Windows Server 2012 Essentials VPN without port 1723?
August 4, 2012
“Ugh, VPNs!” is what a lot of the MVPs said when we were told that VPN was being reintroduced as a feature on the Essentials SKU. No one uses VPNs anymore, right? Too insecure, too difficult to configure, probably doesn’t work in a hotel… or a Starbucks.
Why is it needed if we have the RDP feature of RWA (Remote Web Access), so a user can get back to his own desktop over SSL?
Suffice to say, this is one in a series of battles we lost (or rather, areas we disagreed on initially), and VPN remains a feature, but on reflection I don’t think it is a bad thing.
Like most things, there are good and bad points to any technical decision or implementation. I’m not advocating the use of VPN over any other method, and where possible I would use RWA over VPN, but if you do need to use a VPN then this is the way to do it. Oh, and by the way, if you are not installing DHCP on your WSE servers, this is one scenario where I can see you probably would want to do that.
So, how is it configured?
Easy. Through the Anywhere Access wizard.
Depending on the options you chose, your path through the wizard will be different. However, assuming this is your first run of the wizard, after you complete the domain name section you will be prompted to choose which Anywhere Access features to enable. You can also return to the wizard at any time via the Server Settings option in the dashboard.
Just put a tick in that box, and that is literally all you need to do. You don’t need to open any additional ports on your firewall: ports 80 and 443 should already be open for RWA, and for the VPN you don’t need port 1723.
If you are wondering how that is achieved, it is done using Secure Socket Tunneling Protocol (SSTP). SSTP has been around for a while now, first introduced in Windows Server 2008, I believe, and there is a nice article about it here. It is an interesting technology and does seem to solve some potential headaches; however, I personally have not seen it used much in my corner of the SMB world. YMMV.
Currently there is very little in the way of tweaking you can do (this may change in the RTM build), but if you are curious you can open the RRAS snap-in in an MMC window and look at the configuration.
You will see that a static address pool is defined for remote clients.
Depending on your environment and the competence of your users, this may give you a small challenge.
On a lab system I set up a VPN connection, which worked very nicely. I did find I had a problem with name resolution, despite my client being correctly told to use the IP of the WSE server for DNS. This is due to the DNS suffix, and I think it is a by-product of not running DHCP on the WSE server and using a static address pool. Fortunately it is easy to work around that problem; however, it may be another pro in favour of installing DHCP on the WSE server.
You can view my video on how to implement the workaround below.
Tim Barrett, of Home Server fame, pointed out that I didn’t mention the ‘Use default gateway on remote network’ check box.
Indeed I did not mention this, as it didn’t occur to me at the time. Tim rightly points out that you will suffer web surfing speed issues if you leave that option checked; however, if you have a security concern, I would still leave that option enabled.
Now Tim, you see what I have done is raise a lot more questions that would perhaps be better left to another blog post, or another blog altogether.
Perhaps it is just a hang-up from my ISA Server studies that I keep that option checked: I want anything connected to the company LAN to be controlled by the firewall at the office.
Anyway Tim, I hope you are happy now.
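To make the two settings discussed above concrete, here is how the same client-side connection can be created from PowerShell rather than through the Network and Sharing Center dialog. This is an added example, not code from the original post or from Windows Server Essentials itself; it uses the VpnClient cmdlets that ship with Windows 8 and later, and the hostname remote.contoso.example and the DNS suffix contoso.local are placeholders you would replace with your own. Choosing SSTP is what lets the tunnel ride inside HTTPS on port 443 instead of needing 1723 (PPTP) opened, and -SplitTunneling $false is the scripted equivalent of leaving ‘Use default gateway on remote network’ ticked.

```powershell
# Added example (not from the original post): create the client end of the
# SSTP connection from PowerShell. Requires Windows 8 or later (VpnClient module).
# remote.contoso.example and contoso.local are placeholders.

$serverName = 'remote.contoso.example'   # placeholder: the RWA/VPN name on the server's certificate
$dnsSuffix  = 'contoso.local'            # placeholder: the internal AD DNS suffix

# SSTP is carried inside HTTPS on TCP 443, so no PPTP (TCP 1723 / GRE) rule is needed.
# -SplitTunneling $false keeps "Use default gateway on remote network" ticked:
# while the tunnel is up, all client traffic goes out through the office firewall.
$vpn = Add-VpnConnection -Name 'Office VPN (SSTP)' `
    -ServerAddress $serverName `
    -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -SplitTunneling $false `
    -RememberCredential `
    -PassThru

# Work around the single-label name resolution problem described above by giving
# the connection the internal DNS suffix (so "server" resolves as server.contoso.local).
# -DnsSuffix needs Windows 8.1 or later; on Windows 8 set the suffix in the
# adapter's advanced DNS properties instead.
Set-VpnConnection -Name $vpn.Name -DnsSuffix $dnsSuffix

# Verify the profile: TunnelType should be Sstp and SplitTunneling False.
Get-VpnConnection -Name $vpn.Name |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling, DnsSuffix
```

The trade-off Tim raised is visible in the one parameter: with -SplitTunneling $false the client's web browsing hairpins through the office connection, which is slower, but it also means that a client sitting on hotel or coffee-shop Wi-Fi is not bridging the company LAN and the untrusted network at the same time. If you later decide speed matters more, Set-VpnConnection -SplitTunneling $true flips it back.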
Remote Domain Join
Did someone say, remote domain join?
Yes I did, thanks for listening.
An exciting (perhaps exciting is a little strong…) new feature of WSE will make it possible to join clients to the domain from a remote location over a WAN link.
The process is exactly the same as if you were local to the server, with the addition of one or two new screens in the connect wizard.
I know, I know, I can hear you all saying how painful the connect wizard is to use. You don’t have to tell me that, I remember. However, what I can tell you is that the first time I used the connect wizard on a client computer was to do this remote domain join process, and it worked perfectly. Perhaps that is a coincidence, but add to that the fact that the PC in question previously had the WSSE2008 Connector application installed, and I think that is a great big win for everyone concerned.
I put together a heavily cropped and poorly narrated video to demonstrate the process, hope you enjoy it.
I hope you found this useful.
I’ll be going through the process of setting up DirectAccess in the next few weeks.