Remote Access VPN Feature in the Windows Server Environment

Bulitha Kawushika de Zoysa
11 min read · Mar 27, 2024


Introduction

The remote access feature in Windows Server is essential for both users and administrators. It allows users to connect to the server from anywhere over a network, enabling access to files and programs remotely. Simultaneously, administrators can use this feature to manage and maintain the server’s settings, troubleshoot issues, and perform administrative tasks without being physically present at the server’s location.

Remote Access integrates DirectAccess, VPN, and Web Application Proxy in a single management console.

  • DirectAccess - Deploy DirectAccess to allow managed, domain-joined computers to connect to the internal corporate network as DirectAccess clients. Connectivity is seamless and transparent and is available any time client computers are located on the Internet. DirectAccess administrators can remotely manage clients, ensuring that mobile computers are kept up to date with security updates and corporate compliance requirements.
  • VPN - Deploy VPN to allow client computers running operating systems not supported by DirectAccess, or configured in a workgroup, to remotely access corporate networks over a VPN connection.
  • Web Application Proxy - Deploy Web Application Proxy to publish selected HTTP and HTTPS based applications from your corporate network to client devices outside of the corporate network. It can use AD FS to ensure that users are authenticated before they gain access to published applications. Web Application Proxy also provides proxy functionality for your AD FS servers.

In this demonstration, I used a deployed VPN to access the server remotely. A remote access VPN allows secure connectivity for remote users to access the organization’s network resources over the internet. The VPN service uses the connectivity of the internet and a combination of tunneling and data encryption technologies to connect remote clients and offices. With VPN and routing services, we can also choose to deploy Always On VPN. Always On VPN enables Windows 10 clients to securely access shared resources, intranet web sites, and applications on an internal network without having to connect manually.

Feature Details

Functionality

1. Always On VPN —

Always On VPN allows you to:

  • Configure auto-triggering for user and device authenticated connections.
  • Maintain network security, restricting connection by traffic types, applications, and authentication methods.
  • Control your network by creating routing policies at a granular level, even down to the individual application.
  • Create advanced scenarios by integrating Windows operating systems and third-party solutions.
  • Configure your VPN settings with a standard XML profile (ProfileXML) which is defined by an industry standard configuration template. You can deploy and manage your VPN settings with Windows PowerShell, Microsoft Endpoint Configuration Manager, Intune, Windows Configuration Designer, or any third-party mobile device management (MDM) tool.

2. Secure Connectivity —

Remote Access VPN ensures encrypted communication between remote users and the organization’s internal network, safeguarding data during transmission.

3. Authentication and Authorization —

Users connecting through the VPN are typically authenticated against the organization’s Active Directory, ensuring only authorized personnel can access network resources.

Importance

  • Remote Work Enablement — In the modern work landscape, Remote Access VPNs play a crucial role in facilitating remote work by providing secure access to corporate resources for employees working outside the office.
  • Data Security — The encrypted tunnel established by the VPN enhances data security, making it difficult for unauthorized entities to intercept or tamper with sensitive information during transit.
  • Cost-Efficiency — VPNs can be a cost-effective solution for remote connectivity compared to alternatives like dedicated private networks. This is especially relevant for smaller organizations with budget constraints.
  • Compliance and Security Standards — Many industries and regulatory bodies mandate secure communication practices. Remote Access VPNs assist in achieving compliance with data protection and privacy standards by encrypting data in transit and enforcing access controls.
  • Geographic Flexibility- Remote Access VPNs provide geographic flexibility, allowing employees to connect to the corporate network from virtually anywhere with internet access. This is particularly beneficial for businesses with a distributed workforce or global operations.

Potential Benefits

  • Integration with Active Directory- Seamless integration with Active Directory simplifies user authentication and ensures consistent access policies.
  • Centralized Management- Windows Server provides tools for centralized management of VPN connections, making it easier for administrators to monitor and control remote access.
  • Encrypted Secure Connections- enhanced security through encrypted connections, user authentication, and facilitating secure remote access to corporate networks.

Implementation Process

First, open Server Manager, navigate to Manage > Add Roles and Features, and add the Remote Access server role.

Add Remote Server Feature

Next, select the role services.

The DirectAccess and VPN (RAS) role service facilitates secure remote access to corporate resources by offering both DirectAccess and traditional VPN connectivity. DirectAccess provides seamless, always-on access for domain-joined devices, allowing users to reach resources securely without manually establishing a VPN connection. Traditional VPN (RAS, Remote Access Service) supports a wide range of devices and authentication methods, giving flexibility in remote connectivity while maintaining security measures such as encryption and multi-factor authentication.

Routing efficiently manages network traffic between remote clients and corporate resources, ensuring secure data packet routing across networks while maintaining segmentation and security. It employs dynamic routing protocols, network address translation (NAT), and Quality of Service (QoS) policies to optimize performance and prioritize traffic according to business requirements.

The Web Application Proxy, as part of Remote Access, acts as a reverse proxy for internal web apps, securing remote access through user authentication and features like single sign-on while safeguarding web servers and ensuring compliance with organizational policies.

In this demonstration, I install DirectAccess and VPN (RAS) only. Network traffic management and additional authentication are not a concern in this virtual machine environment. In real-world scenarios, however, Routing and Web Application Proxy may be required to manage network traffic efficiently and to strengthen authentication.

Add Direct Access and VPN

Then install the feature and click on the Getting Started Wizard link.

Install Feature

Then select Deploy VPN only. We do not require DirectAccess; we want to establish a VPN connection only between the client and the server.

Deploy VPN only

The Routing and Remote Access window then opens. Right-click FCT-DC1 (our domain controller) and select Configure and Enable Routing and Remote Access.

Configure Remote Access

We have several options here. Let us discuss these features briefly.

  • NAT is a method of rewriting network address information in packet headers while they are in transit across a traffic routing device, typically a router or firewall. It hides internal IP addresses from external networks and conserves public IP addresses, allowing multiple devices on a private network to share a single public address.
  • Dial-up is a method of connecting to the Internet or a private network using a standard telephone line and a modem.
  • Secure connection between two private networks links our network to another remote network. A real-world case is connecting a company’s headquarters to its branch office network securely over the internet.

My goal is to connect an individual client PC to the remote network. We therefore do not want the dial-up feature, and we do not need to connect two networks. In this demo, we select Custom Configuration, which lets us pick any combination of services according to our requirements.

Custom Configuration

Now we want to select the services that we want to enable. As I mentioned previously, we do not require dial-up, LAN routing and NAT services. Select VPN access.

VPN Access

After finishing this setup, we can see that the start service notification pops up. Click Start Service.

Start Service

Then the Routing and Remote Access window will open. Right-click on FCT-DC1 (Domain Controller) and go to Properties.

Properties

Then we can see that DHCP is already selected in the IPv4 tab. In our lab, we already created a DHCP service on this server, so it will work. If you are interested in knowing how to configure DHCP service on Windows Server, you can refer to my ADDS, DNS, and DHCP Configuration article. If we do not have a DHCP server, we should manually add a static address pool here.

Add IP Addresses

Let’s navigate to Ports under FCT-DC1 (local). Right-click Ports and set the maximum number of ports to 2. The default maximum is 128, but we do not need that many; two ports are enough for this demonstration. If we need more, we can set that here.

Maximum Port Number

Navigate to Tools > Active Directory Users and Computers, find the Staff users, right-click, and go to Properties.

Navigate to Users and Computers

In the user’s properties, Network Access Permission is set to Control access through NPS Network Policy. So, we must create such a policy.

NPS Network Policy

Navigate to Network Policy Server via Tools > Network Policy Server. Right-click Network Policies and add a new policy.

Network Policy Server

Give the policy name “MYLAB VPN Test Policy” and change the type of network access server to Remote Access Server (VPN — dial up).

Policy name

To add a new condition, select the Windows Groups condition. Click the Add button, and then click Add Groups.

Add Condition

Then add the staff group. In this demonstration, I added remote access to the staff group. If we want to give access to a special group of staff, we can create a new group under the staff group, and then we can add it.

Add Group

Then grant access and click next.

Access Granted

Then select Microsoft: Secured password (EAP-MSCHAP v2) as the EAP type and untick the other authentication methods.

In VPN remote access on Windows Server, Microsoft: Secured password (EAP-MSCHAP v2) is the user authentication method. The client never sends the password itself over the link; it answers a challenge from the server with a value derived from the password, so a party observing the connection does not obtain the password in clear text. This protects the credential exchange when staff connect from remote locations and helps keep network resources restricted to authenticated users.

Add EAP
Remove other Encrypted Authentications

After that, click the Finish button. Then we can see the policy is enabled.

New Network Policy

Then we need to configure port forwarding on the router. In this scenario, I assume staff users access the server through the configured VPN from outside our local network, that is, over the internet. So we first change the VM’s network adapter to NAT and configure port forwarding on the router so the VPN is reachable. We should also enable PPTP passthrough under the router’s VPN security settings.

PPTP Passthrough

Then move to the client computer (the staff user). We should first set up a VPN connection on the client computer. So right-click on the start button and select Network Connections.

Network Connections Settings

Then navigate to VPN and add a new VPN connection. Set the VPN provider to Windows (built-in) and the connection name to “MYLAB_TEST_VPN”. Enter the public IP address of the VPN server, and set the VPN type to Point-to-Point Tunneling Protocol (PPTP).

Add VPN Connection

Then click Connect and provide credentials to connect to the VPN.

VPN Connected

Back in Routing and Remote Access on the server, our staff user’s client now appears under Remote Access Clients. The WAN Miniport (PPTP) (VPN4–1) port on the server is also active. This confirms that the server has been reached through the VPN connection.

Port is Active

Also, we can see our newly created VPN connection in the client computer network connection. Therefore, we can verify that this configuration is successful.

VPN Connection
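The server-side steps above (add the role, deploy VPN only, cap PPTP ports at 2, require EAP, then verify), driven from the RemoteAccess PowerShell module instead of the wizards. This is an added example, not code from the original article; it assumes an elevated session on the VPN server (FCT-DC1 in this lab) and that DHCP on the same server hands out client addresses, as in the walkthrough.

```powershell
# Added example (not from the original article). Assumes: elevated PowerShell on
# FCT-DC1, DHCP already serving the LAN, and an NPS policy created as above.

# 1. Remote Access role with the "DirectAccess and VPN (RAS)" role service only
#    (Routing and Web Application Proxy are left out, as in the demo).
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. "Deploy VPN only": configure RRAS as a remote-access VPN server. With no
#    static pool supplied, connecting clients get addresses from DHCP.
Install-RemoteAccess -VpnType Vpn

# 3. The Ports dialog: keep two WAN Miniport (PPTP) ports instead of the default 128.
Set-VpnServerConfiguration -TunnelType Pptp -PptpPorts 2

# 4. Accept only EAP for user authentication at the RRAS level. Which EAP type
#    (EAP-MSCHAP v2) and which group (Staff) are allowed is still decided by the
#    NPS network policy "MYLAB VPN Test Policy" created in the NPS console.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP

# Apply the changes.
Restart-Service RemoteAccess

# 5. Verification, matching the Ports view and the Remote Access Clients node:
#    configured port counts per tunnel type, then the sessions currently connected.
Get-VpnServerConfiguration | Select-Object PptpPorts, L2tpPorts, SstpPorts, Ikev2Ports
Get-RemoteAccessConnectionStatistics |
    Select-Object UserName, ClientIPv4Address, ConnectionStartTime, ConnectionDuration
```

The last two cmdlets are the ones to re-run after the client connects: the staff user should appear with the address DHCP assigned and the time the tunnel came up.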

Lab Observation

  • User Experience - The remote access feature in Windows Server lets users reach files and programs remotely, while administrators can manage the server from anywhere, which makes the setup more flexible for both groups.
  • PPTP Passthrough on firewalls - The router must be configured to pass PPTP through (TCP port 1723 and GRE, IP protocol 47); otherwise the connection will not come up. PPTP with MS-CHAP v2 is a legacy combination, so outside a lab prefer a newer tunnel type such as SSTP or IKEv2.
  • Performance - Evaluate the performance of the VPN connection, considering factors like speed and latency.
  • Logging and Monitoring - Explore logging and monitoring tools to track VPN usage and identify potential issues.
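For the logging and monitoring point, the script below reads the NPS and RRAS event logs and the live session list on the server, which is how an administrator can see the policy above granting or denying each staff connection. This is an added example, not code from the original article; it assumes an elevated session on FCT-DC1, which hosts both NPS and RRAS in this lab, and relies on the standard Windows event IDs 6272/6273 (NPS) and 20274/20275/20271 (RRAS).

```powershell
# Added example (not from the original article). Assumes elevated PowerShell on
# FCT-DC1 with NPS and RRAS installed; the event IDs used are standard Windows ones.

function Get-VpnAccessDecisions {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # NPS writes 6272 (access granted) and 6273 (access denied) to the Security log.
    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named fields out of the event's XML payload.
        $data = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Result   = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User     = $data['FullyQualifiedSubjectUserName']
            ClientIP = $data['CallingStationID']   # remote client's address for VPN
            Policy   = $data['NetworkPolicyName']  # expect "MYLAB VPN Test Policy"
            EapType  = $data['EAPType']
            Reason   = $data['Reason']             # populated on 6273 only
        }
    }
}

function Get-VpnSessionEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # RRAS logs 20274 (user connected), 20275 (user disconnected) and
    # 20271 (failed authentication) to the System log, provider RemoteAccess.
    $filter = @{ LogName = 'System'; ProviderName = 'RemoteAccess'
                 Id = 20274, 20275, 20271; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Denied attempts first: a user outside the Staff group, a disabled account or a
# client offering the wrong EAP type all show up here with a Reason.
Get-VpnAccessDecisions | Where-Object Result -eq 'Denied'  | Format-Table -AutoSize
Get-VpnAccessDecisions | Where-Object Result -eq 'Granted' | Format-Table -AutoSize
Get-VpnSessionEvents | Format-Table -Wrap -AutoSize

# Live sessions, the same view as the Remote Access Clients node in the console.
Get-RemoteAccessConnectionStatistics |
    Select-Object UserName, ClientIPv4Address, ConnectionStartTime, TotalBytesIn, TotalBytesOut
```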

Conclusion

The Remote Access VPN feature in Windows Server is a critical component for enabling secure remote access, especially in today’s dynamic work environment. Its integration with Active Directory, centralized management capabilities, and emphasis on data security make it an essential tool for organizations seeking to provide remote connectivity without compromising on security. The successful implementation and effective management of this feature contribute significantly to streamlined server management and enhanced organizational productivity.

Bulitha Kawushika de Zoysa

Undergraduate | B.Sc. (Hons) in Computer Science University of Kelaniya | Cyber Security specialization