Install Remote Access as a VPN server

In this getting started guide, we'll show you how to install and configure Remote Access (RAS) as a VPN server.

Prerequisites

Membership in Administrators, or equivalent, is the minimum required to perform these procedures. However, if the RAS server is domain joined, then the procedures need to be performed by a domain administrator.

Install the Remote Access role

To install the Remote Access role by using Windows PowerShell:

  1. Open Windows PowerShell as Administrator.

  2. Enter and run the following cmdlet:

    Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
    

    After installation completes, the following message appears in Windows PowerShell.

    | Success | Restart Needed | Exit Code |               Feature Result               |
    |---------|----------------|-----------|--------------------------------------------|
    |  True   |       No       |  Success  | RAS Connection Manager Administration Kit |
    

Configure Remote Access as a VPN server

In this section, we'll configure Remote Access to allow IKEv2 VPN connections and to deny connections from other VPN protocols. We'll also assign a static IP address pool for the issuance of IP addresses to connecting authorized VPN clients.

Routing and Remote Access Services (RRAS) supports remote user or site-to-site connectivity by using virtual private network (VPN) or dial-up connections. It accepts VPN connections based on protocols such as PPTP, L2TP, SSTP, and IKEv2. These protocols are all enabled by default when the RRAS role is installed and set up with the default configuration. By default, an authorized client can establish a VPN connection using any of the enabled protocols. Beginning with Windows Server 2025, new RRAS setups don't accept VPN connections based on the PPTP and L2TP protocols. You can still enable these protocols if necessary. SSTP and IKEv2 based VPN connections are still accepted without any change.

Existing configurations and Windows Server releases retain their behavior. For example, if you're running Windows Server 2019 and accept PPTP and L2TP connections, when you update to Windows Server 2025 using an in-place update, L2TP and PPTP based connections are still accepted. This change doesn't affect Windows client operating systems.

Note

Instead of IKEv2, you can also choose to use SSTP. We don't recommend that you use PPTP, due to its lack of security features.

  1. Make sure that your firewall rules allow UDP ports 500 and 4500 inbound to the external IP address applied to the public interface on the VPN server.

  2. On the VPN server, in Server Manager, select the Notifications flag. You may have to wait a minute or two to see the Notifications flag.

  3. In the Tasks menu, select Open the Getting Started Wizard to open the Configure Remote Access wizard.

    Note

    The Configure Remote Access wizard might open behind Server Manager. If you think the wizard is taking too long to open, move or minimize Server Manager to find out whether the wizard is behind it. If not, wait for the wizard to initialize.

  4. Select Deploy VPN only to open the Routing and Remote Access Microsoft Management Console (MMC).

  5. Right-click the VPN server, and then select Configure and Enable Routing and Remote Access to open the Routing and Remote Access Server Setup Wizard.

  6. In the Welcome to the Routing and Remote Access Server Setup Wizard, select Next.

  7. In Configuration, select Custom Configuration, and then select Next.

  8. In Custom Configuration, select VPN access, and then select Next to open the Completing the Routing and Remote Access Server Setup Wizard.

  9. Select Finish to close the wizard, then select OK to close the Routing and Remote Access dialog box.

  10. Once the VPN server is running, right-click the VPN server and select Properties.

  11. Select the IPv4 tab and do the following steps:

    1. Select Static address pool.

    2. Select Add to configure an IP address pool.

    3. In Start IP address, enter the starting IP address in the range you want to assign to VPN clients.

    4. In End IP address, enter the ending IP address in the range you want to assign to VPN clients, or in Number of addresses, enter the number of addresses you want to make available.

  12. Select OK to close the Properties dialog.

  13. In the Routing and Remote Access MMC, right-click Ports, and then select Properties to open the Ports Properties dialog box.

  14. Select WAN Miniport (SSTP) and select Configure to open the Configure Device - WAN Miniport (SSTP) dialog box.

    1. Clear both Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound).

    2. Select OK.

  15. Select WAN Miniport (IKEv2) and select Configure to open the Configure Device - WAN Miniport (IKEv2) dialog box.

    1. Ensure that the Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound) are selected.

    2. In Maximum ports, enter the number of ports to match the maximum number of simultaneous VPN connections that you want to support.

    3. Select OK.

  16. Select WAN Miniport (L2TP) and select Configure to open the Configure Device - WAN Miniport (L2TP) dialog box.

    1. Clear both Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound).

    2. Select OK.

  17. Select WAN Miniport (PPTP) and select Configure to open the Configure Device - WAN Miniport (PPTP) dialog box.

    1. Clear both Remote access connections (inbound only) and Demand-dial routing connections (inbound and outbound).

    2. Select OK.
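
A scripted equivalent of steps 11 and 14 to 17, added here as an example and not part of the original guide, so that the IKEv2-only state can be reapplied and reviewed after changes. The pool range and port count are constructed sample values, and the mapping of the two dialog check boxes to the `rasinonly` and `ddinout` options of `netsh ras set wanports` is this example's assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide). Run on the VPN server after
# step 9, once Routing and Remote Access is configured and running.

# Constructed sample values: replace with your own pool and capacity.
$PoolStart     = '10.10.50.10'
$PoolEnd       = '10.10.50.100'
$MaxIkev2Ports = 50

# Step 11: static IPv4 address pool for VPN clients.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange $PoolStart, $PoolEnd

# Steps 14-17: only the IKEv2 device accepts connections.
$devices = [ordered]@{
    'WAN Miniport (IKEv2)' = 'enabled'
    'WAN Miniport (SSTP)'  = 'disabled'
    'WAN Miniport (L2TP)'  = 'disabled'
    'WAN Miniport (PPTP)'  = 'disabled'
}

foreach ($device in $devices.Keys) {
    $state = $devices[$device]
    # Assumption: rasinonly = "Remote access connections (inbound only)",
    # ddinout = "Demand-dial routing connections (inbound and outbound)".
    $netshArgs = @('ras', 'set', 'wanports', "device=$device",
                   "rasinonly=$state", "ddinout=$state")
    if ($state -eq 'enabled') { $netshArgs += "maxports=$MaxIkev2Ports" }

    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed for '$device' (exit code $LASTEXITCODE)"
    }
}

# Restart the service so the port changes are in effect (this drops active
# VPN sessions), then print the resulting state for review.
Restart-Service -Name RemoteAccess
Get-RemoteAccess
& netsh.exe ras show wanports
```

Compare the `show wanports` output against the four devices above: anything other than IKEv2 still reported as enabled means the server continues to accept that protocol.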

Next steps