Enable RRAS as a VPN Server
Applies To: Windows Server 2008 R2
After you install the RRAS server role, it is initially in a disabled state. Use the first procedure to enable the service and to configure it to provide virtual private network (VPN) services.
If you have already installed and enabled RRAS and want to add the remote access feature, use the second procedure.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To enable RRAS and configure it as a VPN server
Right-click the server name for which you want to enable routing, and then click Configure and Enable Routing and Remote Access. If you are using Server Manager, right-click Routing and Remote Access, and then click Configure and Enable Routing and Remote Access.
On the Welcome page, click Next.
On the Configuration page, click Remote Access (dial-up or VPN), and then click Next.
On the Remote Access page, select VPN, and then click Next.
On the VPN Connection page, select the network interface that is connected to the public Internet from which remote VPN clients will connect to this server.
To configure packet filters that restrict network access through the specified public network adapter to only the ports required by VPN clients, select Enable security on the selected interface by setting up static packet filters. This option is different from firewall rules that you create by using Windows Firewall with Advanced Security.
If you intend to protect your RRAS server by using a firewall instead, do not select this option. We recommend that do not you use both RRAS packet filters and firewall rules at the same time.
If you enable this option, then by default you will not be able to ping the IP address of the public network adapter because Internet Control Message Protocol (ICMP) is not permitted by the packet filters created by this option.
On the Network Selection page, select the private network to which remote VPN clients are to be granted access. The network adapter and its IP address are displayed to help you determine which to select.
On the IP Address Assignment page, specify the way in which the RRAS server will acquire IP addresses for the remote VPN clients. If you have a DHCP server with a range of addresses available, click Automatic. If you want the RRAS server to manage the IP addresses itself, click From a specified range of addresses.
If you selected Automatic in step 9, then skip step 10.
On the **Address Range Assignment** page, click **New**, and then type starting and ending IP addresses to create the range from which remote VPN clients are assigned addresses. You can enter multiple ranges if required. Click **Next** when you have created the address ranges.
On the Managing Multiple Remote Access Servers page, select whether you want to use a centralized RADIUS server for authentication of your network clients. If you select No, then RRAS uses its local account database or, if the RRAS server is joined to an Active Directory domain, the RRAS server uses the domain account database. To use Active Directory Domain Services (AD DS), you must join the RRAS server to a domain, and then add the computer account of this server to the RAS and IAS Servers security group in the domain of which this server is a member. The domain administrator can add the computer account to the RAS and IAS Servers security group by using Active Directory Users and Computers or by using the netsh ras add registeredserver command.
On the Completing page, click Finish.
To configure an existing RRAS server to support VPN remote access
Open Server Manager.
Expand Roles, and then expand Network Policy and Access Services.
Right-click Routing and Remote Access, and then click Properties.
Select IPv4 Remote access Server or IPv6 Remote access server, or both.
If you select IPv6 Remote access server, then you must also specify an IPv6 prefix. On the IPv6 tab, in This server assigns the following IPv6 prefix, type the 64-bit IPv6 prefix that the server is to assign to connected clients. The address assigned to a client is a combination of this prefix and a host identifier chosen by the client (typically either derived from the MAC address or randomly generated).
- When you are prompted to restart RRAS, click Yes.