Enable RRAS as a VPN Server and a NAT Router
Applies To: Windows Server 2008 R2
After you install the RRAS server role, it is initially in a disabled state. Use the first procedure to enable the service and to configure it to provide virtual private network (VPN) and network address translation (NAT) services. If you have already installed and enabled RRAS, and want to add the VPN and NAT router features, use the second procedure. For more information, see Virtual Private Networking, and Network Address Translation (http://go.microsoft.com/fwlink/?linkid=140619).
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To enable RRAS and configure it as both a VPN server and a NAT router
Right-click the server name for which you want to enable routing, and then click Configure and Enable Routing and Remote Access. If you are using Server Manager, right-click Routing and Remote Access, and then click Configure and Enable Routing and Remote Access.
On the Welcome page, click Next.
On the Configuration page, click Virtual Private Network (VPN) access and NAT, and then click Next.
On the VPN Connection page, select the network interface that is connected to the public network from which remote VPN clients will connect to this server.
On the IP Address Assignment page, specify the way in which the RRAS server will acquire Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses for the remote VPN clients. If you have a DHCP server with a range of addresses available, click Automatic. If you want the RRAS server to manage the IP addresses itself, click From a specified range of addresses.
If you selected Automatic in step 6, then skip step 7.
On the Address Range Assignment page, click New, and then type starting and ending IP addresses to create the range from which remote VPN clients are assigned addresses. You can enter multiple ranges if required. Click Next when you have created the address ranges.
On the Managing Multiple Remote Access Servers page, select whether you want to use a centralized RADIUS server to authenticate your network clients. If you select No, then RRAS uses its local account database or, if the RRAS server is joined to an Active Directory domain, the RRAS server uses the domain account database. To use Active Directory Domain Services (AD DS), you must join the RRAS server to the domain and add the computer account of this server to the RAS and IAS Servers security group in the domain of which this server is a member. The domain administrator can add the computer account to the RAS and IAS Servers security group by using Active Directory Users and Computers or by using the netsh ras add registeredserver command.
On the Completing page, click Finish.
To configure an existing RRAS server to support both VPN remote access and NAT routing
Open Server Manager.
Expand Roles, and then expand Network Policy and Access Services.
Right-click Routing and Remote Access, and then click Properties.
Select IPv4 Remote access Server or IPv6 Remote access server, or both.
If you select IPv6 Remote access server, you must also specify an IPv6 prefix. On the IPv6 tab, in This server assigns the following IPv6 prefix, type the 64-bit IPv6 prefix that the server is to assign to connected clients. The address assigned to a client is a combination of this prefix and a host identifier chosen by the client (typically either derived from the MAC address or randomly generated).
When you are prompted to restart RRAS, click Yes.
IPv6 does not support NAT. If your server is IPv6 only, then skip the steps in the rest of this procedure.
After the RRAS service has been restarted, expand IPv4, right-click General, and then click New Routing Protocol.
In Routing protocols, click NAT, and then click OK.
Right-click NAT, and then click New Interface.
Select the interface that connects to your private intranet, and then click OK.
Select Private interface connected to private network, and then click OK.
Right-click NAT, and then click New Interface again.
Select the interface that connects to the public Internet, and then click OK.
Select both Public interface connected to the Internet and Enable NAT on this interface, and then click OK.
For information about advanced NAT configuration settings, see IPv4 - NAT - Interface - Properties Page - Address Pool Tab and IPv4 - NAT - Interface - Properties Page - Services and Ports Tab.
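The IPv6 prefix step in the second procedure says that a client address is the server's 64-bit prefix combined with a host identifier chosen by the client. The following is an added example, not part of the original article, showing how that combination works and how to check an address seen in logs against the assigned prefix. It assumes a client that derives its identifier from the MAC address uses the modified EUI-64 format of RFC 4291; the function names, the prefix 2001:db8:0:1::/64 and the MAC address are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def client_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine the server-assigned prefix with a client-chosen identifier."""
    net = ipaddress.IPv6Network(prefix)  # raises ValueError if host bits are set
    if net.prefixlen != 64:
        raise ValueError("the server-assigned prefix must be 64 bits long")
    return net[interface_id]

def classify(prefix: str, address: str) -> dict:
    """Report whether an address falls in the VPN client prefix and, if its
    identifier carries the ff:fe marker, the MAC address it encodes."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        return {"in_pool": False, "mac": None}
    iid = (int(addr) & (2**64 - 1)).to_bytes(8, "big")
    mac = None
    # Heuristic: a random identifier can contain ff:fe by chance (1 in 65536).
    if iid[3:5] == b"\xff\xfe":
        raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        mac = ":".join(f"{b:02x}" for b in raw)
    return {"in_pool": True, "mac": mac}

if __name__ == "__main__":
    PREFIX = "2001:db8:0:1::/64"   # constructed: documentation prefix
    MAC = "00:15:5d:01:02:03"      # constructed sample MAC
    print(client_address(PREFIX, eui64_interface_id(MAC)))
    # Constructed sample addresses, as they might appear in a connection log.
    for seen in ("2001:db8:0:1:215:5dff:fe01:203",    # MAC-derived
                 "2001:db8:0:1:a1b2:c3d4:e5f6:1789",  # randomly generated
                 "2001:db8:0:2::1"):                  # outside the prefix
        print(seen, classify(PREFIX, seen))
```

A MAC-derived identifier stays the same across connections and exposes the client's hardware address, while a randomly generated one does not, which matters when correlating VPN sessions in logs.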