SBS 2011 Essentials – Configuring VPN access
It has been pointed out that SBS 2011 Essentials does not have the familiar wizards to create VPN access to the server. Though a better and MUCH more secure option is to make use of Remote Web Access, or add a VPN capable router that supports an IPSec client, on occasion there are reasons to still make use of the native Windows VPN feature. Where SBS has traditionally supported the PPTP protocol for its VPN, this article will address creating similar service.
Add the RRAS Role:
The first step is to add the RRAS (Routing and Remote Access) role. To do so open the Server Manager under Administrative Tools, click on roles, scroll down to the Network Policy And Access Service role, and choose Add Role Services.
In the resulting window add the RRAS services.
Click Next, and Install.
Open the newly created RRAS console, under Administrative Tools, and then right click on the server name and choose Configure and Enable Routing and Remote Access. Select Next, and then choose Custom Configuration, and Next.
Select VPN Access and LAN Routing in the next window.
Choose Next, Finish, accept the notification that a default Network Policy Server policy has been created, confirm to start the service (RRAS), and wait for it to complete.
SBS Essentials is not the DHCP server for the network in a default configuration. Though you may be able to configure a DHCP relay it is simplest to create a static address pool for VPN clients from which they can obtain an IP address. To do so in the RRAS console right click on the server name and choose properties. Under the IPv4 tab select Static Address Pool, Add, and then enter a range of IP’s to be assigned to the VPN clients. Make sure you have enough to support the total number of simultaneous VPN clients you will have. This range needs to be part of the same subnet as the server itself, and the IP’s selected cannot overlap with any existing DHCP scopes or statically assigned devices on the network.
You also need to verify the number of available PPTP ports is sufficient to support the maximum number of simultaneous VPN connections. The default with SBS Essentials is 50, which should be more than enough. However if you wish to make adjustments it can be set from 1 and 128. You can also reduce the number of ports for other protocols not in use if you like, though there is no need. To configure right click on Ports in the RRAS console below the server name, and choose properties. To make changes highlight the port type and click Configure:
Add a Group:
Next we will create a group for VPN users. Only members of this group will be granted access to the server using the VPN connection. Open Active Directory Users and Computers, expand your domain, right click on Users and choose New, then Group.
Enter a name for your group such as “VPN Users” and select Global & Security. Click OK.
You can now double click on the newly created group and add members by adding individual users or existing groups. For example you might want to add the Domain Users group, if you want to allow all users access. You can manually type these in and click Check Names, or choose Advanced and Find to browse and locate users and groups.
The final server configuration is to add a policy to define who has access to the server using the VPN. In server 2003 and earlier, if RADIUS was not configured, the common way of allowing access was to simply select “Allow Access” in each user’s profile. This still works, but it is better to make use of NPS and have polices defining protocols, user, hours of access, and more, so I suggest leaving this set as Control Access through NPS Network Policy”.
Again under Administrative Tools, open the Network Policy server console, expand Policies, and click on Connection Request Policies. You will note to the right, configuring Radius has already created the default Microsoft Routing and Remote Access Service Policy.
We will add a new Network Policy. Right click on Network Policies and choose New, enter a policy name such as “ VPN User Access”, select Remote Access Server (VPN Dial-up), and Next
In the Specify Conditions window scroll down to find the User Groups option, click Add, Add Groups, enter the name of the group you created earlier (VPN Users), and OK.
In the next two windows you can accept defaults;
Under Configure Constraints choose NAS port type, then under Configure Dial-up and VPN tunnel types select Virtual (VPN), which will automatically check the same under Other.
Accept defaults under Configure Settings, click Next and Finnish.
Though you can add many restrictions within the policy, I recommend configuring with the SBS standards as above and thoroughly testing your VPN before tightening security. You can also create multiple policies with different restrictions for different groups if needed.
The above configuration should have automatically configured the necessary Firewall Exceptions for RRAS, but to verify compare to the following.
