Checklist: Installing and Configuring an RRAS VPN Server
Applies To: Windows 7, Windows Server 2008 R2
Task | Reference |
---|---|
Review key concepts. | |
Gather required information. | |
Configure TCP/IP on the network adapters of the RRAS server. | |
Install RRAS. | |
Enable RRAS and configure it as a VPN server. | |
If your RRAS server is behind a perimeter firewall, or is running a host-based firewall such as Windows Firewall with Advanced Security, then configure the required firewall rules to permit virtual private network (VPN) network traffic through the firewall to the RRAS server. | |
If your RRAS server is not behind a perimeter firewall, and is not running a host-based firewall such as Windows Firewall with Advanced Security, then configure static packet filters to permit only the required VPN network traffic to the RRAS server. | |
Configure the types of VPN connections and the number of each type that your VPN server supports. | |
Specify either DHCP or configure a static pool of IP addresses for VPN clients. | |
If you are using DHCP to supply IP addresses to remote clients, and the DHCP server is not located on the same IP subnet as the RRAS server, then configure a DHCP relay agent that forwards broadcast DHCP requests and responses through routers to the DHCP server. | |
If you are using Network Policy Server (NPS) to centrally manage policies for your RRAS servers, then configure dial-in properties and network policies for dial-in permission, authentication, and encryption settings. | See "Checklist: Configure NPS for Dial-Up and VPN" in Network Policy Server Help. |
Adjust logging levels for RRAS and for each routing protocol. | |
(Optional) Create a Connection Manager profile to manage the client connection experience for your users and simplify troubleshooting client connections. | Connection Manager Administration Kit (https://go.microsoft.com/fwlink/?linkid=136440) |
If your RRAS configuration requires any certificates for authentication, for example, when you use Internet Key Exchange version 2 (IKEv2) or Secure Socket Tunneling Protocol (SSTP)-based VPN connections, then you must have a source for the certificates. Install Active Directory Certificate Services (AD CS) on a server on your network as an alternative to purchasing certificates from third-party root certification authorities (CAs). | Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=136444) |
To support SSTP or IKEv2 certificate-authenticated VPN connections, you must install on your RRAS server a computer certificate that has the Server Authentication or All-Purpose Enhanced Key Usage (EKU) property. | |
If you initially configured your RRAS server to support Internet Protocol version 4 (IPv4) only, you can add support for Internet Protocol version 6 (IPv6) remote access. | |
(Optional) Configure your VPN server to use Network Access Protection (NAP) to enforce health requirement policies. | |