What's New in RRAS

Applies To: Windows 7, Windows Server 2008 R2

This topic describes new features and other significant changes in RRAS in Windows Server® 2008 and Windows Server® 2008 R2.

New features

The following feature has been introduced in Windows Server 2008 R2:

  • VPN Reconnect

The following features were introduced in Windows Server 2008:

  • Server Manager

  • Secure Socket Tunneling Protocol

  • VPN enforcement for Network Access Protection

  • IPv6 support

  • Cryptographic support

Removed technologies

Support for the following technologies has been removed from RRAS:

  • Bandwidth Allocation Protocol (BAP).

  • Serial Line Interface Protocol (SLIP). SLIP-based connections will be updated to Point-to-Point Protocol (PPP)-based connections automatically.

  • Basic Firewall has been replaced with Windows Firewall with Advanced Security.

  • Static IP filter application programming interfaces (APIs) for RRAS have been replaced with Windows Filtering Platform APIs.

  • SPAP, EAP-MD5-CHAP, and MS-CHAP authentication protocols for PPP-based connections.

  • Open Shortest Path First (OSPF) routing protocol component.

  • X.25.

  • Asynchronous Transfer Mode (ATM).

  • IP over IEEE 1394.

  • NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.

  • Services for Macintosh.

VPN Reconnect

RRAS in Windows Server 2008 R2 introduces support for Internet Protocol security (IPsec) Tunnel Mode with Internet Key Encryption version 2 (IKEv2), as described in RFC 4306. This new tunneling protocol enables VPN Reconnect, which allows the virtual private network (VPN) connection to remain active even when the client’s IP address changes. VPN Reconnect is useful in scenarios in which the network client is mobile and changes wireless hotspots or changes from a wired to a wireless connection. IKEv2 and VPN Reconnect support both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).

Server Manager

Server Manager is a new feature that provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server. Server Manager is started automatically after the administrator completes the tasks in Initial Configuration Tasks. Subsequently, it is started automatically when an administrator logs on to the server. For information about how to install and enable RRAS by using Server Manager, see Install RRAS.

Secure Socket Tunneling Protocol

Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel with features that allow traffic to pass through firewalls that block Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP)/IPsec. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as Extensible Authentication Protocol with Transport Level Security (EAP-TLS). The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

VPN enforcement for Network Access Protection

Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista, Windows Server 2008, and later versions of Windows. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings.

When making VPN connections, client computers that are not in compliance with health policy can be granted restricted network access until their configuration is updated and brought into compliance with policy. Depending on how you choose to deploy NAP, noncompliant clients can be automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.

VPN enforcement provides strong limited network access for all computers accessing the network through a VPN connection. VPN enforcement with NAP is similar in function to Network Access Quarantine Control, a feature in Windows Server 2003, but it is easier to deploy. For more information, see Configure Network Access Protection Enforcement for VPN.

IPv6 support

RRAS supports the following IPv6 protocols:

  • PPPv6. IPv6 traffic can be sent over PPP-based connections, as described in RFC 2472. For example, PPPv6 support allows you to connect with an IPv6-based Internet service provider (ISP) through dial-up or PPP over Ethernet (PPPoE)-based connections that might be used for broadband Internet access.

  • PPPv6 over dial-up/Ethernet and VPN tunnels.

  • L2TP over IPv6.

  • DHCPv6 Relay Agent.

RRAS supports stateless filtering based on the following parameters:

  • Source IPv6 address/prefix.

  • Destination IPv6 address/prefix.

  • Next hop type (IP protocol type).

  • Source Port number (TCP/UDP).

  • Destination Port number (TCP/UDP).

RRAS also supports RADIUS over IPv6. For more information, see IPv6 Addressing.

IPv6 does not support PPTP.

Cryptographic support

In response to governmental security requirements and security industry trends, RRAS supports several new encryption algorithms for PPTP and L2TP VPN connections. Support for protocols such as DES and MD5 has been removed, but these protocols can be added by changing a registry key. Microsoft does not recommend the use of DES and MD5. For more information, see VPN Tunneling Protocols.

Additional references