In this simulation, you will be configuring remote access so that users can connect to your RAS by connecting to the Internet, and then creating a VPN connection to your server. Unlike most of the other simulations within this course, there are a few steps you'll need to figure out on your own. We'll tell you what to do, but figuring out how to do it will be your task in this exercise.
To configure inbound VPN connections on Windows Server 2019, you need to set up the server as a VPN server by enabling the Routing and Remote Access service (RRAS). Here's a step-by-step guide:
- Install the Remote Access Role
  - Open Server Manager.
  - Click Manage → Add Roles and Features.
  - In the Add Roles and Features Wizard, click Next until you reach the Server Roles section.
  - Select Remote Access and click Next.
  - Under Features, no additional features are needed, so just click Next.
  - On the Role Services screen, check DirectAccess and VPN (RAS).
  - Click Next, then click Install. After the installation is complete, you’ll need to configure the service.
- Configure RRAS (Routing and Remote Access Service)
  - Open Server Manager.
  - Click Tools → Routing and Remote Access.
  - In the RRAS window, right-click the server and select Configure and Enable Routing and Remote Access.
  - In the wizard, select Custom configuration.
  - Check VPN access and NAT (if needed), then click Next.
  - Click Finish and then start the RRAS service when prompted.
- Configure IP Address Assignment
  - Right-click the server name in the Routing and Remote Access window and select Properties.
  - Go to the IPv4 tab.
  - If you have a DHCP server, you can select Dynamic Host Configuration Protocol (DHCP) for IP assignment.
  - If you don’t have a DHCP server, select Static address pool and specify the IP address range that will be used for the VPN clients.
  - Click Apply and OK.
- Configure VPN Authentication
  - In the RRAS window, right-click the server and go to Properties again.
  - Under the Security tab, configure your authentication methods:
    - Windows Authentication is typically used for domain-based credentials.
    - RADIUS Authentication can be used if you have a RADIUS server in your environment.
  - Click Apply and OK.
- Configure Firewall
  - Ensure that the firewall is configured to allow traffic on the ports used by your VPN protocol. For PPTP, L2TP, or SSTP, these ports include:
    - PPTP: Port 1723 (TCP)
    - L2TP/IPsec: Ports 500, 4500 (UDP), and 1701 (TCP)
    - SSTP: Port 443 (TCP)
  - Open Windows Defender Firewall with Advanced Security and configure inbound rules for these ports, allowing traffic as needed.
- Configure Port Forwarding on Router (if necessary)
  - If the server is behind a NAT device, you may need to configure port forwarding on the router for the VPN-related ports (e.g., 1723, 1701, 443).
- Allow VPN Users
  - Open Active Directory Users and Computers or Local Users and Groups.
  - Right-click the user you want to grant VPN access to and click Properties.
  - Go to the Dial-in tab and select Allow access under Network Access Permission.
  - Click OK.
- Test the VPN Connection
  - On a client machine, open Network and Sharing Center → Set up a new connection or network → Connect to a workplace.
  - Enter the external IP address of the VPN server.
  - Use the assigned credentials to test the connection.
By following these steps, you will have set up inbound VPN connections on a Windows Server 2019 environment.
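The same procedure as a PowerShell script, added here as an example and not part of the original exercise. It narrows the setup to an SSTP-only server with a static address pool, so only TCP 443 is opened inbound. Assumptions: the server is domain-joined with the ActiveDirectory module available, a server certificate for SSTP is already installed, and the pool range and the account name `vpnuser1` are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps, for an SSTP-only VPN server.

# Constructed placeholder values; replace with your own.
$PoolStart = '192.168.50.100'   # first address handed to VPN clients
$PoolEnd   = '192.168.50.150'   # last address handed to VPN clients
$VpnUser   = 'vpnuser1'         # hypothetical domain account to grant dial-in
$RuleName  = 'VPN SSTP inbound (TCP 443)'

# Install the Remote Access role with the DirectAccess and VPN (RAS) role service.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Enable RRAS for inbound VPN and assign client addresses from a static pool.
Install-RemoteAccess -VpnType Vpn -IPAddressRange $PoolStart, $PoolEnd

# Authenticate VPN users with Windows (domain) credentials, then restart RRAS
# so the authentication change takes effect.
Set-VpnAuthType -Type Windows
Restart-Service -Name RemoteAccess

# Open only the port of the protocol in use. SSTP needs TCP 443 and nothing else,
# so no rules are created here for the PPTP or L2TP/IPsec ports.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
}

# Grant dial-in permission to one named user (the "Allow access" option on the
# Dial-in tab) instead of enabling it broadly.
Import-Module ActiveDirectory
Set-ADUser -Identity $VpnUser -Replace @{ msNPAllowDialin = $true }

# Verify the resulting state before testing from a client.
Get-RemoteAccess | Select-Object VpnStatus
Get-Service -Name RemoteAccess | Select-Object Name, Status
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-ADUser -Identity $VpnUser -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin
```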