In the Windows Firewall console:
In the Windows Firewall with advanced Security console (Note: The L2TP-In policy was created, but is not necessary for our configuration.):
You will also have to manually configure your router to forward the PPTP protocol and enable GRE pass-through. In an ideal world if UPnP is enabled on the router (which I don’t recommend) the SBS will configure port forwarding for port 1723, but it will not address GRE. Configuring a router to forward VPN traffic is done in a multitude of different ways depending on the router used. Most of the inexpensive SOHO routers are configured by forwarding port 1723 to the IP address of the SBS, and under the firewall section select “allow PPTP pass-through”. Some others allow you to forward the PPTP service rather than the port, which both forwards port 1723 and enables GRE pass-through. Still others have different methods or require manual commands. Keep in mind GRE is a protocol (protocol 47) and not port 47 so it cannot be configured with a forwarding rule. You can test if port forwarding is properly configured by entering 1723 in the “port” box at http://www.canyouseeme.org/ however this will not test for GRE pass-through. If the VPN connection fails with a 721 or 806 error, it usually indicates GRE is blocked. Keep in mind GRE and/or PPTP can be blocked by third party security software on your server, or an ISP that does not support the protocol.
While on the subject of routers, it was mentioned above when creating the static address pool in RRAS that; “the IP’s selected cannot overlap with any existing DHCP scopes or statically assigned devices on the network”. I strongly recommend verifying that the router’s DHCP address range available to clients does not conflict with that of the static address pool. If your router supports exclusions, add the RRAS static address range, or in the example above we used 192.168.22.200-219 for the static address pool, so set the router’s DHCP range to something like 192.168.22.100-199. Again make sure neither conflict with any devices that may have a static address such as a printer.
A note about routing: An important fact to note that is that when traffic is sent from one network segment to another, as is done with a VPN, that all segments in the path between the client and host must use a different network ID (Subnet) for routing to take place. For example, if the remote client and server sites both were to use 192.168.0.X locally, the VPN will connect, but you cannot access resources. This is important to be aware of since SBS Essentials defaults to having the router determine the subnet, and if the default router settings are used, it is common to have them overlap with the client site. It is always best to use uncommon subnets for the corporate site. Therefore avoid the common/default subnets listed below and use something like 192.168.123.x when setting up the SBS site.
- Avoid the following subnets as they are common router or user defaults with the first two being extremely common: 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, 192.168.111.x, 10.0.0.x, 10.0.1.x, 10.1.1.x, 10.10.10.x, 172.16.1.x
Creating client access is very straight forward. Open the Network and Sharing Center in control panel, and click on Connect to a workplace, and Next.
Choose No, create a new connection, and in the next window select Use my Internet connection (VPN). In the resulting window enter the public IP or the FQDN of your SBS site, and a ‘friendly’ name for the connection. Select allow other people to use this connection, and/or don’t connect now, if you wish.
In the final window enter a user name (member of your VPN User Group) and password. I do not recommend choosing the save password option, for security reasons. Then click connect. If all is in place you should now be able to connect to the server and other resources on the network. You may wish to test by Pinging the server IP.
You will likely not be able to access resources using either their NetBIOS or DNS name. At this point you are best to connect using the IP address such as \\192.168.123.123\ShareName. If you wish to use DNS names you need to configure the VPN (Virtual NIC) under adapter settings to point to the SBS for DNS, and add the DNS suffix. For more details see: VPN client name resolution
With SBS 2003 there was an option to create a deployable VPN client named “Connection Manager”. This was a fully configured client that did allow you access to the server using DNS names, and was very easy for clients to install on their remote computer. This is not longer available but if interested you can create your own installation package, with connection and DNS options pre-configured, using CMAK (Connection Manager Administration Kit). For details see: http://technet.microsoft.com/en-us/library/cc753977(WS.10).aspx
Updated Jan 31/2011:
After the first client has connected by VPN, check the DNS management console and see if the VPN’s virtual adapter IP has been added under Interfaces. If so you need to uncheck it, or client machines will receive this as their DNS server IP. You can find the VPN IP by running IPconfig and look next to the PPP adapter.