Configure TCP/IP on the VPN Server

Article
07/03/2012

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

After configuring the server as a remote access server, configure the TCP/IP settings for the Internet or perimeter network interface and for the intranet interface. The connection to the Internet from a computer running RRAS on Windows Server 2008 R2 or Windows Server 2008 is typically a dedicated connection – a WAN adapter installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, Frame Relay adapter, or an adapter for another high-speed dedicated connection. Verify that the WAN adapter is compatible with your version of Windows Server. The WAN adapter includes drivers that are installed so that the WAN adapter appears as a network adapter.

Note

Because of possible routing issues that might occur if you configure TCP/IP automatically, we recommended that you do not configure a VPN server as a DHCP client. Instead, manually configure TCP/IP on the intranet interfaces of a VPN server. For information about configuring routing, see Configure Routing on a VPN Server.

Manually configure the Internet or perimeter network interface of the VPN server with a default gateway. Configure the TCP/IP settings with a public IP address, a subnet mask, and the default gateway of either the firewall (if the VPN server is connected to a perimeter network) or an ISP router (if the VPN server is connected directly to the Internet).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

In this section

To configure TCP/IPv4 for the Internet or perimeter network interface
To configure TCP/IPv4 for the intranet interface
To configure TCP/IPv6 for the Internet or perimeter network interface
To configure TCP/IPv6 for the intranet interface

To configure TCP/IPv4 for the Internet or perimeter network interface

Click Start, click Run, type control netconnections, and then press ENTER.
Double-click the network adapter connected to the Internet or perimeter network.
In the network adapter status dialog box (for example, Local Area Connection Status), click Properties.
Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
On the General tab, configure the IP address, subnet mask, and default gateway.

The IP address must be a public IP address assigned by an ISP. As an option, you can configure the VPN server with a private IP address but use a network address translator (NAT) to assign it a published static IP address by which it is known on the Internet. When packets are sent to and from the VPN server, the NAT that is positioned between the Internet and the VPN server translates the published IP address to the private IP address.

When you configure a VPN connection, give your VPN servers public names that resolve to IP addresses by using DNS A records.
Click Advanced to display the Advanced TCP/IP Settings dialog box.
To prevent the VPN server from dynamically registering the public IP address of its Internet interface with an intranet DNS server, on the DNS tab, clear the Register this connection’s addresses in DNS check box.
To prevent the VPN server from registering the public IP address of its Internet interface with intranet WINS servers, on the WINS tab, select the Disable NetBIOS over TCP/IP check box.
Click OK three times, and then click Close to save your changes.

To configure TCP/IPv4 for the intranet interface

Click Start, click Run, type control netconnections, and then click OK.
Double-click the network adapter connected to the intranet network.
In the network adapter status dialog box (for example, Local Area Connection 2 Status), click Properties.
Select Internet Protocol Version 4 (TCP/IPv4) , and then click Properties.
On the General tab, configure the IP address, subnet mask, and DNS server address.

Important

To prevent default route conflicts with the default route pointing to the Internet, do not configure a default gateway on the intranet connection. Your RRAS server should have only one default gateway, configured on the Internet or perimeter network adapter, pointing to the ISP router or perimeter network firewall.

Click Advanced to display the Advanced TCP/IP Settings dialog box.
On the WINS tab, configure the IP addresses of your WINS servers.
Click OK three times, and then click Close to save your changes.

To configure TCP/IPv6 for the Internet or perimeter network interface

Click Start, click Run, type control netconnections, and then press ENTER.
Double-click the network adapter connected to the Internet or perimeter network.
In the network adapter status dialog box (for example, Local Area Connection Status), click Properties.
Select Internet Protocol Version 6 (TCP/IPv6), and then click Properties.
On the General tab, configure the IP address, subnet prefix length (typically 64), and default gateway.

The IPv6 address must be a public IPv6 address assigned by an ISP. NAT is not an option for IPv6.

When you configure a VPN connection, give your VPN servers public names that resolve to IPv6 addresses by using DNS AAAA records.
Click Advanced to display the Advanced TCP/IP Settings dialog box.
To prevent the VPN server from dynamically registering the public IP address of its Internet interface with an intranet DNS server, on the DNS tab, clear the Register this connection’s addresses in DNS check box.
Click OK three times, and then click Close to save your changes.

To configure TCP/IPv6 for the intranet interface

Click Start, click Run, type control netconnections, and then click OK.
Double-click the network adapter connected to the intranet network.
In the network adapter status dialog box (for example, Local Area Connection 2 Status), click Properties.
Select Internet Protocol Version 6 (TCP/IPv6) , and then click Properties.
On the General tab, configure the IP address, subnet prefix length (typically 64), and DNS server address.