Windows Server 2012 - Routing and VPN server

In business, employees or the boss sometimes have to go on assignment outside the company.
Once they leave the premises, they no longer have access to the services hosted in their company.

To remedy this, there are VPN tunnels. This technology allows you to access your entire LAN from the outside in a completely secure way.
Once connected to your company's VPN server, your computer will virtually be in your company's local network as if you were physically there.

This technology is very convenient, but beware of hacking attempts: if your VPN server is not properly secured, an attacker might use it to gain access to your entire network until you block that access (and by then it will probably be too late).

  1. VPN or DirectAccess?
  2. Configuration used
  3. Install the VPN server and the router
  4. Configure the VPN server and the router
  5. Routing and Remote Access console properties
  6. Allow VPN connection for a user
  7. NPS (Network Policy Server)
    1. IP filters
    2. Network policies
  8. VPN client
    1. Configuration
    2. Properties
    3. Test
  9. Bonus : CMAK
    1. VPN client configuration
    2. VPN client installation

1. VPN or DirectAccess?

When you install Remote Access Services (including VPN), Windows Server asks you to choose between:

  • DirectAccess + VPN
  • DirectAccess only
  • VPN only

So what is the difference between these 2 technologies, and which one should you choose?

1.1. VPN

A VPN creates a secure network connection to your corporate network.
With this network connection, your computer is virtually inside your company's network.

1.2. DirectAccess

As you'll see on the "DirectAccess Overview" page of the Microsoft site, DirectAccess is a technology that allows you to create a two-way connection with an internal network when a DirectAccess computer connects to the Internet.

When you use DirectAccess :

  • The connection is established before the user logs on.
  • The network administrator of your company can manage the security of this PC with security policies.

For example: if an employee has a laptop that is a member of your domain (in your organization's network), you can manage its security and automatically apply settings to it through Group Policy.
This is possible because the laptop is joined to your domain and the employee logs on with a user account from your Active Directory.
However, once the laptop leaves your company, you will no longer be able to manage it, unless you are using DirectAccess.

Note that this technology is very complex to set up, although it is very interesting.

1.3. Conclusion

The technology to use depends on your needs, and especially on whether you want to manage these remote PCs as if they were really in your company's network.

2. Configuration used

For this tutorial, we will use 2 servers :

  1. an Active Directory server
  2. another server linked to this Active Directory, and where the DHCP role is already installed

In our case, our second server will act as a router and a VPN server.
Through this server, users of our network will have access to the Internet, and authorized users will be able to reach our network from outside by connecting to our VPN server.

2.1. Network configuration

Here is the network configuration of our 2 servers.

The first server (Active Directory) :

The second server (router and VPN server).
Since it will act as a router, this server has 2 network cards:

  • the LAN network card, for the internal network. Machines on this network will have IP addresses in 10.x.x.x (a class A range, like the IP addresses distributed by our DHCP server)
  • the WAN network card, connected to the Internet (in our case: to a box connected to the Internet).

For the network card connected to our internal network, we have defined a static IP address "".
Indeed, we must set a static IP address, because the DHCP server is installed on this server and our server will also act as a router.

There is no gateway on this card, because this server is itself the router.
For the DNS server, we use the one that was automatically installed during the installation of the Active Directory (on our 1st server).

For the network card connected to the Internet, our Box distributes IP addresses of type : 192.168.x.x
We have therefore chosen an IP address that is easy to memorize :
The gateway corresponds to the IP address of our Box :
For DNS servers, we will use those provided by our ISP (which are configured in the Box) and Google's public DNS servers.

2.2. DNS configuration

On the server where you installed your Active Directory, you will also find a DNS server (this one was automatically installed when the Active Directory was installed).
However, by default, this DNS server resolves only domain names of your local network.

To allow your DNS server to also resolve Internet domain names, you will need to add forwarders.
To do this, launch the "DNS" console, then right-click your server's name and choose "Properties".
Then, go to the "Forwarders" tab, click the "Edit" button at the bottom of the list and add the Google public DNS servers ( and

For more information about this configuration, see : Configuring the DNS server (to support Internet)

2.3. Configure the DHCP server

For the DHCP server installed on the server that will act as a router and VPN server, we have configured it to :

  • distribute IP addresses of type : 10.0.0.x
  • send the IP address of our future router as the default gateway (Option : 003 Router)
  • send the IP address of our Active Directory server as a DNS server (Option : 006 DNS servers)
  • send the local domain name "informatiweb.lan" as the DNS suffix (Option : 015 DNS Domain Name) - optional
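
The settings from sections 2.2 and 2.3 can be checked from PowerShell before the VPN role is installed. The following is an added example, not part of the original tutorial: the function name and all parameters are hypothetical, every address is supplied by the caller, and it assumes the DnsServer and DhcpServer modules are available on the router/VPN server.

```powershell
# Added example (not from the original tutorial). Run on the router/VPN server,
# which hosts the DHCP role. Only the option numbers (003, 006, 015) and the
# DNS suffix come from the tutorial; all addresses are caller-supplied.
function Test-VpnLabPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DnsServerName,      # Active Directory / DNS server
        [Parameter(Mandatory)] [string[]] $ExpectedForwarder,  # forwarders added in section 2.2
        [Parameter(Mandatory)] [string]   $ScopeId,            # network ID of the 10.0.0.x scope
        [Parameter(Mandatory)] [string]   $RouterLanIp,        # LAN address of this server
        [Parameter(Mandatory)] [string]   $AdDnsIp,            # address of the AD/DNS server
        [string] $DnsSuffix = 'informatiweb.lan'
    )

    # Section 2.2: forwarders configured on the Active Directory DNS server
    $fwd = (Get-DnsServerForwarder -ComputerName $DnsServerName).IPAddress |
        ForEach-Object { $_.IPAddressToString }
    $rows = @(@{ Check = 'DNS forwarders'; Expected = $ExpectedForwarder; Actual = $fwd })

    # Section 2.3: scope options 003 Router, 006 DNS servers, 015 DNS domain name.
    # An option defined only at server level is reported as missing here.
    $want = @{ 3 = $RouterLanIp; 6 = $AdDnsIp; 15 = $DnsSuffix }
    foreach ($id in 3, 6, 15) {
        $opt = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId $id `
                   -ErrorAction SilentlyContinue
        $rows += @{ Check = ('DHCP option {0:D3}' -f $id)
                    Expected = $want[$id]; Actual = $opt.Value }
    }

    # Emit one result object per check; order of multi-valued entries is ignored
    foreach ($r in $rows) {
        $e = (@($r.Expected) | Sort-Object) -join ','
        $a = (@($r.Actual)   | Sort-Object) -join ','
        [pscustomobject]@{ Check = $r.Check; Expected = $e; Actual = $a; Pass = ($e -eq $a) }
    }
}

# Usage (placeholders, replace with your own values):
# Test-VpnLabPrerequisite -DnsServerName <ad-server> -ExpectedForwarder <ip1>,<ip2> `
#     -ScopeId <scope-network-id> -RouterLanIp <router-lan-ip> -AdDnsIp <ad-server-ip> |
#     Format-Table -AutoSize
```

A failed "DHCP option 003" or "006" row means LAN clients will not use this server as their gateway or will not resolve the Active Directory domain, which is worth catching before remote users depend on the same path.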

3. Install the VPN server and the router

To begin, start the wizard to add roles and features.

As you can see, our second server has two IP addresses (one for each network adapter).

Add only the "Remote Access" role and click "Next".

No feature required.
Click Next.

Windows displays a description of the "Remote Access" role and of the "DirectAccess" technology.

Check the "DirectAccess and VPN (remote access)" and "Routing" role services.

Windows displays a description of the "Web Server (IIS)" role.

Click Next.

Click "Install".
As you can see, the wizard will also install the Connection Manager Administration Kit (CMAK).
This program will allow you to create an executable that automatically installs and configures a VPN client on your users' computers with the settings you want.
In short, for your users, it will be enough to launch this program to be able to connect to the VPN server of your company.
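
The same installation can be scripted, and comparing the installed features before and after shows exactly which extra components (such as the Web Server (IIS) role and CMAK mentioned above) now exist on a server that will face the Internet. This is an added example, not part of the original tutorial; the function name is hypothetical, and `DirectAccess-VPN` and `Routing` are the Server Manager feature names for the two boxes checked in the wizard.

```powershell
# Added example (not from the original tutorial). Run in an elevated session
# on the server that will become the router and VPN server.
function Install-VpnRouterRole {
    [CmdletBinding()]
    param(
        [switch] $PreviewOnly   # only show what would be installed
    )

    # Role services ticked in the wizard; confirm the names on your build with:
    #   Get-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing
    $roleServices = 'DirectAccess-VPN', 'Routing'

    if ($PreviewOnly) {
        return Install-WindowsFeature -Name $roleServices -IncludeManagementTools -WhatIf
    }

    # Snapshot of what is installed before the change
    $before = (Get-WindowsFeature | Where-Object Installed).Name

    $result = Install-WindowsFeature -Name $roleServices -IncludeManagementTools

    # Everything that was not installed before: the requested role services
    # plus the dependencies Windows added on its own
    $added = Get-WindowsFeature |
        Where-Object { $_.Installed -and ($before -notcontains $_.Name) } |
        Select-Object Name, DisplayName

    [pscustomobject]@{
        Success       = $result.Success
        RestartNeeded = $result.RestartNeeded
        Added         = $added
    }
}

# Usage:
# Install-VpnRouterRole -PreviewOnly
# $r = Install-VpnRouterRole
# $r.Added | Format-Table -AutoSize
```

Keep the `Added` list with your server documentation: each entry is a component to patch and to account for when you later write firewall rules for the WAN interface.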

When the installation is complete, click the "Open the Getting Started Wizard" link.