RRAS: Demand dial interface <interface name> should support encryption of the data

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Storage Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Services (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2012, Windows Server 2008 R2

Routing and Remote Access Service (RRAS)

"No encryption allowed" is selected in the <interface name> Properties page.


If you do not enable encryption, all data sent through the demand-dial interface is transmitted in plaintext and subject to inspection by any device on the network.

Demand-dial interfaces are often used to establish a tunnel through the public Internet between two private networks. To ensure the confidentiality of the data being sent, we recommend that you encrypt all data that passes through the demand-dial interface into the tunnel.


Use 'Routing and Remote Access' in Server Manager to configure the <interface name> Properties page to enable 'Optional encryption', 'Require encryption', or 'Maximum strength encryption'.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable encryption on the demand-dial interface

  1. Start Server Manager. Click Start, click Administrative Tools, and then click Server Manager.

  2. In the navigation tree, expand Roles, expand Network Policy and Access Services, expand Routing and Remote Access, and then click Network Interfaces.

  3. In the Network Interfaces list, right-click the demand-dial interface that you want to modify, and then click Properties.

  4. Select the Security tab.

  5. Change the Data encryption entry to either Require encryption (disconnect if server declines) or Maximum strength encryption (disconnect if server declines).

  6. Click OK to save your changes.
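
The following is an added example, not part of the original topic and not Microsoft's code: a PowerShell audit that classifies demand-dial (site-to-site) interfaces by their Data encryption setting. It assumes Windows Server 2012 with the RemoteAccess module, and that the interfaces are listed by `Get-VpnS2SInterface` (the cmdlet is not available on Windows Server 2008 R2). `Test-DemandDialEncryption` and the interface names are hypothetical.

```powershell
# Added example: audit demand-dial interfaces for the condition this topic describes.
# Test-DemandDialEncryption is a hypothetical helper name, not a built-in cmdlet.

function Test-DemandDialEncryption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Interface
    )
    process {
        # Compare as a string so enum values and constructed samples both work.
        $setting = [string]$Interface.EncryptionType
        $finding = switch ($setting) {
            # "No encryption allowed": the condition the BPA rule reports.
            'NoEncryption'       { 'FAIL: data is sent in plaintext' }
            # "Optional encryption (connect even if no encryption)".
            'OptionalEncryption' { 'WARN: connects unencrypted if the peer declines' }
            'RequireEncryption'  { 'OK' }
            'MaximumEncryption'  { 'OK' }
            default { "REVIEW: '$setting' is not one of the four Data encryption options" }
        }
        [pscustomobject]@{
            Name           = $Interface.Name
            EncryptionType = $setting
            Finding        = $finding
        }
    }
}

# Constructed sample objects shaped like Get-VpnS2SInterface output (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'Branch-A'; EncryptionType = 'NoEncryption' }
    [pscustomobject]@{ Name = 'Branch-B'; EncryptionType = 'OptionalEncryption' }
    [pscustomobject]@{ Name = 'Branch-C'; EncryptionType = 'RequireEncryption' }
)
$sample | Test-DemandDialEncryption | Format-Table -AutoSize

# On a live RRAS server, from an elevated session:
#   Get-VpnS2SInterface | Test-DemandDialEncryption | Where-Object Finding -ne 'OK'
# Remediate one interface, previewing the change first with -WhatIf:
#   Set-VpnS2SInterface -Name 'Branch-A' -EncryptionType RequireEncryption -WhatIf
```

Both ends of the tunnel must accept the chosen setting, because the Require and Maximum strength options disconnect if the answering server declines encryption.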

Additional references

For more information about demand-dial routing, see Demand-Dial Routing (http://go.microsoft.com/fwlink/?linkid=156447).

For more information about the Routing and Remote Access role service, see Routing and Remote Access (http://go.microsoft.com/fwlink/?linkid=153482) on TechNet, and Routing and Remote Access Service in the Windows Server Technical Library.