.com/fwlink/?linkid=136440)

If your RRAS configuration requires any certificates for authentication, for example, when you use IKEv2 or SSTP-based VPN connections, then you must have a source for the certificates. Install Active Directory Certificate Services (AD CS) on a server on your network as an alternative to purchasing certificates from third-party root CAs.

Active Directory Certificate Services (http://go.microsoft.com/fwlink/?linkid=136444)

To support SSTP or IKEv2 certificate-authenticated VPN connections, you must install a computer certificate with the Server Authentication or All-Purpose Enhanced Key Usage (EKU) property installed on your RRAS server.

Configure RRAS with a Computer Authentication Certificate

If you initially configured your RRAS server to support Internet Protocol version 4 (IPv4) only, you can add support for Internet Protocol version 6 (IPv6) remote access.

Enable IPv6 Remote Access

(Optional) Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies.

Configure Network Access Protection Enforcement for VPN

Additional references

Table Of Contents